
Windows Analysis Report
DkvES47bkt.exe

Overview

General Information

Sample name: DkvES47bkt.exe (renamed because the original name is a hash value)
Original sample name: 2279710d7e98be4879dd5f1256e6cd51.exe
Analysis ID: 1586489
MD5: 2279710d7e98be4879dd5f1256e6cd51
SHA1: da329d9800345202e606c80ae204e43c31fa515b
SHA256: d46745c119fed12e116f9fe733bea4a562960f1bf86c4846132ad589ac8b65d1
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to capture screen (.Net source)
Drops executables to the windows directory (C:\Windows) and starts them
Drops large PE files
Machine Learning detection for sample
Modifies the windows firewall
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • DkvES47bkt.exe (PID: 5012 cmdline: "C:\Users\user\Desktop\DkvES47bkt.exe" MD5: 2279710D7E98BE4879DD5F1256E6CD51)
    • WmiPrvSE.exe (PID: 1220 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • cmd.exe (PID: 3416 cmdline: "CMD" netsh advfirewall firewall add rule name=",%MUc}<NcMKXc_" dir=in action=allow program="C:\Windows\System32\Defender.exe" enable=yes & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3412 cmdline: "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Microsoft\WindowsAPI" /tr "C:\Windows\System32\Defender.exe" /RL HIGHEST & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 800 cmdline: schtasks /create /f /sc minute /mo 1 /tn "Microsoft\WindowsAPI" /tr "C:\Windows\System32\Defender.exe" /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • Defender.exe (PID: 2496 cmdline: C:\Windows\System32\Defender.exe MD5: 1ED3FDE9037B9FEAB60CCF4E571B07BB)
    • WerFault.exe (PID: 3460 cmdline: C:\Windows\system32\WerFault.exe -u -p 2496 -s 1300 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • Defender.exe (PID: 2432 cmdline: C:\Windows\System32\Defender.exe MD5: 1ED3FDE9037B9FEAB60CCF4E571B07BB)
    • WerFault.exe (PID: 6080 cmdline: C:\Windows\system32\WerFault.exe -u -p 2432 -s 1368 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • Defender.exe (PID: 4620 cmdline: C:\Windows\System32\Defender.exe MD5: 1ED3FDE9037B9FEAB60CCF4E571B07BB)
    • WerFault.exe (PID: 5204 cmdline: C:\Windows\system32\WerFault.exe -u -p 4620 -s 1360 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Microsoft\WindowsAPI" /tr "C:\Windows\System32\Defender.exe" /RL HIGHEST & exit, CommandLine: "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Microsoft\WindowsAPI" /tr "C:\Windows\System32\Defender.exe" /RL HIGHEST & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\DkvES47bkt.exe", ParentImage: C:\Users\user\Desktop\DkvES47bkt.exe, ParentProcessId: 5012, ParentProcessName: DkvES47bkt.exe, ProcessCommandLine: "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Microsoft\WindowsAPI" /tr "C:\Windows\System32\Defender.exe" /RL HIGHEST & exit, ProcessId: 3412, ProcessName: cmd.exe
No Suricata rule has matched

AV Detection

Source: C:\Windows\System32\Defender.exe | Avira: detection malicious, Label: TR/Crypt.OPACK.Gen
Source: DkvES47bkt.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.5% probability
Source: DkvES47bkt.exe | Joe Sandbox ML: detected
Source: DkvES47bkt.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Defender.exe, 00000010.00000002.2760971532.000000001AF40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbg% source: Defender.exe, 00000010.00000002.2755503459.00000000007AE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System32\Defender.PDB source: Defender.exe, 00000009.00000002.2354115196.000000001B398000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Defender.exe, 00000013.00000002.3343729928.000000001B0D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb" source: WERD73F.tmp.dmp.18.dr
Source: Binary string: C:\Windows\System32\Defender.PDBx7 source: Defender.exe, 00000013.00000002.3344029888.000000001B2C8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: 4{34e089\mscorlib.pdb source: Defender.exe, 00000013.00000002.3344029888.000000001B2C8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb0 source: Defender.exe, 00000010.00000002.2760971532.000000001AF40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb*J source: Defender.exe, 00000009.00000002.2353890158.000000001B1A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 0C:\Windows\mscorlib.pdb source: Defender.exe, 00000009.00000002.2354115196.000000001B398000.00000004.00000010.00020000.00000000.sdmp, Defender.exe, 00000010.00000002.2761147041.000000001B138000.00000004.00000010.00020000.00000000.sdmp, Defender.exe, 00000013.00000002.3344029888.000000001B2C8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: System.Core.ni.pdb source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbTHnu source: Defender.exe, 00000009.00000002.2345248529.0000000000892000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb$J source: Defender.exe, 00000009.00000002.2353890158.000000001B1A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: osymbols\dll\mscorlib.pdbpdbHAE4 source: Defender.exe, 00000010.00000002.2761147041.000000001B138000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb$%OW source: Defender.exe, 00000010.00000002.2755503459.00000000007AE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Defender.exe, 00000009.00000002.2345248529.0000000000892000.00000004.00000020.00020000.00000000.sdmp, Defender.exe, 00000013.00000002.3343729928.000000001B0D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdbMZ@ source: WER3811.tmp.dmp.14.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: mscorlib.ni.pdb source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: Defender.exe, 00000010.00000002.2760971532.000000001AF40000.00000004.00000020.00020000.00000000.sdmp, Defender.exe, 00000013.00000002.3343729928.000000001B0D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbcolsSect` source: Defender.exe, 00000013.00000002.3343729928.000000001B0D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbx source: Defender.exe, 00000013.00000002.3344029888.000000001B2C8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32X-b source: Defender.exe, 00000013.00000002.3343729928.000000001B0D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbo source: Defender.exe, 00000010.00000002.2761147041.000000001B138000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: 34e089\mscorlib.pdb source: Defender.exe, 00000009.00000002.2354115196.000000001B398000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: xsymbols\dll\mscorlib.pdbpdbHAE4 source: Defender.exe, 00000013.00000002.3344029888.000000001B2C8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: .pdb<PSu source: Defender.exe, 00000009.00000002.2345248529.0000000000892000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: Microsoft Package Negotiatorib.pdb source: Defender.exe, 00000009.00000002.2353890158.000000001B1A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: \??\C:\Windows\System32\Defender.PDB source: Defender.exe, 00000010.00000002.2760971532.000000001AF40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: System.Configuration.pdb source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: symbols\dll\mscorlib.pdbpdbHAE4 source: Defender.exe, 00000009.00000002.2354115196.000000001B398000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: System.pdb source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: r34e089\mscorlib.pdb source: Defender.exe, 00000010.00000002.2761147041.000000001B138000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WERD73F.tmp.dmp.18.dr
Source: Binary string: mscorlib.pdb source: Defender.exe, 00000010.00000002.2760971532.000000001AF40000.00000004.00000020.00020000.00000000.sdmp, Defender.exe, 00000013.00000002.3343729928.000000001B128000.00000004.00000020.00020000.00000000.sdmp, WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Defender.exe, 00000013.00000002.3343729928.000000001B0D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.pdb source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: System.Management.ni.pdb source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: System.Core.pdb source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: \??\C:\Windows\System32\Defender.PDBvJ source: Defender.exe, 00000009.00000002.2353890158.000000001B1A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb} source: Defender.exe, 00000010.00000002.2760971532.000000001AF40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System32\Defender.PDBo7 source: Defender.exe, 00000010.00000002.2761147041.000000001B138000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: indoC:\Windows\mscorlib.pdb source: Defender.exe, 00000009.00000002.2354115196.000000001B398000.00000004.00000010.00020000.00000000.sdmp, Defender.exe, 00000010.00000002.2761147041.000000001B138000.00000004.00000010.00020000.00000000.sdmp, Defender.exe, 00000013.00000002.3344029888.000000001B2C8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: lib.pdb} source: Defender.exe, 00000013.00000002.3343729928.000000001B0D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: global traffic | TCP traffic: 192.168.2.6:49783 -> 147.185.221.24:61069
Source: Joe Sandbox View | IP Address: 147.185.221.24 147.185.221.24
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: et-seattle.gl.at.ply.gg
Source: DkvES47bkt.exe, Defender.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: DkvES47bkt.exe, Defender.exe.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: DkvES47bkt.exe, Defender.exe.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: DkvES47bkt.exe, Defender.exe.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: DkvES47bkt.exe, Defender.exe.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: DkvES47bkt.exe, Defender.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: DkvES47bkt.exe, Defender.exe.0.dr | String found in binary or memory: http://ocsp.sectigo.com0
Source: DkvES47bkt.exe, Defender.exe.0.dr | String found in binary or memory: http://ocsp.sectigo.com0$
Source: DkvES47bkt.exe, Defender.exe.0.dr | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: DkvES47bkt.exe, Defender.exe.0.dr | String found in binary or memory: http://s.symcd.com06
Source: DkvES47bkt.exe, 00000000.00000002.2266362731.00000000027E6000.00000004.00000800.00020000.00000000.sdmp, Defender.exe, 00000009.00000002.2345921597.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, Defender.exe, 00000010.00000002.2756227532.0000000002386000.00000004.00000800.00020000.00000000.sdmp, Defender.exe, 00000013.00000002.3334172631.0000000002626000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DkvES47bkt.exe, Defender.exe.0.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: DkvES47bkt.exe, Defender.exe.0.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: DkvES47bkt.exe, Defender.exe.0.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Amcache.hve.14.dr | String found in binary or memory: http://upx.sf.net
Source: DkvES47bkt.exe, Defender.exe.0.dr | String found in binary or memory: https://d.symcb.com/cps0%
Source: DkvES47bkt.exe, Defender.exe.0.dr | String found in binary or memory: https://d.symcb.com/rpa0
Source: DkvES47bkt.exe, Defender.exe.0.dr | String found in binary or memory: https://d.symcb.com/rpa0.
Source: DkvES47bkt.exe, Defender.exe.0.dr | String found in binary or memory: https://sectigo.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: DkvES47bkt.exe, QEEFRJhvySTxMB.cs | .Net Code: zZqXIBvmIbEvDhSnLgO
Source: Defender.exe.0.dr, QEEFRJhvySTxMB.cs | .Net Code: zZqXIBvmIbEvDhSnLgO

System Summary

Source: C:\Users\user\Desktop\DkvES47bkt.exe | File dump: Defender.exe.0.dr 756421863
Source: C:\Windows\System32\Defender.exe | Code function: 16_2_00007FFD345717CD NtProtectVirtualMemory, 16_2_00007FFD345717CD
Source: C:\Windows\System32\Defender.exe | Code function: 19_2_00007FFD345717CD NtProtectVirtualMemory, 19_2_00007FFD345717CD
Source: C:\Users\user\Desktop\DkvES47bkt.exe | File created: C:\Windows\System32\Defender.exe
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Code function: 0_2_00007FFD3454D592
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Code function: 0_2_00007FFD3454833A
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Code function: 0_2_00007FFD3454C7E6
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Code function: 0_2_00007FFD34548559
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Code function: 0_2_00007FFD3454AD04
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Code function: 0_2_00007FFD3454A4DD
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Code function: 0_2_00007FFD34545228
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Code function: 0_2_00007FFD34548E30
Source: C:\Windows\System32\Defender.exe | Code function: 9_2_00007FFD3456D592
Source: C:\Windows\System32\Defender.exe | Code function: 9_2_00007FFD345682FB
Source: C:\Windows\System32\Defender.exe | Code function: 9_2_00007FFD3456C7E6
Source: C:\Windows\System32\Defender.exe | Code function: 9_2_00007FFD3456AD04
Source: C:\Windows\System32\Defender.exe | Code function: 9_2_00007FFD3456A4DD
Source: C:\Windows\System32\Defender.exe | Code function: 9_2_00007FFD34565228
Source: C:\Windows\System32\Defender.exe | Code function: 9_2_00007FFD345655FA
Source: C:\Windows\System32\Defender.exe | Code function: 9_2_00007FFD34568B56
Source: C:\Windows\System32\Defender.exe | Code function: 16_2_00007FFD3456D592
Source: C:\Windows\System32\Defender.exe | Code function: 16_2_00007FFD34568E40
Source: C:\Windows\System32\Defender.exe | Code function: 16_2_00007FFD345682FB
Source: C:\Windows\System32\Defender.exe | Code function: 16_2_00007FFD345717CD
Source: C:\Windows\System32\Defender.exe | Code function: 16_2_00007FFD3456C7E6
Source: C:\Windows\System32\Defender.exe | Code function: 16_2_00007FFD3456AD04
Source: C:\Windows\System32\Defender.exe | Code function: 16_2_00007FFD3456A4DD
Source: C:\Windows\System32\Defender.exe | Code function: 16_2_00007FFD3456F980
Source: C:\Windows\System32\Defender.exe | Code function: 16_2_00007FFD34565228
Source: C:\Windows\System32\Defender.exe | Code function: 16_2_00007FFD345655FA
Source: C:\Windows\System32\Defender.exe | Code function: 16_2_00007FFD34568B56
Source: C:\Windows\System32\Defender.exe | Code function: 16_2_00007FFD34570F8D
Source: C:\Windows\System32\Defender.exe | Code function: 19_2_00007FFD3456D592
Source: C:\Windows\System32\Defender.exe | Code function: 19_2_00007FFD34568E40
Source: C:\Windows\System32\Defender.exe | Code function: 19_2_00007FFD345682FB
Source: C:\Windows\System32\Defender.exe | Code function: 19_2_00007FFD345717CD
Source: C:\Windows\System32\Defender.exe | Code function: 19_2_00007FFD3456C7E6
Source: C:\Windows\System32\Defender.exe | Code function: 19_2_00007FFD345728A4
Source: C:\Windows\System32\Defender.exe | Code function: 19_2_00007FFD3456AD04
Source: C:\Windows\System32\Defender.exe | Code function: 19_2_00007FFD3456A4DD
Source: C:\Windows\System32\Defender.exe | Code function: 19_2_00007FFD3456F980
Source: C:\Windows\System32\Defender.exe | Code function: 19_2_00007FFD34565228
Source: C:\Windows\System32\Defender.exe | Code function: 19_2_00007FFD345655FA
Source: C:\Windows\System32\Defender.exe | Code function: 19_2_00007FFD34568B56
Source: C:\Windows\System32\Defender.exe | Code function: 19_2_00007FFD34570F8D
Source: C:\Windows\System32\Defender.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2496 -s 1300
Source: DkvES47bkt.exe | Binary or memory string: OriginalFilenameexplorerr) vs DkvES47bkt.exe
Source: Defender.exe.0.dr, tisnIiXyTCXvDDO.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Defender.exe.0.dr, tisnIiXyTCXvDDO.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Defender.exe.0.dr, WpAqmEEzEwNIXIzRzOYiu.cs | Security API names: File.GetAccessControl
Source: Defender.exe.0.dr, WpAqmEEzEwNIXIzRzOYiu.cs | Security API names: File.SetAccessControl
Source: DkvES47bkt.exe, lXExsaLrgYgEOOXK.cs | Security API names: File.GetAccessControl
Source: DkvES47bkt.exe, lXExsaLrgYgEOOXK.cs | Security API names: File.SetAccessControl
Source: DkvES47bkt.exe, lXExsaLrgYgEOOXK.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: Defender.exe.0.dr, lXExsaLrgYgEOOXK.cs | Security API names: File.GetAccessControl
Source: Defender.exe.0.dr, lXExsaLrgYgEOOXK.cs | Security API names: File.SetAccessControl
Source: Defender.exe.0.dr, lXExsaLrgYgEOOXK.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: DkvES47bkt.exe, tisnIiXyTCXvDDO.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: DkvES47bkt.exe, tisnIiXyTCXvDDO.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: DkvES47bkt.exe, WpAqmEEzEwNIXIzRzOYiu.cs | Security API names: File.GetAccessControl
Source: DkvES47bkt.exe, WpAqmEEzEwNIXIzRzOYiu.cs | Security API names: File.SetAccessControl
Source: classification engine | Classification label: mal100.spyw.evad.winEXE@16/14@1/1
Source: C:\Users\user\Desktop\DkvES47bkt.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DkvES47bkt.exe.log
Source: C:\Windows\System32\Defender.exe | Mutant created: NULL
Source: C:\Windows\System32\Defender.exe | Mutant created: \Sessions\1\BaseNamedObjects\kkepmy41u(qg%$l6
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5532:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2496
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4620
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2432
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\8622ac2a-5f79-4853-b63b-2b674e360602
Source: DkvES47bkt.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DkvES47bkt.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\DkvES47bkt.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DkvES47bkt.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\Defender.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\Defender.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\Defender.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\Defender.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\Defender.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\Defender.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DkvES47bkt.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\DkvES47bkt.exe | File read: C:\Users\user\Desktop\DkvES47bkt.exe
Source: unknown | Process created: C:\Users\user\Desktop\DkvES47bkt.exe "C:\Users\user\Desktop\DkvES47bkt.exe"
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Process created: C:\Windows\System32\cmd.exe "CMD" netsh advfirewall firewall add rule name=",%MUc}<NcMKXc_" dir=in action=allow program="C:\Windows\System32\Defender.exe" enable=yes & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Microsoft\WindowsAPI" /tr "C:\Windows\System32\Defender.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 1 /tn "Microsoft\WindowsAPI" /tr "C:\Windows\System32\Defender.exe" /RL HIGHEST
Source: unknown | Process created: C:\Windows\System32\Defender.exe C:\Windows\System32\Defender.exe
Source: C:\Windows\System32\Defender.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2496 -s 1300
Source: unknown | Process created: C:\Windows\System32\Defender.exe C:\Windows\System32\Defender.exe
Source: C:\Windows\System32\Defender.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2432 -s 1368
Source: unknown | Process created: C:\Windows\System32\Defender.exe C:\Windows\System32\Defender.exe
Source: C:\Windows\System32\Defender.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4620 -s 1360
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Process created: C:\Windows\System32\cmd.exe "CMD" netsh advfirewall firewall add rule name=",%MUc}<NcMKXc_" dir=in action=allow program="C:\Windows\System32\Defender.exe" enable=yes & exit
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Microsoft\WindowsAPI" /tr "C:\Windows\System32\Defender.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 1 /tn "Microsoft\WindowsAPI" /tr "C:\Windows\System32\Defender.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\Defender.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\Defender.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\Defender.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Defender.exe | Section loaded: version.dll
Source: C:\Windows\System32\Defender.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\Defender.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\Defender.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\Defender.exeSection loaded: version.dll
Source: C:\Windows\System32\Defender.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\Defender.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\Defender.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\Defender.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\Defender.exeSection loaded: amsi.dll
Source: C:\Windows\System32\Defender.exeSection loaded: userenv.dll
Source: C:\Windows\System32\Defender.exeSection loaded: profapi.dll
Source: C:\Windows\System32\Defender.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\Defender.exeSection loaded: wldp.dll
Source: C:\Windows\System32\Defender.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\Defender.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\Defender.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\Defender.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\Defender.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\Defender.exeSection loaded: secur32.dll
Source: C:\Windows\System32\Defender.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\Defender.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\Defender.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\Defender.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\Defender.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\Defender.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\Defender.exeSection loaded: schannel.dll
Source: C:\Users\user\Desktop\DkvES47bkt.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\Defender.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: DkvES47bkt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DkvES47bkt.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Defender.exe, 00000010.00000002.2760971532.000000001AF40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbg% source: Defender.exe, 00000010.00000002.2755503459.00000000007AE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System32\Defender.PDB source: Defender.exe, 00000009.00000002.2354115196.000000001B398000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Defender.exe, 00000013.00000002.3343729928.000000001B0D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb" source: WERD73F.tmp.dmp.18.dr
Source: Binary string: C:\Windows\System32\Defender.PDBx7 source: Defender.exe, 00000013.00000002.3344029888.000000001B2C8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: 4{34e089\mscorlib.pdb source: Defender.exe, 00000013.00000002.3344029888.000000001B2C8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb0 source: Defender.exe, 00000010.00000002.2760971532.000000001AF40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb*J source: Defender.exe, 00000009.00000002.2353890158.000000001B1A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 0C:\Windows\mscorlib.pdb source: Defender.exe, 00000009.00000002.2354115196.000000001B398000.00000004.00000010.00020000.00000000.sdmp, Defender.exe, 00000010.00000002.2761147041.000000001B138000.00000004.00000010.00020000.00000000.sdmp, Defender.exe, 00000013.00000002.3344029888.000000001B2C8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: System.Core.ni.pdb source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbTHnu source: Defender.exe, 00000009.00000002.2345248529.0000000000892000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb$J source: Defender.exe, 00000009.00000002.2353890158.000000001B1A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: osymbols\dll\mscorlib.pdbpdbHAE4 source: Defender.exe, 00000010.00000002.2761147041.000000001B138000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb$%OW source: Defender.exe, 00000010.00000002.2755503459.00000000007AE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Defender.exe, 00000009.00000002.2345248529.0000000000892000.00000004.00000020.00020000.00000000.sdmp, Defender.exe, 00000013.00000002.3343729928.000000001B0D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdbMZ@ source: WER3811.tmp.dmp.14.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: mscorlib.ni.pdb source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: Defender.exe, 00000010.00000002.2760971532.000000001AF40000.00000004.00000020.00020000.00000000.sdmp, Defender.exe, 00000013.00000002.3343729928.000000001B0D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbcolsSect` source: Defender.exe, 00000013.00000002.3343729928.000000001B0D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbx source: Defender.exe, 00000013.00000002.3344029888.000000001B2C8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32X-b source: Defender.exe, 00000013.00000002.3343729928.000000001B0D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbo source: Defender.exe, 00000010.00000002.2761147041.000000001B138000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: 34e089\mscorlib.pdb source: Defender.exe, 00000009.00000002.2354115196.000000001B398000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: xsymbols\dll\mscorlib.pdbpdbHAE4 source: Defender.exe, 00000013.00000002.3344029888.000000001B2C8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: .pdb<PSu source: Defender.exe, 00000009.00000002.2345248529.0000000000892000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: Microsoft Package Negotiatorib.pdb source: Defender.exe, 00000009.00000002.2353890158.000000001B1A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: \??\C:\Windows\System32\Defender.PDB source: Defender.exe, 00000010.00000002.2760971532.000000001AF40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: System.Configuration.pdb source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: symbols\dll\mscorlib.pdbpdbHAE4 source: Defender.exe, 00000009.00000002.2354115196.000000001B398000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: System.pdb source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: r34e089\mscorlib.pdb source: Defender.exe, 00000010.00000002.2761147041.000000001B138000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WERD73F.tmp.dmp.18.dr
Source: Binary string: mscorlib.pdb source: Defender.exe, 00000010.00000002.2760971532.000000001AF40000.00000004.00000020.00020000.00000000.sdmp, Defender.exe, 00000013.00000002.3343729928.000000001B128000.00000004.00000020.00020000.00000000.sdmp, WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Defender.exe, 00000013.00000002.3343729928.000000001B0D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.pdb source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: System.Management.ni.pdb source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: System.Core.pdb source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: \??\C:\Windows\System32\Defender.PDBvJ source: Defender.exe, 00000009.00000002.2353890158.000000001B1A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb} source: Defender.exe, 00000010.00000002.2760971532.000000001AF40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System32\Defender.PDBo7 source: Defender.exe, 00000010.00000002.2761147041.000000001B138000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: indoC:\Windows\mscorlib.pdb source: Defender.exe, 00000009.00000002.2354115196.000000001B398000.00000004.00000010.00020000.00000000.sdmp, Defender.exe, 00000010.00000002.2761147041.000000001B138000.00000004.00000010.00020000.00000000.sdmp, Defender.exe, 00000013.00000002.3344029888.000000001B2C8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: lib.pdb} source: Defender.exe, 00000013.00000002.3343729928.000000001B0D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERD73F.tmp.dmp.18.dr, WERB914.tmp.dmp.21.dr, WER3811.tmp.dmp.14.dr
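The schtasks row at the top of this section (schtasks /create /f /sc minute /mo 1 /tn "Microsoft\WindowsAPI" /tr "C:\Windows\System32\Defender.exe" /RL HIGHEST) is the sample's persistence mechanism: a task hidden under the Microsoft\ task folder that relaunches the dropped Defender.exe every minute with the highest available privileges. The Python below is an added example, not code from the Joe Sandbox report or from the sample; it parses a schtasks /create command line into its switches and scores the persistence indicators an analyst would pull out of such a row. The lookalike binary list, the user-writable path prefixes and the "every 5 minutes or less counts as a watchdog" cut-off are assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath

# Command line recorded in the report (cmd.exe spawning schtasks.exe)
REPORT_CMDLINE = (
    'schtasks /create /f /sc minute /mo 1 /tn "Microsoft\\WindowsAPI" '
    '/tr "C:\\Windows\\System32\\Defender.exe" /RL HIGHEST'
)

# schtasks /create switches that take no argument; any other /switch consumes the next token
_FLAG_SWITCHES = {'/create', '/f', '/z', '/v1', '/np', '/it', '/hresult'}
_TOKEN = re.compile(r'"[^"]*"|\S+')            # one quoted argument or one bare word
_EXE = re.compile(r'^(.*?\.exe)', re.IGNORECASE)

# Assumptions made for this example, not rules taken from the report:
_LOOKALIKE_BINARIES = {'defender.exe', 'windowsdefender.exe', 'antimalware.exe', 'securityhealth.exe'}
_USER_WRITABLE = ('c:\\users\\', 'c:\\programdata\\', 'c:\\windows\\temp\\')
_WATCHDOG_MINUTES = 5                           # /sc minute with /mo at or below this is a watchdog


def parse_schtasks(cmdline: str) -> dict:
    """Split a schtasks command line into flag switches and switch/value pairs (switches lower-cased)."""
    tokens = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    if not tokens or PureWindowsPath(tokens[0]).name.lower() not in ('schtasks', 'schtasks.exe'):
        raise ValueError('not a schtasks command line')
    flags, options = set(), {}
    i = 1
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in _FLAG_SWITCHES:
            flags.add(tok)
            i += 1
        elif tok.startswith('/') and i + 1 < len(tokens):
            options[tok] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return {'flags': flags, 'options': options}


def action_executable(action: str) -> str:
    """Executable part of a /tr value, which may carry arguments after the .exe."""
    m = _EXE.match(action.strip('"'))
    return m.group(1) if m else action.split(' ')[0]


def persistence_indicators(parsed: dict) -> list:
    """Human-readable reasons this task looks like malware persistence (empty for a normal task)."""
    opts, hits = parsed['options'], []
    sc, mo = opts.get('/sc', '').lower(), opts.get('/mo', '1')   # schtasks defaults /mo to 1
    if sc == 'minute' and mo.isdigit() and int(mo) <= _WATCHDOG_MINUTES:
        hits.append(f're-executes every {mo} minute(s): watchdog-style persistence')
    if opts.get('/rl', '').upper() == 'HIGHEST':
        hits.append('runs with highest available privileges (/RL HIGHEST)')
    if '/f' in parsed['flags']:
        hits.append('silently overwrites any existing task of the same name (/f)')
    tn = opts.get('/tn', '')
    if tn.lower().startswith('microsoft\\'):
        hits.append(f'task name "{tn}" is placed under the Microsoft\\ folder to blend in with built-in tasks')
    exe = action_executable(opts.get('/tr', ''))
    if PureWindowsPath(exe).name.lower() in _LOOKALIKE_BINARIES:
        # Windows Defender itself runs as MsMpEng.exe / MpCmdRun.exe under Program Files\Windows Defender
        hits.append(f'action binary "{PureWindowsPath(exe).name}" borrows a security product name')
    if exe.lower().startswith(_USER_WRITABLE):
        hits.append('action runs from a user-writable location')
    return hits


def describe_task(cmdline: str) -> dict:
    """Normalised view of the task plus its indicator list."""
    parsed = parse_schtasks(cmdline)
    opts = parsed['options']
    mo = opts.get('/mo', '')
    return {
        'task_name': opts.get('/tn'),
        'action': action_executable(opts.get('/tr', '')),
        'schedule': (opts.get('/sc', '').lower() or None, int(mo) if mo.isdigit() else None),
        'run_level': opts.get('/rl', '').upper() or None,
        'indicators': persistence_indicators(parsed),
    }


if __name__ == '__main__':
    for key, value in describe_task(REPORT_CMDLINE).items():
        print(f'{key}: {value}')
```

The same describe_task() call can be run over the CommandLine field of Sysmon event 1 or Security event 4688 records for schtasks.exe; a task that trips the minute-interval, /RL HIGHEST and Microsoft\ folder checks together is rare enough in normal administration to be worth an alert on its own.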

Data Obfuscation

Source: DkvES47bkt.exe, GprCBzVajSFPhcvMz.cs | .Net Code: NMmrnMiPoxTKxWYciysWlr System.Reflection.Assembly.Load(byte[])
Source: DkvES47bkt.exe, EwsvuuRydySCmvfwUdTl.cs | .Net Code: FyRyFitGWcSvLUVgQQryVi System.AppDomain.Load(byte[])
Source: DkvES47bkt.exe, EwsvuuRydySCmvfwUdTl.cs | .Net Code: FyRyFitGWcSvLUVgQQryVi
Source: Defender.exe.0.dr, GprCBzVajSFPhcvMz.cs | .Net Code: NMmrnMiPoxTKxWYciysWlr System.Reflection.Assembly.Load(byte[])
Source: Defender.exe.0.dr, EwsvuuRydySCmvfwUdTl.cs | .Net Code: FyRyFitGWcSvLUVgQQryVi System.AppDomain.Load(byte[])
Source: Defender.exe.0.dr, EwsvuuRydySCmvfwUdTl.cs | .Net Code: FyRyFitGWcSvLUVgQQryVi
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Code function: 0_2_00007FFD345400BD pushad ; iretd 0_2_00007FFD345400C1
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Code function: 0_2_00007FFD34548169 push ebx; ret 0_2_00007FFD3454816A
Source: C:\Windows\System32\Defender.exe | Code function: 9_2_00007FFD345600BD pushad ; iretd 9_2_00007FFD345600C1
Source: C:\Windows\System32\Defender.exe | Code function: 9_2_00007FFD34568169 push ebx; ret 9_2_00007FFD3456816A
Source: C:\Windows\System32\Defender.exe | Code function: 16_2_00007FFD34568169 push ebx; ret 16_2_00007FFD3456816A
Source: C:\Windows\System32\Defender.exe | Code function: 19_2_00007FFD34568169 push ebx; ret 19_2_00007FFD3456816A
Source: DkvES47bkt.exe, GprCBzVajSFPhcvMz.cs | High entropy of concatenated method names: '_003CPatchMem_003Eb__0', 'WYpgNUnjwEYMhBcgWYlMeqbwj', 'NMmrnMiPoxTKxWYciysWlr', 'QuyKVUgxswZG', 'wFQLeSMeNMbPoBIdEM', 'WEVxpCMvIA', 'NYQxfchgsTfdDiXvhS', 'UokWjXaHbJRXEemyC', 'rWfvXTjrbSPRGfcjfldCgaFVG', 'bwbyQjVwqwtZQQnsv'
Source: DkvES47bkt.exe, AgGuxbclsJDKUXCF.cs | High entropy of concatenated method names: 'PgBtGwUrqzqNZCUoKeqOHE', 'uciUipnmdWskfbbukmD', 'bmYTGiVKsMrg', 'AGRXclBCMNqgS', 'NikFbDwDHDPNAUcuQfMZeU', 'XHABEPZhmotIb', 'GPcOxzNHOlha', 'wLTsKsYMybBrniW', 'ZGMAlKPjKgVwPtOUex', 'VTvjPDvIobXKQreofUZ'
Source: DkvES47bkt.exe, KxxSSIzaCTUHBCvRNLqyDXZ.cs | High entropy of concatenated method names: 'TgaEpLqydIyuWCaHNS', 'mhcftdlvvpWnmYUymhulqdVe', 'DBvKkjllbnvrAhbEPuJHUMW', 'DoZThFJLym', 'cqlKFkCKkYHlzTgbiMWYrf', 'GwJSDWdksNryOejDXSBlcvDZ', 'AeaycOxxwe', 'wRyoHoPXIUSwyJ', 'GqtQKsjSDrClPzuBRzVHFUMdo', 'fRfhhcpdIHDfTVMzuwE'
Source: DkvES47bkt.exe, tisnIiXyTCXvDDO.cs | High entropy of concatenated method names: 'iJnrHhQxpVf', 'afkSbpIpfAFPRx', 'noTZewWYBUkKLSu', 'nCHXoSFTOuYXiEXaKQdIWwBTE', 'ixrewXlCRNJa', 'VizKjXzqwwJAvplcqA', 'ThjHbjxAmgmKQjnHaWlSvE', 'lAieBizZaMVHvlb', 'blXMJJmtQIhLFFisO', 'xGtFwRnGMyucrWz'
Source: DkvES47bkt.exe, VoFTVipipkK.cs | High entropy of concatenated method names: 'VMantYKYfAnacPRV', 'DQtAcwiaBZQaoUKaKqmcuoiCw', 'VBfrFRUkmUQUsPsMs', 'uxqfdzRZesDOhrECbhuJTzFEi', 'JqyWkhvjIzjpXfagmbhXmZ', 'pnKSjfvrmxnpaaI', 'VSyjETmJOjmM', 'XKDkZJjZPMDNHwrkpzF', 'SLEoqLVAADzsiNPmkFB', 'YjGGuVxXvZYkgiL'
Source: DkvES47bkt.exe, LORYroboCXxqjpTmhsXqFkvZK.cs | High entropy of concatenated method names: 'ArLDvgByOLypWkkSBihjSpzIh', 'sVsaSsNtokczcRpk', 'HnrWmGmiNsaeLrDWco', 'GntGbcwzpCGPthOrUpx', 'OFrFznPcsZc', 'cJemOhQupG', 'gGchxxzjgeiQBwoGoNUHQZGnk', 'bdmZCQIHLyX', 'RftpwVtscqZ', 'bgVzgHzpwtVVwHbSIt'
Source: DkvES47bkt.exe, DDkXafHupjcDyMCFpVaefrMq.cs | High entropy of concatenated method names: 'qCGRdOsVhMwopUbX', 'jnSGDElovbagPMrtBj', 'BdLVjhRzGQzBzHCIZY', 'nyUdhmSpSAEunk', 'WzXRjZmEfXvZaZNDSVmwdgzei', 'ryzBWMRAkCkHopA', 'pFlNsPEwmZBoUpAtjShnEdBj', 'aoKTKgxvjqts', 'YbuDOwKdfuCrXWHN', 'LECFRbtdbtDslzGBOtFtAP'
Source: DkvES47bkt.exe, OLCRwsTtwxxSGZuMngxi.cs | High entropy of concatenated method names: 'STWcrGlCPAYMVdXTCakSo', 'EXEssEuclOoxwsgoE', 'hrgwYFkwWskGMPwuOyYzO', 'HnPKYYhfmOVykwrHyyHw', 'BreCYBCdhQEYAjshOhMP', 'FWkNfzCGAZsRAFwkIzWfBFx', 'akNzakQugqwUtot', 'zXhqLGzdww', 'hqkpAZTnumC', 'PJylKJbrTFUfeXGFTkj'
Source: DkvES47bkt.exe, nkKpBsREeeBrrJgLniKFn.cs | High entropy of concatenated method names: 'uPkrNGBgDoNjgrSgOmrox', 'tJdcdXdhIRyApvFJfLCy', 'NeIdpsHUXOypNVbNkc', 'CWfvlfBXaEHglzFgfUz', 'eWMkDzLcZdwuiYvEhiXynU', 'QQiNpHpwtlozgKuslTZ', 'xINxNDBywxBAJqvUUmWUkgDJu', 'PumplfOWiICkzlGrA', 'jnpqOZXzwFOQFDDpoHLGLWmn', 'nSkmkNsgHZHi'
Source: DkvES47bkt.exe, OwtFvyBkOpRRzc.cs | High entropy of concatenated method names: 'DCLFoZlKenZ', 'CgtqbJuoLKkbarxoqh', 'DPnuJlizndmPSVVyDVyqH', 'ottRkewcwTw', 'VNPmkFsKHL', 'uSFFsuTsreybuBsAE', 'LgTSRzIjQl', 'yxycUyyfZDhdaFWXlVkrEnH', 'eFcBGwJdizthAyZDtVfydDsN', 'bXOgtpKpCyPWwYcuEvaLpXmv'
Source: DkvES47bkt.exe, vTsoiPoBagCkfnEE.cs | High entropy of concatenated method names: 'AGXlggLTczEETmLnHvVvVfz', 'mWyAVsqBZzpXkkPmgUG', 'kxGurwXriJVUHrz', 'iLyjICeTwnCWg', 'PAZiupPEJYUySQeVQtlE', 'VVWHiSmxDuA', 'zuUuYwJudBaOK', 'OpbXJlbeueDbMWdHGeUn', 'WKarwbKbTvHxyEx', 'fkPjVAprxknRWuwu'
Source: DkvES47bkt.exe, ogkoRtQNRnFHYCnvNGTSgt.cs | High entropy of concatenated method names: 'oOnwkySUEoBZ', 'FbzfjIHajOZmiphQxTIvYwZdx', 'PySATXdopmGojYmgFAO', 'CIkEHUteZJBVi', 'tIIivBJtzvJ', 'kjJrrZPneGNO', 'yezOgklGffdYWEMAIJpuxjJ', 'iRcFuZmutpwXKfSL', 'DEEgSUUCmWwYUvPUe', 'OHfLGsiehHoqcrdVufF'
Source: DkvES47bkt.exe, kInYBznLcEoeuDSs.cs | High entropy of concatenated method names: 'yWUqFwYbPOyiIfALmotlTxK', 'HotTDfGtAOhQjefMP', 'llpcTYoSIOZGWAMxiQCEYjHEi', 'yjcHJgWWMZheVUekXsTtrgDl', 'PKKYCdkuYaEqAEsjzonPDvhZ', 'MOkoDSgqLuWMxJvwkwuZtW', 'bKrrQWsTclkpOAGVIYAoKW', 'BerTTzmzuqbJeLaPU', 'ataNUgweamBthdE', 'pNYDZUplqznqbKiJgWjdw'
Source: DkvES47bkt.exe, lXExsaLrgYgEOOXK.cs | High entropy of concatenated method names: 'UwIbcfQhBviOX', 'cHxslOlqBYCceRobCYTdkZ', 'sJroPreddJ', 'ExRVmvaevkZzBzsZtJvtC', 'FFjtaVzWuZ', 'tMqKgmXDGeRTJqp', 'SlThPiCsLlsVFfYpz', 'ImBOMWYqvXnlaDlyglar', 'KKyyvuBxbFb', 'ciCUDZwJZneFaLpk'
Source: DkvES47bkt.exe, gBeJmXXsXHezdPh.cs | High entropy of concatenated method names: 'eUDcfhQyzzyEOUmAxDQN', 'lmsKaeQoSgVylMzBA', 'ylfJmZSeDVdBZyULthLSE', 'zJhSdFcHmyx', 'RbrbzTrwbvLRHWe', 'TSqihvmVcUvMBwjeEI', 'sUSisaIcEyQLGbCoUIOk', 'pVzfXfueLgNzqmFBk', 'HYSiXLJplyIPVpYJDzSCVvNxs', 'DMQpwnjLGLEHynW'
Source: DkvES47bkt.exe, EwsvuuRydySCmvfwUdTl.cs | High entropy of concatenated method names: 'LvCpvdStvFLfKcjkzIm', 'OTwhHeTfhdsyCEsB', 'FyRyFitGWcSvLUVgQQryVi', 'JmLRMNcFjivuJUW', 'lDakBAkVJWRm', 'BDUXhIMuQgtuWjNQaMLtHF', 'uxPICpIqvpSiebWbMKOUWhpf', 'XFiKFsgvIZZSAJE', 'qxEEAioEkzjt', 'ZNIkqfjZfpxlmWCwJMAJM'
Source: DkvES47bkt.exe, QEEFRJhvySTxMB.cs | High entropy of concatenated method names: 'aDNCrkYOApwXNfzcDoeqHTo', 'oCobulrMvsWPQUkcspDQVmTP', 'qPIhKkHPTNpwwUPxjcUJjMjEB', 'SPXYCiYcDViflIPAwGugvUoSl', 'zGPegEfLRrrvL', 'YTQtPErLujPc', 'VCxaFmsjSNZp', 'zZqXIBvmIbEvDhSnLgO', 'uKIUQmISYFG', 'DlFRVWaOgWNasfBFZvGhKmi'
Source: DkvES47bkt.exe, jZWTVmmWOyYUMMRcqrgzxt.cs | High entropy of concatenated method names: 'ebNNwrzjWnUktguoiZGMylOI', 'MzLyzOspersHZpfP', 'CgscXvwDxaqhwt', 'EtksnlWZbuPoC', 'JjbxjihQroDOuBnCHhy', 'CfFmbefHRhIGuXnrOkM', 'foCvoYqUlZmiq', 'dedoVFDazJgwUXNwn', 'UoAOcJxCnKWrvaQXt', 'NZOHHEpsPsET'
Source: DkvES47bkt.exe, jDcxkJFhdsO.cs | High entropy of concatenated method names: 'ZVTlUGzgCUxzHTc', 'pLyoVESOrBkIzZvCXj', 'MjNkMsfBPGdpQhesSuawUD', 'tSVqgcZubYd', 'rcalvpCDHNMTbV', 'dIxnVJfTSqCzYpMCRmRm', 'rIfGRAwfFCOKvw', 'dlIGMIHvsqeNvLvgKjRlA', 'gDJinMnnodsaYge', 'ZHjMmPnmBUKWD'
Source: DkvES47bkt.exe, MtweeSvrtsEjaEHkGcqcH.cs | High entropy of concatenated method names: 'DFiwVYdhZUOx', 'YRQgkFOHierWZwABKbbd', 'prwiwWNMSkU', 'WiSpwGWsAVaqZwccgP', 'nUcjaUxnjBuPuXuCNhLNUEk', 'TQFIAukgDrh', 'uzsVyTnrFFfT', 'tOuUBXikZPJPpmpQNMD', 'mIOpqPBQtyOkldHfpMBTyX', 'jjGJgybrtcetlAFe'
Source: DkvES47bkt.exe, OtMRnVOsGKHl.cs | High entropy of concatenated method names: 'OaJVtSKEyPaxQqAqb', 'AYiHvMpChJPGtAijBpNMbGp', 'PelUWeNCfT', 'MqHfxgrkBosV', 'OhpLdOPujgrRaUfDv', 'batVtuKPgkWnNX', 'LFppCYRDMdKP', 'XMLhFbQvgtnuBN', 'fYvSTJOOqNtoKWgrjexs', 'YohmHMfMBuBLjYoi'
Source: DkvES47bkt.exe, JjNonPeEqnKrhUWFcwVNuQ.cs | High entropy of concatenated method names: 'HumVdnzFHHCRoAp', 'svjgfSSfzqHTWdUvtQGtB', 'ARrhDkeCiEmKcSLjnocHVmgf', 'dmHYXtvlxuSoyPhAxICh', 'ACkJcSRtYNlMy', 'yXeKLqZfXsupYuHYed', 'WcjXOvberZhhczpjdSyrrmVer', 'ntXmAjHObxOzPP', 'MiFqKSpjKeFflGkGFfAIh', 'EYyZNYrUdCjH'
Source: DkvES47bkt.exe, vFtGvLdAuIQGYPbHNoGtunigD.cs | High entropy of concatenated method names: 'BohTfzMQNzNDrnTSGfvSzctK', 'kQyFHWNDAJoSadRuICctK', 'SabgDkkwZvXjuiNKFdAzqdeAg', 'eYraQRZnxY', 'aScSDktvqiigxwzsKGo', 'bABGMFyeFKHlpgfKXhntlEpT', 'rteRYOhIcCZRWGymOqgbxrQR', 'VdTvKWLhKVLUNhvZcMeFtB', 'oHXOIsyzcMdCkONSfO', 'LkmRAIkBVfmMuUCeomICo'
Source: DkvES47bkt.exe, XbJdqTwlJhtvvHI.cs | High entropy of concatenated method names: 'cQQnOSFXJkniwgH', 'CtFVrLKWlIexEaFmY', 'XIDtCEWlTGfNocZTtBCm', 'QGuBFnHTjfAKNJzVJr', 'yFrEqYTCXk', 'DklHGCJsxQPSkbeDbSax', 'JAoVYBDdlljjCbQYGCxMQ', 'kjnHdLUsjxmwujwliAFPLefi', 'AOfUQdlTPQFhRYrItCmw', 'ggbUUwGBiGD'
Source: DkvES47bkt.exe, TpneWzinmRLNNvomkAusssN.cs | High entropy of concatenated method names: 'IuRdXCfNaLeGuJEFSv', 'zBBLzbjMHFiAa', 'LVbhFPjlxnBRhsbwpa', 'gOaHiRBnqYIrKDfincXNfcODN', 'itrkLPIDuNlOt', 'DctNpwrNCJoTRM', 'EzXtYjIvFMsiHJS', 'ZjHKDiBNRSUriwsyvlpNOUUgv', 'oBwNkEkMPjJCOVyJcFO', 'NITunVTEjEPbPXu'
Source: DkvES47bkt.exe, WpAqmEEzEwNIXIzRzOYiu.cs | High entropy of concatenated method names: 'xCQxqDhktAiNXUabbXDUuhnau', 'tGJXUzpZsyZoNASUCMZJk', 'rXnAeZCPPqDFKaaVgjX', 'ccBmJDCafaAkANPljUVQWcijl', 'pstggqmlDOVB', 'aXcjopSFwKplLNHcztSABNK', 'zuKyOKBQidutustuTCsh', 'uUcfJDVDApN', 'ukueUqmJZDiTO', 'GzXhyUcdEZiTEGfMhohg'
Source: DkvES47bkt.exe, avfHckAjbIOftjcvbDvZXrf.cs | High entropy of concatenated method names: 'YzCIvbnXWQBODZHdYFCd', 'NKwQlKHrQVjPyjchr', 'zUrIdiNsBvRASoBJKpGrKQ', 'fFvSzEqevhRCJgEhNCs', 'LZQDuOpYnbzd', 'oLDhQOoLRVSAlscGHspR', 'UGprXkORrUhn', 'UVAzxnEwuDxCIVNR', 'jKMaTENqsdZuZBlNSYH', 'IuBMMaCspOP'
Source: DkvES47bkt.exe, XOWrfubIFwwWSRBCkfv.cs | High entropy of concatenated method names: 'GzXbQMXAGN', 'mwxeQIuYrPpc', 'GQHFLAVEzNYYrvaTWaCrnJZ', 'mltpHDkRXfUAESpG', 'DniZGZMUFVonkExqmSZGgxv', 'HBMaaOElvzkVqvgMhVB', 'wdmaXKSzPzMGrFRFNlur', 'DrkUbzqmNZKwMhd', 'lDQvEVvmdeleaz', 'aKSslBFwKbMBaBKeYorbievL'
Source: DkvES47bkt.exe, NCWTJiYmOo.cs | High entropy of concatenated method names: 'fdXRNOXStt', 'qgnMDAxeooZwPsjKWKTw', 'HeaGYfIPuIRJgLpfweYojzNG', 'HZdEBIZwljCMFeUpPufH', 'jgteZfvHMIRUZRGeLtArN', 'cnSrADyUFhyuYskZbceoZalr', 'NOLEAfPZoEGMifrIrDjW', 'tOumSXNYVBCaKnpnQEC', 'UkodNsxnfhXBVBUzRSiH', 'ASCDlYsCVb'
Source: DkvES47bkt.exe, JfAFbFqmPAXuSFACrag.cs | High entropy of concatenated method names: 'RkDnIXrgyetV', 'sVHoXFlXRvG', 'epDDikiPXN', 'cMxDNKolHBpajsOTV', 'kzpwkehncPuKFgfxebaBXNcK', 'ApPTLUQNUnNjgcSWaiYqwwIum', 'msUXXWfxkpRTRu', 'xktSOyzIexfETCEgVhx', 'YsxQqEirdEGQdNzLPcYO', 'kpZrSLvgIwlTMEEnccKQHe'
Source: DkvES47bkt.exe, UACsUQnggztSoYk.cs | High entropy of concatenated method names: 'VdSINmzcYlFUDFbLWy', 'fqUxahHlBoZLppD', 'uGVDiBZTjLSdbYhvpFF', 'AgsaFAyozZPezcgFBvkeR', 'OOOdKcHeWj', 'QcOOuxhClUJvodzrcutVa', 'zRdMbqVhVDgujzRq', 'yCbfgETazKke', 'cNJvcwliVrhEyGPuuzaln', 'TzpSNJlcfkClbSkoWUFYdLub'
Source: DkvES47bkt.exe, fxrViPtroaCbyONKrcHijo.cs | High entropy of concatenated method names: 'cGXWrGRrNpktfJDBwyi', 'MCfobByeOtYEqSPP', 'tBkWiomOVhBoa', 'kBSSZbjvpHncU', 'gCNtoqDwxzdOsZF', 'xqoioCXzpobxMdjF', 'ViSUHzkHnEToLiJp', 'JxolcdfNDAPGjTPY', 'XrnzqqEbAxDKeGRHrTmQisEn', 'DzUADkEQRKS'
Source: DkvES47bkt.exe, qmajBmcCnsP.cs | High entropy of concatenated method names: '_003CCheckWMI_003Eb__4_0', 'akoWoQJegFQzWGz', 'sLLtHQapfaLkpD', 'GhBLeixaxKaECT', 'FDgyYJtcIK', 'yqNEYpdrKSVuU', 'ukOigLYWdVIEqeEMEsBU', 'HMsllbLJjkILQeYfubylc', 'swUyynxOdtAxn', 'VxvjMMtlztaAfhKQC'
Source: DkvES47bkt.exe, JMLcPxDFGCfojQLRgfkS.cs | High entropy of concatenated method names: 'TgKyLZaRtKtJzsQ', 'gtWFAthDVcgaJGHLH', 'qfBeDYcoNslfkY', 'sAmOMSZyGciszHmCiBjBkXBp', 'dMgpRqsIfRFVxvxRguBVfdgap', 'eAWKUyxQjGt', 'plqkTqghkFlk', 'dAUSzfFAOMr', 'VxHYgLrXXFQevJqtISYPm', 'qydykanIaYy'
Source: DkvES47bkt.exe, UhBFJdricqufqaojV.cs | High entropy of concatenated method names: 'ZluADFKYEZvUcgzYxWc', 'LcxxXJKzdEkHCbwweT', 'vvkYRmHNOfRcRHuSwnw', 'tuLvAonSBjDtdtggbE', 'KQwwTLbTAIJAIiqjBko', 'dzpMecXzYbNqsHlMx', 'rjYVnKsjuLmJewmfCLajSqncv', 'uSHBwemDsEzHLfUuh', 'MOwREMFalOfBw', 'aOQZctOIXaEhguzvPXIaPgcc'
Source: DkvES47bkt.exe, prnQkWxyXENbjeKZECPLhTnn.cs | High entropy of concatenated method names: 'RauDLZwfTJkJZrHXrU', 'ZSRKucRvGrMVEzoSwCuMeRv', 'UaPeKInqzwNJAP', 'btdqnHofJl', 'KVwHLIWBqTMnlxDVV', 'meRgBTSBbIIf', 'GtlxSurkFnzZhPGssjlSXXHH', 'TcpKhOsKXFtAAlbeXgr', 'GUELIiYWMYjldTz', 'CaYZGPJJMrryKoz'
Source: DkvES47bkt.exe, ISaCjfIATBL.cs | High entropy of concatenated method names: 'gQsGvyIMyhFUMUyq', 'HdBWAJnBgCIBRMzoDmeHq', 'sdcEaNFqOgRPMYKzgHF', 'OwAKgUGgIiT', 'valXtviawqnbjCAadEFX', 'mRvdSXFGZh', 'NjTlnnGkYfHXIYaeUfC', 'cwgJIpuaYcT', 'JHOAjOnqxVyWeumEr', 'lbXcDRCKcxtfMwMkOAKauGs'
Source: DkvES47bkt.exe, WVihDmlAmRFUAdyEhT.cs | High entropy of concatenated method names: 'lcXdxSUGGnfVPqVnN', 'dNfzaclAov', 'DKYDOEzzsl', 'jfeNHvpeeqlEDF', 'mCurxeYGDcGRBlWnUOOdzUN', 'qLKRJRGUxVSxFBok', 'ZbkBdnsICRppc', 'SoYAmUHwmWlTgTYiTaeSatd', 'MXRIHAQfVczIgABQ', 'dpNPKHYjTxO'
Source: DkvES47bkt.exe, MWYDrsjTSJqoS.cs | High entropy of concatenated method names: 'qsTFEGzLlzHCnRKh', 'kVZucnSXyOYrEpBhFA', 'TrOFMAkZvpESJk', 'GTtYNEBhFsaThJGUiRwN', 'VQMtsNXiuwPGVjiogmJS', 'INmgCPpUWBMXA', 'DheVqezLvLMMaYgBemvYM', 'aMpyiNYvCj', 'yeGBRSoKxRaUppQo', 'WabbYAGRfsvlnzId'
Source: DkvES47bkt.exe, TJTvwBaIBQS.cs | High entropy of concatenated method names: 'fwlmloNajoHIlHgMA', 'HXgWEcAWhAJvnIgLMZ', 'mxTiaUeBKKoUNIaIvrIrJm', 'GMQoBycZvHXNeo', 'FCaapLtfwmNzkTEhgAiMWK', 'dDiktMpuvUGlFRixDNg', 'BozrFqarNvbSvWwX', 'azTGsRfeizPx', 'eyppeoDqeC', 'yhAsopjULqcNNOJXTNXrK'
Source: DkvES47bkt.exe, lczhEUcowbNWQ.cs | High entropy of concatenated method names: 'nrEZEgZidL', 'ImHNwZvxzK', 'vnnRPpKUMKNBwpKLnJm', 'zngwhUbABSZ', 'rJwRmmQjYJyqulL', 'lOHnMHfHHqkvOJSuk', 'JmssYAtCepopBwICOnKlEkep', 'vBUVOqEGybZft', 'HuJcpSRonnLuejzrYICicz', 'hQykjCUjWVxDruIoW'
Source: DkvES47bkt.exe, iICVrXHYKfHIpFQXbL.cs | High entropy of concatenated method names: 'rFzCejHzsNZCU', 'HSyQLGECpvftBnpvEGjQsUj', 'XmjXOKldmRh', 'RGQFHoQEXliTKwITSDynir', 'YWgneJBGjGBdypdJDEfjlDQ', 'RBRKiTuFaOriaA', 'uVfyMITKdptuiDIHUGTWd', 'rXQMwDkyujCSkNGFDFyqnVo', 'LBRGWcGeIBdHhALPa', 'uKrQSvBPCNXmEWisBvm'
Source: DkvES47bkt.exe, uJXvYHzEhxLOfc.cs | High entropy of concatenated method names: 'SNWxJjZpddDWZAUIe', 'dlfCzIGMwkhjbfRrwqr', 'seUTuRVlaDMphkC', 'uPOOrxnoHtCXEhEeRMmzQLI', 'mVlsYsCqdaxgcdavqfMA', 'xgsziYVyCaiHfb', 'LvQPrLuekYComqIl', 'HUpottpUgsazPYwBEjvOwJCDC', 'agjiHupiALlg', 'CauKTTeVAFmhGMW'
Source: DkvES47bkt.exe, JqoyJMwYkYeSSSLBCERtJfL.cs | High entropy of concatenated method names: '_003CRun_003Eb__1_0', 'eiLcBLWnxSzTbooKAH', 'jdfmOziWNDFxt', 'shTrcPinsNklrCmXVRYOlwywx', 'TpJjrUFVjGVTYscvlSC', 'IfkphnZeMviWtzvseI', 'PfVTfCCtglpKgtVV', 'FTBDubJoYyZZwjRdwmwmME', 'fustWkCcYdHnKGSUEMfHE', 'UkBYhkHYicAhWJCimD'
Source: DkvES47bkt.exe, huigHuEqBhxV.cs | High entropy of concatenated method names: 'xSzRXLdUGGB', 'ZKUsvmanhRBy', 'vZyEKNVIgqk', 'NjhhmbnhYi', 'jyFuXiXfRAOclfQwtfzt', 'jqhDsFvqNReNpOGE', 'yaILTBzHwBVeuCZ', 'PzHYqfccpDjjPvRJsagYlI', 'phwwEZLTPFYaOy', 'cTxgVQRQrAkMmUVADGj'
Source: DkvES47bkt.exe, sDxpENeYXPsYVcYDBrZBiKvaq.cs | High entropy of concatenated method names: 'lMRPIUZJwfRESTctpRH', 'OqlcEVUlOiIWzabSHIGXy', 'gslwZGZpUeTDP', 'apKnAnvOXvErrJmgKjnCKsrI', 'NMYNeCvKgrRyTXLQRVpshPPD', 'TjQNkhxCqmbWAssIhLSUir', 'clsXBPPywVaKT', 'xvJUwdkjuRcxjADxjFc', 'obsKwmboeAaiZdjPI', 'mObsrauEgP'
Source: DkvES47bkt.exe, WYdQIVjMOZZzFKSg.cs | High entropy of concatenated method names: 'xVmIWWPGmNsQwHeZFZzsKD', 'NuZjXgamrjtndQMzBOKVIqvS', 'vZAlToetaYNwnsa', 'aAhCTAJsZydAh', 'WzHRbHaBYuPtDryDNVjJi', 'NPyuPHLUKdMnCOpWQTkZbmn', 'xSuWkIRYEflrShrTp', 'jlhPokNqFQZ', 'ObbZxxNpjCMn', 'WcxEjbQkXCCrhdJIuCAz'
Source: DkvES47bkt.exe, fIEdZvXcpYAipTNh.cs | High entropy of concatenated method names: 'EgSyrpMyfurJMCyrIsjumlKCY', 'AfbyDBzvzsXWnTre', 'BgSdVCqgadnKTVPaVohXhqp', 'RCFUmFQCIrJVF', 'edkScYMkfXHwReKGLKrILSw', 'tVNkCcLuVcJDnPOR', 'hXiMpnlsBfzewhMgNYHLbiDLN', 'pUGTwwZKevOKEibsAw', 'PYvxWZqGGWyTW', 'OxRliiDElDQSDUZjjhHzxCuWk'
Source: DkvES47bkt.exe, ueHNMdjwjYBvgC.cs | High entropy of concatenated method names: 'KVvAMKuWDzYAKXvnmxTAjYSYH', 'HXDGRMJZqUXHDFzIEOodZY', 'lOxMCNlCXtXCXSwiLrkgaP', 'uOBbUEkdOjjSrTzGLFR', 'OfCbpHgcmo', 'NWjDyBlQynPJToAEOMkYbJO', 'OMZmMXIrasVwIQB', 'aoSMyWjnpCR', 'CPPDHSombzDbfX', 'bSDwyLeymqBSsclwKGsp'
Source: DkvES47bkt.exe, VgiXrAmmXM.cs | High entropy of concatenated method names: 'RlSpcTxUImVHRJThXP', 'UFtJFrybKqoQQdWbgICKPSM', 'PAZQNYTOWgsWXcMy', 'rneUWEdvinYVFcBsZtF', 'iOmWZtklADDvEfX', 'izsvvVekutRDrdyiHfw', 'BHvdTruejdQZEVJaBJW', 'jBcfbguXFVoYj', 'ebEPcDbAAQcrzVTXhxJjtzeP', 'mxWYOospJq'
Source: DkvES47bkt.exe, EiphzSFywDsQvfJ.cs | High entropy of concatenated method names: 'UguORtUtzui', 'dkKlBYhllU', 'PQlvpndBHrv', 'ulpsNbUzFBfoNQWBjyB', 'AZfxgyeGWsbIhFQA', 'fUKRUAOlwiYQb', 'IqbeUFrMPwNdNZW', 'HAWpDeqCfYQL', 'QGpuZSSGbwuUTFODrnoPp', 'YumPezZyvofczqYioH'
Source: Defender.exe.0.dr, GprCBzVajSFPhcvMz.cs | High entropy of concatenated method names: '_003CPatchMem_003Eb__0', 'WYpgNUnjwEYMhBcgWYlMeqbwj', 'NMmrnMiPoxTKxWYciysWlr', 'QuyKVUgxswZG', 'wFQLeSMeNMbPoBIdEM', 'WEVxpCMvIA', 'NYQxfchgsTfdDiXvhS', 'UokWjXaHbJRXEemyC', 'rWfvXTjrbSPRGfcjfldCgaFVG', 'bwbyQjVwqwtZQQnsv'
Source: Defender.exe.0.dr, AgGuxbclsJDKUXCF.cs | High entropy of concatenated method names: 'PgBtGwUrqzqNZCUoKeqOHE', 'uciUipnmdWskfbbukmD', 'bmYTGiVKsMrg', 'AGRXclBCMNqgS', 'NikFbDwDHDPNAUcuQfMZeU', 'XHABEPZhmotIb', 'GPcOxzNHOlha', 'wLTsKsYMybBrniW', 'ZGMAlKPjKgVwPtOUex', 'VTvjPDvIobXKQreofUZ'
Source: Defender.exe.0.dr, AgGuxbclsJDKUXCF.csHigh entropy of concatenated method names: 'PgBtGwUrqzqNZCUoKeqOHE', 'uciUipnmdWskfbbukmD', 'bmYTGiVKsMrg', 'AGRXclBCMNqgS', 'NikFbDwDHDPNAUcuQfMZeU', 'XHABEPZhmotIb', 'GPcOxzNHOlha', 'wLTsKsYMybBrniW', 'ZGMAlKPjKgVwPtOUex', 'VTvjPDvIobXKQreofUZ'
Source: Defender.exe.0.dr, KxxSSIzaCTUHBCvRNLqyDXZ.csHigh entropy of concatenated method names: 'TgaEpLqydIyuWCaHNS', 'mhcftdlvvpWnmYUymhulqdVe', 'DBvKkjllbnvrAhbEPuJHUMW', 'DoZThFJLym', 'cqlKFkCKkYHlzTgbiMWYrf', 'GwJSDWdksNryOejDXSBlcvDZ', 'AeaycOxxwe', 'wRyoHoPXIUSwyJ', 'GqtQKsjSDrClPzuBRzVHFUMdo', 'fRfhhcpdIHDfTVMzuwE'
Source: Defender.exe.0.dr, tisnIiXyTCXvDDO.csHigh entropy of concatenated method names: 'iJnrHhQxpVf', 'afkSbpIpfAFPRx', 'noTZewWYBUkKLSu', 'nCHXoSFTOuYXiEXaKQdIWwBTE', 'ixrewXlCRNJa', 'VizKjXzqwwJAvplcqA', 'ThjHbjxAmgmKQjnHaWlSvE', 'lAieBizZaMVHvlb', 'blXMJJmtQIhLFFisO', 'xGtFwRnGMyucrWz'
Source: Defender.exe.0.dr, VoFTVipipkK.csHigh entropy of concatenated method names: 'VMantYKYfAnacPRV', 'DQtAcwiaBZQaoUKaKqmcuoiCw', 'VBfrFRUkmUQUsPsMs', 'uxqfdzRZesDOhrECbhuJTzFEi', 'JqyWkhvjIzjpXfagmbhXmZ', 'pnKSjfvrmxnpaaI', 'VSyjETmJOjmM', 'XKDkZJjZPMDNHwrkpzF', 'SLEoqLVAADzsiNPmkFB', 'YjGGuVxXvZYkgiL'
Source: Defender.exe.0.dr, LORYroboCXxqjpTmhsXqFkvZK.csHigh entropy of concatenated method names: 'ArLDvgByOLypWkkSBihjSpzIh', 'sVsaSsNtokczcRpk', 'HnrWmGmiNsaeLrDWco', 'GntGbcwzpCGPthOrUpx', 'OFrFznPcsZc', 'cJemOhQupG', 'gGchxxzjgeiQBwoGoNUHQZGnk', 'bdmZCQIHLyX', 'RftpwVtscqZ', 'bgVzgHzpwtVVwHbSIt'
Source: Defender.exe.0.dr, DDkXafHupjcDyMCFpVaefrMq.csHigh entropy of concatenated method names: 'qCGRdOsVhMwopUbX', 'jnSGDElovbagPMrtBj', 'BdLVjhRzGQzBzHCIZY', 'nyUdhmSpSAEunk', 'WzXRjZmEfXvZaZNDSVmwdgzei', 'ryzBWMRAkCkHopA', 'pFlNsPEwmZBoUpAtjShnEdBj', 'aoKTKgxvjqts', 'YbuDOwKdfuCrXWHN', 'LECFRbtdbtDslzGBOtFtAP'
Source: Defender.exe.0.dr, OLCRwsTtwxxSGZuMngxi.csHigh entropy of concatenated method names: 'STWcrGlCPAYMVdXTCakSo', 'EXEssEuclOoxwsgoE', 'hrgwYFkwWskGMPwuOyYzO', 'HnPKYYhfmOVykwrHyyHw', 'BreCYBCdhQEYAjshOhMP', 'FWkNfzCGAZsRAFwkIzWfBFx', 'akNzakQugqwUtot', 'zXhqLGzdww', 'hqkpAZTnumC', 'PJylKJbrTFUfeXGFTkj'
Source: Defender.exe.0.dr, nkKpBsREeeBrrJgLniKFn.csHigh entropy of concatenated method names: 'uPkrNGBgDoNjgrSgOmrox', 'tJdcdXdhIRyApvFJfLCy', 'NeIdpsHUXOypNVbNkc', 'CWfvlfBXaEHglzFgfUz', 'eWMkDzLcZdwuiYvEhiXynU', 'QQiNpHpwtlozgKuslTZ', 'xINxNDBywxBAJqvUUmWUkgDJu', 'PumplfOWiICkzlGrA', 'jnpqOZXzwFOQFDDpoHLGLWmn', 'nSkmkNsgHZHi'
Source: Defender.exe.0.dr, OwtFvyBkOpRRzc.csHigh entropy of concatenated method names: 'DCLFoZlKenZ', 'CgtqbJuoLKkbarxoqh', 'DPnuJlizndmPSVVyDVyqH', 'ottRkewcwTw', 'VNPmkFsKHL', 'uSFFsuTsreybuBsAE', 'LgTSRzIjQl', 'yxycUyyfZDhdaFWXlVkrEnH', 'eFcBGwJdizthAyZDtVfydDsN', 'bXOgtpKpCyPWwYcuEvaLpXmv'
Source: Defender.exe.0.dr, vTsoiPoBagCkfnEE.csHigh entropy of concatenated method names: 'AGXlggLTczEETmLnHvVvVfz', 'mWyAVsqBZzpXkkPmgUG', 'kxGurwXriJVUHrz', 'iLyjICeTwnCWg', 'PAZiupPEJYUySQeVQtlE', 'VVWHiSmxDuA', 'zuUuYwJudBaOK', 'OpbXJlbeueDbMWdHGeUn', 'WKarwbKbTvHxyEx', 'fkPjVAprxknRWuwu'
Source: Defender.exe.0.dr, ogkoRtQNRnFHYCnvNGTSgt.csHigh entropy of concatenated method names: 'oOnwkySUEoBZ', 'FbzfjIHajOZmiphQxTIvYwZdx', 'PySATXdopmGojYmgFAO', 'CIkEHUteZJBVi', 'tIIivBJtzvJ', 'kjJrrZPneGNO', 'yezOgklGffdYWEMAIJpuxjJ', 'iRcFuZmutpwXKfSL', 'DEEgSUUCmWwYUvPUe', 'OHfLGsiehHoqcrdVufF'
Source: Defender.exe.0.dr, kInYBznLcEoeuDSs.csHigh entropy of concatenated method names: 'yWUqFwYbPOyiIfALmotlTxK', 'HotTDfGtAOhQjefMP', 'llpcTYoSIOZGWAMxiQCEYjHEi', 'yjcHJgWWMZheVUekXsTtrgDl', 'PKKYCdkuYaEqAEsjzonPDvhZ', 'MOkoDSgqLuWMxJvwkwuZtW', 'bKrrQWsTclkpOAGVIYAoKW', 'BerTTzmzuqbJeLaPU', 'ataNUgweamBthdE', 'pNYDZUplqznqbKiJgWjdw'
Source: Defender.exe.0.dr, lXExsaLrgYgEOOXK.csHigh entropy of concatenated method names: 'UwIbcfQhBviOX', 'cHxslOlqBYCceRobCYTdkZ', 'sJroPreddJ', 'ExRVmvaevkZzBzsZtJvtC', 'FFjtaVzWuZ', 'tMqKgmXDGeRTJqp', 'SlThPiCsLlsVFfYpz', 'ImBOMWYqvXnlaDlyglar', 'KKyyvuBxbFb', 'ciCUDZwJZneFaLpk'
Source: Defender.exe.0.dr, gBeJmXXsXHezdPh.csHigh entropy of concatenated method names: 'eUDcfhQyzzyEOUmAxDQN', 'lmsKaeQoSgVylMzBA', 'ylfJmZSeDVdBZyULthLSE', 'zJhSdFcHmyx', 'RbrbzTrwbvLRHWe', 'TSqihvmVcUvMBwjeEI', 'sUSisaIcEyQLGbCoUIOk', 'pVzfXfueLgNzqmFBk', 'HYSiXLJplyIPVpYJDzSCVvNxs', 'DMQpwnjLGLEHynW'
Source: Defender.exe.0.dr, EwsvuuRydySCmvfwUdTl.csHigh entropy of concatenated method names: 'LvCpvdStvFLfKcjkzIm', 'OTwhHeTfhdsyCEsB', 'FyRyFitGWcSvLUVgQQryVi', 'JmLRMNcFjivuJUW', 'lDakBAkVJWRm', 'BDUXhIMuQgtuWjNQaMLtHF', 'uxPICpIqvpSiebWbMKOUWhpf', 'XFiKFsgvIZZSAJE', 'qxEEAioEkzjt', 'ZNIkqfjZfpxlmWCwJMAJM'
Source: Defender.exe.0.dr, QEEFRJhvySTxMB.csHigh entropy of concatenated method names: 'aDNCrkYOApwXNfzcDoeqHTo', 'oCobulrMvsWPQUkcspDQVmTP', 'qPIhKkHPTNpwwUPxjcUJjMjEB', 'SPXYCiYcDViflIPAwGugvUoSl', 'zGPegEfLRrrvL', 'YTQtPErLujPc', 'VCxaFmsjSNZp', 'zZqXIBvmIbEvDhSnLgO', 'uKIUQmISYFG', 'DlFRVWaOgWNasfBFZvGhKmi'
Source: Defender.exe.0.dr, jZWTVmmWOyYUMMRcqrgzxt.csHigh entropy of concatenated method names: 'ebNNwrzjWnUktguoiZGMylOI', 'MzLyzOspersHZpfP', 'CgscXvwDxaqhwt', 'EtksnlWZbuPoC', 'JjbxjihQroDOuBnCHhy', 'CfFmbefHRhIGuXnrOkM', 'foCvoYqUlZmiq', 'dedoVFDazJgwUXNwn', 'UoAOcJxCnKWrvaQXt', 'NZOHHEpsPsET'
Source: Defender.exe.0.dr, jDcxkJFhdsO.csHigh entropy of concatenated method names: 'ZVTlUGzgCUxzHTc', 'pLyoVESOrBkIzZvCXj', 'MjNkMsfBPGdpQhesSuawUD', 'tSVqgcZubYd', 'rcalvpCDHNMTbV', 'dIxnVJfTSqCzYpMCRmRm', 'rIfGRAwfFCOKvw', 'dlIGMIHvsqeNvLvgKjRlA', 'gDJinMnnodsaYge', 'ZHjMmPnmBUKWD'
Source: Defender.exe.0.dr, MtweeSvrtsEjaEHkGcqcH.csHigh entropy of concatenated method names: 'DFiwVYdhZUOx', 'YRQgkFOHierWZwABKbbd', 'prwiwWNMSkU', 'WiSpwGWsAVaqZwccgP', 'nUcjaUxnjBuPuXuCNhLNUEk', 'TQFIAukgDrh', 'uzsVyTnrFFfT', 'tOuUBXikZPJPpmpQNMD', 'mIOpqPBQtyOkldHfpMBTyX', 'jjGJgybrtcetlAFe'
Source: Defender.exe.0.dr, OtMRnVOsGKHl.csHigh entropy of concatenated method names: 'OaJVtSKEyPaxQqAqb', 'AYiHvMpChJPGtAijBpNMbGp', 'PelUWeNCfT', 'MqHfxgrkBosV', 'OhpLdOPujgrRaUfDv', 'batVtuKPgkWnNX', 'LFppCYRDMdKP', 'XMLhFbQvgtnuBN', 'fYvSTJOOqNtoKWgrjexs', 'YohmHMfMBuBLjYoi'
Source: Defender.exe.0.dr, JjNonPeEqnKrhUWFcwVNuQ.csHigh entropy of concatenated method names: 'HumVdnzFHHCRoAp', 'svjgfSSfzqHTWdUvtQGtB', 'ARrhDkeCiEmKcSLjnocHVmgf', 'dmHYXtvlxuSoyPhAxICh', 'ACkJcSRtYNlMy', 'yXeKLqZfXsupYuHYed', 'WcjXOvberZhhczpjdSyrrmVer', 'ntXmAjHObxOzPP', 'MiFqKSpjKeFflGkGFfAIh', 'EYyZNYrUdCjH'
Source: Defender.exe.0.dr, vFtGvLdAuIQGYPbHNoGtunigD.csHigh entropy of concatenated method names: 'BohTfzMQNzNDrnTSGfvSzctK', 'kQyFHWNDAJoSadRuICctK', 'SabgDkkwZvXjuiNKFdAzqdeAg', 'eYraQRZnxY', 'aScSDktvqiigxwzsKGo', 'bABGMFyeFKHlpgfKXhntlEpT', 'rteRYOhIcCZRWGymOqgbxrQR', 'VdTvKWLhKVLUNhvZcMeFtB', 'oHXOIsyzcMdCkONSfO', 'LkmRAIkBVfmMuUCeomICo'
Source: Defender.exe.0.dr, XbJdqTwlJhtvvHI.csHigh entropy of concatenated method names: 'cQQnOSFXJkniwgH', 'CtFVrLKWlIexEaFmY', 'XIDtCEWlTGfNocZTtBCm', 'QGuBFnHTjfAKNJzVJr', 'yFrEqYTCXk', 'DklHGCJsxQPSkbeDbSax', 'JAoVYBDdlljjCbQYGCxMQ', 'kjnHdLUsjxmwujwliAFPLefi', 'AOfUQdlTPQFhRYrItCmw', 'ggbUUwGBiGD'
Source: Defender.exe.0.dr, TpneWzinmRLNNvomkAusssN.csHigh entropy of concatenated method names: 'IuRdXCfNaLeGuJEFSv', 'zBBLzbjMHFiAa', 'LVbhFPjlxnBRhsbwpa', 'gOaHiRBnqYIrKDfincXNfcODN', 'itrkLPIDuNlOt', 'DctNpwrNCJoTRM', 'EzXtYjIvFMsiHJS', 'ZjHKDiBNRSUriwsyvlpNOUUgv', 'oBwNkEkMPjJCOVyJcFO', 'NITunVTEjEPbPXu'
Source: Defender.exe.0.dr, WpAqmEEzEwNIXIzRzOYiu.csHigh entropy of concatenated method names: 'xCQxqDhktAiNXUabbXDUuhnau', 'tGJXUzpZsyZoNASUCMZJk', 'rXnAeZCPPqDFKaaVgjX', 'ccBmJDCafaAkANPljUVQWcijl', 'pstggqmlDOVB', 'aXcjopSFwKplLNHcztSABNK', 'zuKyOKBQidutustuTCsh', 'uUcfJDVDApN', 'ukueUqmJZDiTO', 'GzXhyUcdEZiTEGfMhohg'
Source: Defender.exe.0.dr, avfHckAjbIOftjcvbDvZXrf.csHigh entropy of concatenated method names: 'YzCIvbnXWQBODZHdYFCd', 'NKwQlKHrQVjPyjchr', 'zUrIdiNsBvRASoBJKpGrKQ', 'fFvSzEqevhRCJgEhNCs', 'LZQDuOpYnbzd', 'oLDhQOoLRVSAlscGHspR', 'UGprXkORrUhn', 'UVAzxnEwuDxCIVNR', 'jKMaTENqsdZuZBlNSYH', 'IuBMMaCspOP'
Source: Defender.exe.0.dr, XOWrfubIFwwWSRBCkfv.csHigh entropy of concatenated method names: 'GzXbQMXAGN', 'mwxeQIuYrPpc', 'GQHFLAVEzNYYrvaTWaCrnJZ', 'mltpHDkRXfUAESpG', 'DniZGZMUFVonkExqmSZGgxv', 'HBMaaOElvzkVqvgMhVB', 'wdmaXKSzPzMGrFRFNlur', 'DrkUbzqmNZKwMhd', 'lDQvEVvmdeleaz', 'aKSslBFwKbMBaBKeYorbievL'
Source: Defender.exe.0.dr, NCWTJiYmOo.csHigh entropy of concatenated method names: 'fdXRNOXStt', 'qgnMDAxeooZwPsjKWKTw', 'HeaGYfIPuIRJgLpfweYojzNG', 'HZdEBIZwljCMFeUpPufH', 'jgteZfvHMIRUZRGeLtArN', 'cnSrADyUFhyuYskZbceoZalr', 'NOLEAfPZoEGMifrIrDjW', 'tOumSXNYVBCaKnpnQEC', 'UkodNsxnfhXBVBUzRSiH', 'ASCDlYsCVb'
Source: Defender.exe.0.dr, JfAFbFqmPAXuSFACrag.csHigh entropy of concatenated method names: 'RkDnIXrgyetV', 'sVHoXFlXRvG', 'epDDikiPXN', 'cMxDNKolHBpajsOTV', 'kzpwkehncPuKFgfxebaBXNcK', 'ApPTLUQNUnNjgcSWaiYqwwIum', 'msUXXWfxkpRTRu', 'xktSOyzIexfETCEgVhx', 'YsxQqEirdEGQdNzLPcYO', 'kpZrSLvgIwlTMEEnccKQHe'
Source: Defender.exe.0.dr, UACsUQnggztSoYk.csHigh entropy of concatenated method names: 'VdSINmzcYlFUDFbLWy', 'fqUxahHlBoZLppD', 'uGVDiBZTjLSdbYhvpFF', 'AgsaFAyozZPezcgFBvkeR', 'OOOdKcHeWj', 'QcOOuxhClUJvodzrcutVa', 'zRdMbqVhVDgujzRq', 'yCbfgETazKke', 'cNJvcwliVrhEyGPuuzaln', 'TzpSNJlcfkClbSkoWUFYdLub'
Source: Defender.exe.0.dr, fxrViPtroaCbyONKrcHijo.csHigh entropy of concatenated method names: 'cGXWrGRrNpktfJDBwyi', 'MCfobByeOtYEqSPP', 'tBkWiomOVhBoa', 'kBSSZbjvpHncU', 'gCNtoqDwxzdOsZF', 'xqoioCXzpobxMdjF', 'ViSUHzkHnEToLiJp', 'JxolcdfNDAPGjTPY', 'XrnzqqEbAxDKeGRHrTmQisEn', 'DzUADkEQRKS'
Source: Defender.exe.0.dr, qmajBmcCnsP.csHigh entropy of concatenated method names: '_003CCheckWMI_003Eb__4_0', 'akoWoQJegFQzWGz', 'sLLtHQapfaLkpD', 'GhBLeixaxKaECT', 'FDgyYJtcIK', 'yqNEYpdrKSVuU', 'ukOigLYWdVIEqeEMEsBU', 'HMsllbLJjkILQeYfubylc', 'swUyynxOdtAxn', 'VxvjMMtlztaAfhKQC'
Source: Defender.exe.0.dr, JMLcPxDFGCfojQLRgfkS.csHigh entropy of concatenated method names: 'TgKyLZaRtKtJzsQ', 'gtWFAthDVcgaJGHLH', 'qfBeDYcoNslfkY', 'sAmOMSZyGciszHmCiBjBkXBp', 'dMgpRqsIfRFVxvxRguBVfdgap', 'eAWKUyxQjGt', 'plqkTqghkFlk', 'dAUSzfFAOMr', 'VxHYgLrXXFQevJqtISYPm', 'qydykanIaYy'
Source: Defender.exe.0.dr, UhBFJdricqufqaojV.csHigh entropy of concatenated method names: 'ZluADFKYEZvUcgzYxWc', 'LcxxXJKzdEkHCbwweT', 'vvkYRmHNOfRcRHuSwnw', 'tuLvAonSBjDtdtggbE', 'KQwwTLbTAIJAIiqjBko', 'dzpMecXzYbNqsHlMx', 'rjYVnKsjuLmJewmfCLajSqncv', 'uSHBwemDsEzHLfUuh', 'MOwREMFalOfBw', 'aOQZctOIXaEhguzvPXIaPgcc'
Source: Defender.exe.0.dr, prnQkWxyXENbjeKZECPLhTnn.csHigh entropy of concatenated method names: 'RauDLZwfTJkJZrHXrU', 'ZSRKucRvGrMVEzoSwCuMeRv', 'UaPeKInqzwNJAP', 'btdqnHofJl', 'KVwHLIWBqTMnlxDVV', 'meRgBTSBbIIf', 'GtlxSurkFnzZhPGssjlSXXHH', 'TcpKhOsKXFtAAlbeXgr', 'GUELIiYWMYjldTz', 'CaYZGPJJMrryKoz'
Source: Defender.exe.0.dr, ISaCjfIATBL.csHigh entropy of concatenated method names: 'gQsGvyIMyhFUMUyq', 'HdBWAJnBgCIBRMzoDmeHq', 'sdcEaNFqOgRPMYKzgHF', 'OwAKgUGgIiT', 'valXtviawqnbjCAadEFX', 'mRvdSXFGZh', 'NjTlnnGkYfHXIYaeUfC', 'cwgJIpuaYcT', 'JHOAjOnqxVyWeumEr', 'lbXcDRCKcxtfMwMkOAKauGs'
Source: Defender.exe.0.dr, WVihDmlAmRFUAdyEhT.csHigh entropy of concatenated method names: 'lcXdxSUGGnfVPqVnN', 'dNfzaclAov', 'DKYDOEzzsl', 'jfeNHvpeeqlEDF', 'mCurxeYGDcGRBlWnUOOdzUN', 'qLKRJRGUxVSxFBok', 'ZbkBdnsICRppc', 'SoYAmUHwmWlTgTYiTaeSatd', 'MXRIHAQfVczIgABQ', 'dpNPKHYjTxO'
Source: Defender.exe.0.dr, MWYDrsjTSJqoS.csHigh entropy of concatenated method names: 'qsTFEGzLlzHCnRKh', 'kVZucnSXyOYrEpBhFA', 'TrOFMAkZvpESJk', 'GTtYNEBhFsaThJGUiRwN', 'VQMtsNXiuwPGVjiogmJS', 'INmgCPpUWBMXA', 'DheVqezLvLMMaYgBemvYM', 'aMpyiNYvCj', 'yeGBRSoKxRaUppQo', 'WabbYAGRfsvlnzId'
Source: Defender.exe.0.dr, TJTvwBaIBQS.csHigh entropy of concatenated method names: 'fwlmloNajoHIlHgMA', 'HXgWEcAWhAJvnIgLMZ', 'mxTiaUeBKKoUNIaIvrIrJm', 'GMQoBycZvHXNeo', 'FCaapLtfwmNzkTEhgAiMWK', 'dDiktMpuvUGlFRixDNg', 'BozrFqarNvbSvWwX', 'azTGsRfeizPx', 'eyppeoDqeC', 'yhAsopjULqcNNOJXTNXrK'
Source: Defender.exe.0.dr, lczhEUcowbNWQ.csHigh entropy of concatenated method names: 'nrEZEgZidL', 'ImHNwZvxzK', 'vnnRPpKUMKNBwpKLnJm', 'zngwhUbABSZ', 'rJwRmmQjYJyqulL', 'lOHnMHfHHqkvOJSuk', 'JmssYAtCepopBwICOnKlEkep', 'vBUVOqEGybZft', 'HuJcpSRonnLuejzrYICicz', 'hQykjCUjWVxDruIoW'
Source: Defender.exe.0.dr, iICVrXHYKfHIpFQXbL.csHigh entropy of concatenated method names: 'rFzCejHzsNZCU', 'HSyQLGECpvftBnpvEGjQsUj', 'XmjXOKldmRh', 'RGQFHoQEXliTKwITSDynir', 'YWgneJBGjGBdypdJDEfjlDQ', 'RBRKiTuFaOriaA', 'uVfyMITKdptuiDIHUGTWd', 'rXQMwDkyujCSkNGFDFyqnVo', 'LBRGWcGeIBdHhALPa', 'uKrQSvBPCNXmEWisBvm'
Source: Defender.exe.0.dr, uJXvYHzEhxLOfc.csHigh entropy of concatenated method names: 'SNWxJjZpddDWZAUIe', 'dlfCzIGMwkhjbfRrwqr', 'seUTuRVlaDMphkC', 'uPOOrxnoHtCXEhEeRMmzQLI', 'mVlsYsCqdaxgcdavqfMA', 'xgsziYVyCaiHfb', 'LvQPrLuekYComqIl', 'HUpottpUgsazPYwBEjvOwJCDC', 'agjiHupiALlg', 'CauKTTeVAFmhGMW'
Source: Defender.exe.0.dr, JqoyJMwYkYeSSSLBCERtJfL.csHigh entropy of concatenated method names: '_003CRun_003Eb__1_0', 'eiLcBLWnxSzTbooKAH', 'jdfmOziWNDFxt', 'shTrcPinsNklrCmXVRYOlwywx', 'TpJjrUFVjGVTYscvlSC', 'IfkphnZeMviWtzvseI', 'PfVTfCCtglpKgtVV', 'FTBDubJoYyZZwjRdwmwmME', 'fustWkCcYdHnKGSUEMfHE', 'UkBYhkHYicAhWJCimD'
Source: Defender.exe.0.dr, huigHuEqBhxV.csHigh entropy of concatenated method names: 'xSzRXLdUGGB', 'ZKUsvmanhRBy', 'vZyEKNVIgqk', 'NjhhmbnhYi', 'jyFuXiXfRAOclfQwtfzt', 'jqhDsFvqNReNpOGE', 'yaILTBzHwBVeuCZ', 'PzHYqfccpDjjPvRJsagYlI', 'phwwEZLTPFYaOy', 'cTxgVQRQrAkMmUVADGj'
Source: Defender.exe.0.dr, sDxpENeYXPsYVcYDBrZBiKvaq.csHigh entropy of concatenated method names: 'lMRPIUZJwfRESTctpRH', 'OqlcEVUlOiIWzabSHIGXy', 'gslwZGZpUeTDP', 'apKnAnvOXvErrJmgKjnCKsrI', 'NMYNeCvKgrRyTXLQRVpshPPD', 'TjQNkhxCqmbWAssIhLSUir', 'clsXBPPywVaKT', 'xvJUwdkjuRcxjADxjFc', 'obsKwmboeAaiZdjPI', 'mObsrauEgP'
Source: Defender.exe.0.dr, WYdQIVjMOZZzFKSg.csHigh entropy of concatenated method names: 'xVmIWWPGmNsQwHeZFZzsKD', 'NuZjXgamrjtndQMzBOKVIqvS', 'vZAlToetaYNwnsa', 'aAhCTAJsZydAh', 'WzHRbHaBYuPtDryDNVjJi', 'NPyuPHLUKdMnCOpWQTkZbmn', 'xSuWkIRYEflrShrTp', 'jlhPokNqFQZ', 'ObbZxxNpjCMn', 'WcxEjbQkXCCrhdJIuCAz'
Source: Defender.exe.0.dr, fIEdZvXcpYAipTNh.csHigh entropy of concatenated method names: 'EgSyrpMyfurJMCyrIsjumlKCY', 'AfbyDBzvzsXWnTre', 'BgSdVCqgadnKTVPaVohXhqp', 'RCFUmFQCIrJVF', 'edkScYMkfXHwReKGLKrILSw', 'tVNkCcLuVcJDnPOR', 'hXiMpnlsBfzewhMgNYHLbiDLN', 'pUGTwwZKevOKEibsAw', 'PYvxWZqGGWyTW', 'OxRliiDElDQSDUZjjhHzxCuWk'
Source: Defender.exe.0.dr, ueHNMdjwjYBvgC.csHigh entropy of concatenated method names: 'KVvAMKuWDzYAKXvnmxTAjYSYH', 'HXDGRMJZqUXHDFzIEOodZY', 'lOxMCNlCXtXCXSwiLrkgaP', 'uOBbUEkdOjjSrTzGLFR', 'OfCbpHgcmo', 'NWjDyBlQynPJToAEOMkYbJO', 'OMZmMXIrasVwIQB', 'aoSMyWjnpCR', 'CPPDHSombzDbfX', 'bSDwyLeymqBSsclwKGsp'
Source: Defender.exe.0.dr, VgiXrAmmXM.csHigh entropy of concatenated method names: 'RlSpcTxUImVHRJThXP', 'UFtJFrybKqoQQdWbgICKPSM', 'PAZQNYTOWgsWXcMy', 'rneUWEdvinYVFcBsZtF', 'iOmWZtklADDvEfX', 'izsvvVekutRDrdyiHfw', 'BHvdTruejdQZEVJaBJW', 'jBcfbguXFVoYj', 'ebEPcDbAAQcrzVTXhxJjtzeP', 'mxWYOospJq'
Source: Defender.exe.0.dr, EiphzSFywDsQvfJ.csHigh entropy of concatenated method names: 'UguORtUtzui', 'dkKlBYhllU', 'PQlvpndBHrv', 'ulpsNbUzFBfoNQWBjyB', 'AZfxgyeGWsbIhFQA', 'fUKRUAOlwiYQb', 'IqbeUFrMPwNdNZW', 'HAWpDeqCfYQL', 'QGpuZSSGbwuUTFODrnoPp', 'YumPezZyvofczqYioH'

Persistence and Installation Behavior

Source: unknown | Executable created and started: C:\Windows\System32\Defender.exe
Source: C:\Users\user\Desktop\DkvES47bkt.exe | File created: C:\Windows\System32\Defender.exe

Boot Survival

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 1 /tn "Microsoft\WindowsAPI" /tr "C:\Windows\System32\Defender.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\DkvES47bkt.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Defender.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\DkvES47bkt.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE PNPClass = 'Camera'
Source: C:\Windows\System32\Defender.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE PNPClass = 'Camera'
Source: C:\Users\user\Desktop\DkvES47bkt.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\System32\Defender.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\DkvES47bkt.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\Defender.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\DkvES47bkt.exe Memory allocated: E90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DkvES47bkt.exe Memory allocated: 1A7D0000 memory reserve | memory write watch
Source: C:\Windows\System32\Defender.exe Memory allocated: D50000 memory reserve | memory write watch
Source: C:\Windows\System32\Defender.exe Memory allocated: 1A6E0000 memory reserve | memory write watch
Source: C:\Windows\System32\Defender.exe Memory allocated: 900000 memory reserve | memory write watch
Source: C:\Windows\System32\Defender.exe Memory allocated: 1A370000 memory reserve | memory write watch
Source: C:\Windows\System32\Defender.exe Memory allocated: 730000 memory reserve | memory write watch
Source: C:\Windows\System32\Defender.exe Memory allocated: 1A610000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DkvES47bkt.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DkvES47bkt.exe TID: 4596 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DkvES47bkt.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DkvES47bkt.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\Defender.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\Defender.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: Amcache.hve.14.dr Binary or memory string: VMware
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.14.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.14.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.14.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Defender.exe, 00000010.00000002.2760971532.000000001AF40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.14.dr Binary or memory string: vmci.sys
Source: Amcache.hve.14.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.14.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.14.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr Binary or memory string: VMware20,1
Source: Amcache.hve.14.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.14.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.14.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.14.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Defender.exe, 00000013.00000002.3343729928.000000001B0D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0,
Source: Defender.exe, 00000009.00000002.2353890158.000000001B1A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.14.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\Defender.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\DkvES47bkt.exe Process token adjusted: Debug
Source: C:\Windows\System32\Defender.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DkvES47bkt.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\DkvES47bkt.exe Process created: C:\Windows\System32\cmd.exe "CMD" netsh advfirewall firewall add rule name=",%MUc}<NcMKXc_" dir=in action=allow program="C:\Windows\System32\Defender.exe" enable=yes & exit
Source: C:\Users\user\Desktop\DkvES47bkt.exe Process created: C:\Windows\System32\cmd.exe "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Microsoft\WindowsAPI" /tr "C:\Windows\System32\Defender.exe" /RL HIGHEST & exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc minute /mo 1 /tn "Microsoft\WindowsAPI" /tr "C:\Windows\System32\Defender.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\DkvES47bkt.exe Queries volume information: C:\Users\user\Desktop\DkvES47bkt.exe VolumeInformation
Source: C:\Windows\System32\Defender.exe Queries volume information: C:\Windows\System32\Defender.exe VolumeInformation
Source: C:\Users\user\Desktop\DkvES47bkt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\DkvES47bkt.exe Process created: C:\Windows\System32\cmd.exe "CMD" netsh advfirewall firewall add rule name=",%MUc}<NcMKXc_" dir=in action=allow program="C:\Windows\System32\Defender.exe" enable=yes & exit
Source: Amcache.hve.14.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.14.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.14.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: DkvES47bkt.exe, 00000000.00000002.2269666000.000000001B0A1000.00000004.00000020.00020000.00000000.sdmp, Defender.exe, 00000009.00000002.2345248529.0000000000892000.00000004.00000020.00020000.00000000.sdmp, Defender.exe, 00000010.00000002.2755503459.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, Defender.exe, 00000013.00000002.3333411491.00000000007EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.14.dr Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\DkvES47bkt.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\System32\Defender.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
MITRE ATT&CK matrix, one line per tactic; techniques listed in the order of the original matrix, with the signature count shown in the matrix in parentheses where one was given:

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation (221); Scheduled Task/Job (1); At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: Scheduled Task/Job (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (11); Scheduled Task/Job (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading (121); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (351); Process Injection (11); Obfuscated Files or Information (1); Software Packing (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (341); Virtualization/Sandbox Evasion (351); System Information Discovery (213); System Network Configuration Discovery; Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Screen Capture (1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph ID: 1586489 | Sample: DkvES47bkt.exe | Start date: 09/01/2025 | Architecture: WINDOWS | Score: 100

Node numbers in brackets are the graph's own; the number in parentheses after a process is the count badge the graph displays next to it.

[2] Start
  DNS/IP: [40] et-seattle.gl.at.ply.gg
  Signatures: [44] Multi AV Scanner detection for submitted file; [46] .NET source code contains potential unpacker; [48] Machine Learning detection for sample; [50] 5 other signatures
  Started: [8] DkvES47bkt.exe (2); [12] Defender.exe (2); [15] Defender.exe (2); [17] Defender.exe
[8] DkvES47bkt.exe
  Dropped: [38] C:\Windows\System32\Defender.exe, PE32
  Signatures: [54] Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); [56] Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); [58] Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); [62] 2 other signatures
  Started: [19] cmd.exe (1); [22] cmd.exe (1); [24] WmiPrvSE.exe
[12] Defender.exe
  DNS/IP: [42] et-seattle.gl.at.ply.gg 147.185.221.24, ports 49783, 49988, 49994, SALSGIVERUS, United States
  Signatures: [60] Antivirus detection for dropped file
  Started: [26] WerFault.exe (22 16)
[15] Defender.exe
  Started: [28] WerFault.exe (16)
[17] Defender.exe
  Started: [30] WerFault.exe
[19] cmd.exe
  Signatures: [52] Uses schtasks.exe or at.exe to add and modify task schedules
  Started: [32] conhost.exe
[22] cmd.exe
  Started: [34] conhost.exe; [36] schtasks.exe (1)

Source | Detection | Scanner | Label
DkvES47bkt.exe | 61% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
DkvES47bkt.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Windows\System32\Defender.exe | 100% | Avira | TR/Crypt.OPACK.Gen
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Reputation
et-seattle.gl.at.ply.gg | 147.185.221.24 | true | false | unknown
Name | Source | Malicious | Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | DkvES47bkt.exe, Defender.exe.0.dr | false | high
http://upx.sf.net | Amcache.hve.14.dr | false | high
https://sectigo.com/CPS0 | DkvES47bkt.exe, Defender.exe.0.dr | false | high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | DkvES47bkt.exe, Defender.exe.0.dr | false | high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | DkvES47bkt.exe, Defender.exe.0.dr | false | high
http://ocsp.sectigo.com0 | DkvES47bkt.exe, Defender.exe.0.dr | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | DkvES47bkt.exe, 00000000.00000002.2266362731.00000000027E6000.00000004.00000800.00020000.00000000.sdmp, Defender.exe, 00000009.00000002.2345921597.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, Defender.exe, 00000010.00000002.2756227532.0000000002386000.00000004.00000800.00020000.00000000.sdmp, Defender.exe, 00000013.00000002.3334172631.0000000002626000.00000004.00000800.00020000.00000000.sdmp | false | high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | DkvES47bkt.exe, Defender.exe.0.dr | false | high
http://ocsp.sectigo.com0$ | DkvES47bkt.exe, Defender.exe.0.dr | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
147.185.221.24 | et-seattle.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | false
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1586489
Start date and time:2025-01-09 08:13:11 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 6m 52s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:22
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:DkvES47bkt.exe
renamed because original name is a hash value
Original Sample Name:2279710d7e98be4879dd5f1256e6cd51.exe
Detection:MAL
Classification:mal100.spyw.evad.winEXE@16/14@1/1
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 82%
• Number of executed functions: 63
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.42.73.29, 20.42.65.92, 13.107.246.45, 52.149.20.212, 40.126.32.138
• Excluded domains from analysis (whitelisted): client.wns.windows.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Defender.exe, PID 2496 because it is empty
• Execution Graph export aborted for target DkvES47bkt.exe, PID 5012 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: DkvES47bkt.exe
Time | Type | Description
02:14:26 | API Interceptor | 3x Sleep call for process: WerFault.exe modified
08:14:21 | Task Scheduler | Run new task: WindowsAPI path: C:\Windows\System32\Defender.exe
Match | Associated Sample Name / URL | Detection | Threat Name
147.185.221.24 | startup_str_466.bat | malicious | XWorm
147.185.221.24 | Fixer.exe | malicious | RedLine, SheetRat
147.185.221.24 | Fixer.exe | malicious | RedLine
147.185.221.24 | spreadmalware.exe | malicious | XWorm
147.185.221.24 | 7fqul5Zr8Y.exe | malicious | Unknown
147.185.221.24 | loader.exe | malicious | Unknown
147.185.221.24 | loader.exe | malicious | Unknown
147.185.221.24 | P3A946MOFP.exe | malicious | XWorm
147.185.221.24 | BootstrapperV1.16.exe | malicious | XWorm
147.185.221.24 | SharkHack.exe | malicious | XWorm
Match | Associated Sample Name / URL | Detection | Threat Name | Context
et-seattle.gl.at.ply.gg | Fixer.exe | malicious | RedLine, SheetRat | 147.185.221.24
et-seattle.gl.at.ply.gg | Fixer.exe | malicious | RedLine | 147.185.221.24
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SALSGIVERUS | startup_str_466.bat | malicious | XWorm | 147.185.221.24
SALSGIVERUS | Fixer.exe | malicious | RedLine, SheetRat | 147.185.221.24
SALSGIVERUS | Fixer.exe | malicious | RedLine | 147.185.221.24
SALSGIVERUS | spreadmalware.exe | malicious | XWorm | 147.185.221.24
SALSGIVERUS | 7fqul5Zr8Y.exe | malicious | Unknown | 147.185.221.24
SALSGIVERUS | miori.arm.elf | malicious | Unknown | 147.168.252.34
SALSGIVERUS | miori.m68k.elf | malicious | Unknown | 147.184.86.253
SALSGIVERUS | loader.exe | malicious | Unknown | 147.185.221.24
SALSGIVERUS | loader.exe | malicious | Unknown | 147.185.221.24
SALSGIVERUS | My33xbeYIX.exe | malicious | Njrat | 147.185.221.16
No context
No context
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):65536
                                          Entropy (8bit):1.1704823649326528
                                          Encrypted:false
                                          SSDEEP:384:4F4n6PLpFYaGbaJV2BtzuiFcFY4lO8Cv:4F4ILpFYaqaS7zuiFcFY4lO8I
                                          MD5:470BCC659558F2C9D4E5F0AA905E6F50
                                          SHA1:365A425CB5E15BC44E60101AC69E6FD94126E059
                                          SHA-256:6353E222675C6D42FC608FEDD0EDD8AA10B8F16341FF9B37FDB88F7335FFA7EE
                                          SHA-512:75ABEC0ECF020A52A2183F1EE029FFF20E56DCC8B982882FCEB8A18D1CB063A6A8E24A9CA0DFAB4961283AF4E368D968F6C8D5BE6732FE3DB93268F9F9929478
                                          Malicious:false
                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.8.8.0.5.0.5.0.3.0.9.3.2.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.8.8.0.5.0.5.6.4.0.3.1.1.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.0.3.9.e.7.0.a.-.6.e.3.9.-.4.b.6.f.-.8.2.5.7.-.4.7.a.4.8.f.c.0.8.b.b.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.d.6.d.5.e.e.8.-.9.8.f.2.-.4.2.8.a.-.8.c.7.9.-.4.5.4.9.2.9.4.1.2.7.b.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.D.e.f.e.n.d.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.e.x.p.l.o.r.e.r.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.8.0.-.0.0.0.1.-.0.0.1.5.-.4.1.2.c.-.1.0.3.3.6.6.6.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.b.2.d.2.2.6.2.1.1.6.2.7.4.7.9.8.d.d.2.2.9.9.9.3.7.1.d.9.c.5.6.0.0.0.0.0.0.0.0.!.0.0.0.0.6.f.0.4.6.9.c.f.9.c.d.d.0.1.4.6.e.8.7.c.c.4.b.d.6.c.0.3.0.3.8.e.a.b.0.2.7.9.a.9.!.D.e.f.e.n.d.e.r...e.x.e.....T.a.r.
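The Report.wer record above (UTF-16LE key=value text written by WerFault.exe) logs a CLR20r3 event, Windows Error Reporting's event type for an unhandled .NET exception, raised by the dropped Defender.exe; its OriginalFilename field, which WER reads from the faulting image's version resource, says explorer, which does not match the name on disk. The Python below is an added example, not part of this report or of the sample: it parses such a file, converts the FILETIME in EventTime to UTC, decodes Wow64Host as a PE machine type (34404 is 0x8664, IMAGE_FILE_MACHINE_AMD64, consistent with a PE32 process running under WOW64 on the x64 analysis system) and flags the name mismatch. SAMPLE_WER is constructed from the fields visible in the preview; the machine-type table and the mismatch rule are the example's own.

```python
"""Parse a Windows Error Reporting Report.wer file and flag a crashing image
whose on-disk name disagrees with its version-resource OriginalFilename.
Added example: not part of Joe Sandbox or of the analysed sample."""
from datetime import datetime, timedelta, timezone
import ntpath

# Constructed from the fields visible in the Report.wer preview above; the
# real file is UTF-16LE with a BOM and CRLF line endings, so the sample is
# encoded the same way.
_SAMPLE_TEXT = (
    "Version=1\r\n"
    "EventType=CLR20r3\r\n"
    "EventTime=133808805050309327\r\n"
    "ReportType=2\r\n"
    "Consent=1\r\n"
    "UploadTime=133808805056403115\r\n"
    "ReportStatus=524384\r\n"
    "ReportIdentifier=9039e70a-6e39-4b6f-8257-47a48fc08bbb\r\n"
    "IntegratorReportIdentifier=cd6d5ee8-98f2-428a-8c79-4549294127b7\r\n"
    "Wow64Host=34404\r\n"
    "NsAppName=Defender.exe\r\n"
    "OriginalFilename=explorer\r\n"
    "AppSessionGuid=00000980-0001-0015-412c-10336662db01\r\n"
)
SAMPLE_WER = b"\xff\xfe" + _SAMPLE_TEXT.encode("utf-16-le")

# PE machine types (IMAGE_FILE_MACHINE_*); Wow64Host carries the host's value
# when the crashing process ran under WOW64.
MACHINE_NAMES = {0x14C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_wer(data):
    """Decode a Report.wer blob into a dict of its key=value lines."""
    text = data.decode("utf-16")  # consumes the BOM and picks the byte order
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return fields


def filetime_to_iso(filetime):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO 8601, second precision."""
    moment = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return moment.strftime("%Y-%m-%dT%H:%M:%SZ")


def _stem(name):
    """Lower-cased file name without directory or extension."""
    return ntpath.splitext(ntpath.basename(name))[0].lower()


def triage_wer(fields):
    """Summarise the crash record and flag masquerading: NsAppName is the file
    that crashed, OriginalFilename comes from its version resource."""
    on_disk = _stem(fields.get("NsAppName", ""))
    original = _stem(fields.get("OriginalFilename", ""))
    host = int(fields.get("Wow64Host", "0") or 0)
    return {
        "event_type": fields.get("EventType"),
        "managed_crash": fields.get("EventType") == "CLR20r3",  # unhandled .NET exception
        "event_time_utc": filetime_to_iso(int(fields["EventTime"])),
        "on_disk_name": on_disk,
        "original_filename": original,
        "name_mismatch": bool(on_disk and original and on_disk != original),
        "wow64_host": MACHINE_NAMES.get(host, hex(host)) if host else None,
    }


if __name__ == "__main__":
    summary = triage_wer(parse_wer(SAMPLE_WER))
    for key, value in summary.items():
        print(f"{key:18s} {value}")
```

For the record above this yields a managed crash at 2025-01-09T07:15:05Z, the same minute as one of the minidumps listed below, an AMD64 host for a WOW64 process, and a mismatch between defender (on disk) and explorer (version resource). On a compromised host the same parser can be pointed at C:\ProgramData\Microsoft\Windows\WER\ReportQueue and ReportArchive to recover crash times and masquerading binaries after the malware itself has been removed.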
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):65536
                                          Entropy (8bit):1.1705175079903687
                                          Encrypted:false
                                          SSDEEP:384:rg4n5PLpFYaGbaRVB4tzuiFcQY4lO8Cv:rg4xLpFYaqal6zuiFcQY4lO8I
                                          MD5:2524DCEC7882B74B1DF34123049B529A
                                          SHA1:069C8FD387B6EE0E76350B6BC7791AB18A87775E
                                          SHA-256:0DED223BD8ADB14B83E61FB165AB86757DBB008627D1069E0CF29D4C9AFB36CD
                                          SHA-512:58D35C47817CE5B92D88E327245EC76C7528CFBD17ECAD1E8B2E30ADD218378DB9CEDB6D5F7FD45B33A12663C6E0AF26781C7F8FC5361844E6CA5BFC8EC17368
                                          Malicious:false
                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.8.8.0.5.6.2.8.5.4.5.6.1.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.8.8.0.5.6.3.5.1.0.7.8.0.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.0.2.7.0.7.2.6.-.9.6.3.4.-.4.7.9.1.-.8.b.0.8.-.7.e.f.e.d.4.c.b.0.f.3.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.d.c.e.c.c.7.0.-.9.e.6.8.-.4.b.b.8.-.a.f.9.0.-.8.a.a.4.2.8.f.7.5.1.0.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.D.e.f.e.n.d.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.e.x.p.l.o.r.e.r.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.0.c.-.0.0.0.1.-.0.0.1.5.-.6.e.8.c.-.a.2.5.5.6.6.6.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.b.2.d.2.2.6.2.1.1.6.2.7.4.7.9.8.d.d.2.2.9.9.9.3.7.1.d.9.c.5.6.0.0.0.0.0.0.0.0.!.0.0.0.0.6.f.0.4.6.9.c.f.9.c.d.d.0.1.4.6.e.8.7.c.c.4.b.d.6.c.0.3.0.3.8.e.a.b.0.2.7.9.a.9.!.D.e.f.e.n.d.e.r...e.x.e.....T.a.r.
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):65536
                                          Entropy (8bit):1.1769540793930429
                                          Encrypted:false
                                          SSDEEP:384:RS3UX4niPLpFYaGbaaOUWhzuiFcFY4lO8Cv:MUX4ALpFYaqaqgzuiFcFY4lO8I
                                          MD5:BB8B37D1C119FC7F57A8CBD12D998DB7
                                          SHA1:C5F1DE0471493407029CA704B78827F46C5E1B9D
                                          SHA-256:7EBC080C8ADBC61176A5D157332B5A94708BA0078476EB6E5EB28D2E0499DCAD
                                          SHA-512:4BA0530332A880967167D785C64BB14EF6078A2FCABF0B3D299DB2B202AB6C6FCBD0C70AF62E2203B5BFF93278422D3F8D683A057300F94479345B18FC9CCA33
                                          Malicious:false
                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.8.8.0.4.6.4.3.4.0.2.1.2.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.8.8.0.4.6.4.8.7.1.4.5.6.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.0.4.1.5.8.d.b.-.f.d.a.0.-.4.0.6.3.-.8.f.1.5.-.9.9.6.5.1.7.c.7.8.d.9.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.1.0.8.4.8.7.c.-.1.4.a.c.-.4.7.6.6.-.8.7.f.f.-.a.8.1.6.5.b.d.c.b.f.7.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.D.e.f.e.n.d.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.e.x.p.l.o.r.e.r.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.c.0.-.0.0.0.1.-.0.0.1.5.-.3.d.2.2.-.9.b.1.a.6.6.6.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.b.2.d.2.2.6.2.1.1.6.2.7.4.7.9.8.d.d.2.2.9.9.9.3.7.1.d.9.c.5.6.0.0.0.0.0.0.0.0.!.0.0.0.0.6.f.0.4.6.9.c.f.9.c.d.d.0.1.4.6.e.8.7.c.c.4.b.d.6.c.0.3.0.3.8.e.a.b.0.2.7.9.a.9.!.D.e.f.e.n.d.e.r...e.x.e.....T.a.r.
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:Mini DuMP crash report, 16 streams, Thu Jan 9 07:14:24 2025, 0x1205a4 type
                                          Category:dropped
                                          Size (bytes):383388
                                          Entropy (8bit):3.6214504599798745
                                          Encrypted:false
                                          SSDEEP:6144:eakCvbpg7o+8XlqV3QxbbkUNjh3t05yJlkX+O:ea3q5QxbbB5h3tKX
                                          MD5:377312B51BE8285C34BC8B09C294B4E7
                                          SHA1:8AEBDE36A61F0E9762D2521C5C40A3D3261B1EE6
                                          SHA-256:A90C54833EC3679ED18AF7EFADC9CE6C5E7F24A5BD198A358005605EEACF6822
                                          SHA-512:73EE61874017EBF8BDC68A229C6E5D52CA3E44F14E1F1ADCDF3ABE575C36B63A2510ED66F781B9087186955FFB7D803260E8315DDB89D57BC1C638FD76DB9AED
                                          Malicious:false
                                          Preview:MDMP..a..... .......Pw.g........................ ...........$....%...........&.......>.. q..........l.......8...........T...........p6..,............6...........7..............................................................................eJ.......8......Lw......................T...........Mw.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):8606
                                          Entropy (8bit):3.6922670753817313
                                          Encrypted:false
                                          SSDEEP:192:R6l7wVeJn8Yr6YENsYMgmfZ8lAYprO89bzZ+fZVxm:R6lXJ8k6YEWzgmfuldzwfZa
                                          MD5:56C011ABE2FE0BF7737BD3527305439C
                                          SHA1:28DB5A20CAAA8978B813E5AC6D5A66684F6FEDE9
                                          SHA-256:212DB44FA16F59627001C126E8666DB49979FFF46B5C57A89C5F6AE532E095DE
                                          SHA-512:4F5F945733A6DDF844323BAC7F72FAE69EA452A5139EC96643DF682FEE713B51F229472C0C42AB34142CBC75E2E0B6D3546CDDE514E41D3F31AFA766667E769F
                                          Malicious:false
                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.4.9.6.<./.P.i.
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):4809
                                          Entropy (8bit):4.453758471383588
                                          Encrypted:false
                                          SSDEEP:48:cvIwWl8zsENJg771I9OZWpW8VYnYm8M4JC0qnZ9FRyq8vz0qnZE0lrquHod:uIjfoI7lo7VLJC0KZJWz0KZE0AuHod
                                          MD5:770280803A00014BACA0EC7BE9ABAF9D
                                          SHA1:F89DAE413C3B458335C59E1E69FDAEAF4FD788C7
                                          SHA-256:39F6A1A208589E9267A7EB26E44C4DEDB71E120CE0AE60ACB87901854ED2016F
                                          SHA-512:25D91968BA275771C8381FFDC0812C306652CE0168D5EFA6FA65296B8170E5613D3FB9ACCB61D6C2F78CA6DB0CC7C6F61A9AF69C86C84353ECD5A9F46B99C722
                                          Malicious:false
                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="668057" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:Mini DuMP crash report, 16 streams, Thu Jan 9 07:16:03 2025, 0x1205a4 type
                                          Category:dropped
                                          Size (bytes):385904
                                          Entropy (8bit):3.593448450609726
                                          Encrypted:false
                                          SSDEEP:3072:/GVOjj/Nv2OysWk14rW50mcSkBPaoE8qEYD1CCquRu3+v1Ju3XaUr3:uVOjj/NvDyat6K8qrbqIu3Q1Ju3XZ
                                          MD5:3A4627ACAA69B096A8F2A9302BDC1E7E
                                          SHA1:37F0D88DA9AA65F6AA02F2D6292893D8F27A4B87
                                          SHA-256:9ED51BE4EBCB80AD4F49693D70884CAF7D4B49CC922CB0D8B7E3D9B3799653A7
                                          SHA-512:2500997204C7B6A0FB5AB083CDD0B32A158F34F706ED47AE595356DEDC09BE2C742D5112EA0C4F42072613217B05FA6D6136A8429EAC0901BB0E465B4FE111DE
                                          Malicious:false
                                          Preview:MDMP..a..... ........w.g....................................$....%...........%.......>...p..........l.......8...........T............5..............5...........7..............................................................................eJ.......8......Lw......................T............w.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):8802
                                          Entropy (8bit):3.6946084754985784
                                          Encrypted:false
                                          SSDEEP:192:R6l7wVeJuB06YENTAigmfZ8lAYprQ89b8L0f50m:R6lXJg06YE5Vgmfuln8If/
                                          MD5:88A5C50999108C84D48C15E8B10119C5
                                          SHA1:3EB0262ECB24104E821DA19E8290D8C2605C2D17
                                          SHA-256:14FF27575B8F97B994130DB19F4E5085C65980A40D6AFC9D242C0DB3C8510CD9
                                          SHA-512:1570BF4FF3FA3E593CACF93F9521A72ABC002DCD347ACC92CE5DCE4752C5FD4D9E870C30AAF10B6DB297B5A5115D98F3F25C73AF81D40D6ABDEC31EF579E1BEC
                                          Malicious:false
                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.6.2.0.<./.P.i.
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):4809
                                          Entropy (8bit):4.452619477784862
                                          Encrypted:false
                                          SSDEEP:48:cvIwWl8zsjJg771I9OZWpW8VYjYm8M4JC0qnZ9Fgyq8vz0qnZN0lrquHnd:uIjf9I7lo7VbJC0KZIWz0KZN0AuHnd
                                          MD5:384534865D6FE8B442F41FFC977608E3
                                          SHA1:C750F3C37C84020B8DDEACCCAC901DAABC5F01A3
                                          SHA-256:53320EA5513ECCB12BA9BC21F7D2C6E045972E17E4ED2AC450ECB4A7CCDD3A67
                                          SHA-512:0EFFD6C0C2CF16E72110DA5B45AB34C030A41DC8FEBB002C65BB3D62048CE7870EF5E223083D11A4CFD8B2EBA7E84F6870F7FA878609D15E1A0E114C912B8675
                                          Malicious:false
                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="668058" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:Mini DuMP crash report, 16 streams, Thu Jan 9 07:15:05 2025, 0x1205a4 type
                                          Category:dropped
                                          Size (bytes):379694
                                          Entropy (8bit):3.639915804062035
                                          Encrypted:false
                                          SSDEEP:6144:cP60PdPlMXe0Kaqr3QVuZS0NEXJ7YXXb:nqrQmS0W0
                                          MD5:EDEC9B30B211AC2060FAD922DF844A65
                                          SHA1:71A31B8B6721FC4B089E4E11D347D58D58318B62
                                          SHA-256:ECF8F3006EF5F15085CE8EE43F0C02CC8ECDAD780A3695852B1E6FC5E8E6C403
                                          SHA-512:449B4E090B22845DCB30DEF2EFF54EE70B0F50D9C12456B84858B475B05F3BAE54A7B67D59C204FD1B59EC766670428BC864994BB442376B2576C3F2AF41E06D
                                          Malicious:false
                                          Preview:MDMP..a..... .......yw.g....................................$....%...........%.......>...p..........l.......8...........T............5..^............5...........7..............................................................................eJ.......8......Lw......................T...........vw.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):8802
                                          Entropy (8bit):3.694392639243566
                                          Encrypted:false
                                          SSDEEP:192:R6l7wVeJpyKF6YENoDQgmfZ8lAYprH89bpH0f1jm:R6lXJ8A6YEy0gmfulCpUf8
                                          MD5:605FF31F81EFD7169942556118A4A3E5
                                          SHA1:593FAFA593BBF0EA9019DFC95B5BE31891D4FE4A
                                          SHA-256:D52A7E7EEA1CD7514EFAA873E34D1A5E9F0994FC070568886B9F18186D33826E
                                          SHA-512:11324DF8A860B4F77BF765DF1A51FE3B005835CA8243B78CFC8516412195A5B5DBF08C65E18DDC10EDE383F0735FA174BC6D27B0F51B2705D37B0E70628394CD
                                          Malicious:false
                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.4.3.2.<./.P.i.
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):4809
                                          Entropy (8bit):4.455165498886037
                                          Encrypted:false
                                          SSDEEP:48:cvIwWl8zsENJg771I9OZWpW8VYCnvYm8M4JC0qnZ9FZefyq8vz0qnZc0lrquHgd:uIjfoI7lo7VZnyJC0KZIWz0KZc0AuHgd
                                          MD5:8A3C9C3906CA9BCB07F1B7E34E11895F
                                          SHA1:344B52C2E8E4A9D5D3B48753504E20AE00D0F1E4
                                          SHA-256:AE9CD8F96934B56E7A8CEF276AB5D56EAC0C3C20AFA4AA25D763522BBBDAA4D2
                                          SHA-512:89A0096D4E70ABE42DE2790E0F4EB66374D56B909E60ED21EA553512D7A8CA4610893F66D5DFDE13A93E49329B5AC0C50A69FD2B64C2A2B3362CAD28CD2D9A8E
                                          Malicious:false
                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="668057" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                          Process:C:\Users\user\Desktop\DkvES47bkt.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):756421863
                                          Entropy (8bit):0.0077667893541988635
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:1ED3FDE9037B9FEAB60CCF4E571B07BB
                                          SHA1:AFAF5AD0B26226C23D39166F13F398FA8B71E585
                                          SHA-256:26F1CD04863D9193C858A60FE9E71851FCA55A54BC40CB1EF6F3E199A2016364
                                          SHA-512:0A38C653B6561C4D3E9207FB75AE03D8F2B5393719446009026BBA4A2A3A374E05A90C70F2C4F737016695C77DCCABF1147F2AFE6D62064F4636C2F78A0B6AF9
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Avira, Detection: 100%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s][f............................./... ...@....@.. .......................@............@.....................................O....@..................H$... ....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc....... ......................@..B........................H........... _...........................................................W.......4...f.2..W.....H3......3.......".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....*".(.....
                                          Process:C:\Windows\System32\WerFault.exe
                                          File Type:MS Windows registry file, NT/2000 or above
                                          Category:dropped
                                          Size (bytes):1835008
                                          Entropy (8bit):4.469213413800664
                                          Encrypted:false
                                          SSDEEP:6144:NzZfpi6ceLPx9skLmb0f8ZWSP3aJG8nAgeiJRMMhA2zX4WABluuNDjDH5S:FZHt8ZWOKnMM6bFppj4
                                          MD5:9ACCFEA9BC07B3A7755F83584362B31A
                                          SHA1:E82C8802755589D63B0E0AA1E6C1E23EA3B92A98
                                          SHA-256:44E88DA301267B572900976793122EAADFE89F23522A7D87118C60650F9F89B0
                                          SHA-512:52E1F1301D44DAE90E57E7967A7BE0FD1CC4DB4773B37C128703A0C9E652B4155E9076C4832BC27E2BEAAEDF69B74287E5E83FA8F2155FC64AFBEC3BFCB08301
                                          Malicious:false
                                          Preview:regfJ...J....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmZoz.fb...............................................................................................................................................................................................................................................................................................................................................gl(........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):6.187876039673124
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                          • Win32 Executable (generic) a (10002005/4) 49.93%
                                          • Windows Screen Saver (13104/52) 0.07%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:DkvES47bkt.exe
                                          File size:398'567 bytes
                                          MD5:2279710d7e98be4879dd5f1256e6cd51
                                          SHA1:da329d9800345202e606c80ae204e43c31fa515b
                                          SHA256:d46745c119fed12e116f9fe733bea4a562960f1bf86c4846132ad589ac8b65d1
                                          SHA512:748372fabaf15bc3d8b963b8cfec9cac1e3f69e0cbd22b3998d3b72fb62bce03e2ffde1c622cdd3b86c1915aa78e211568a81d8a004dda15d8f5d3ff7c3be125
                                          SSDEEP:6144:udqn92Oey3hWpanij1Ck6QQWFti9Ez2bDLujYzYm12JLXUsGytEqQ:uIn92O335ijomti9EzsOJL+UEq
                                          TLSH:7384F8253FA58E10D584247ECA7E3A09CB26E4F1260263433B0AF7A15D459DEDE2D3DB
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s][f............................./... ...@....@.. .......................@............@................................
                                          Icon Hash:00146a70b1290200
                                          Entrypoint:0x452f0e
                                          Entrypoint Section:.text
                                          Digitally signed:true
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x665B5D73 [Sat Jun 1 17:42:11 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Signature Valid:
                                          Signature Issuer:
                                          Signature Validation Error:
                                          Error Number:
                                          Not Before, Not After
                                            Subject Chain
                                              Version:
                                              Thumbprint MD5:
                                              Thumbprint SHA-1:
                                              Thumbprint SHA-256:
                                              Serial:
                                              Instruction
                                              jmp dword ptr [00402000h]
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              Name | Virtual Address | Virtual Size | Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x52ebc | 0x4f | .text
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x54000 | 0xdb84 | .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x5f000 | 0x2448 | .rsrc
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x62000 | 0xc | .reloc
                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                              .text | 0x2000 | 0x50f14 | 0x51000 | deae01dea4bd282363cbd1471f55f434 | False | 0.4614137249228395 | SysEx File - | 5.642674727388349 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .rsrc | 0x54000 | 0xdb84 | 0xdc00 | 90026b2f462557b685a94dfbd72c48e1 | False | 0.9482244318181818 | data | 7.9334691491605085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .reloc | 0x62000 | 0xc | 0x200 | 416a1794761209108f17c289732a5586 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                              RT_ICON | 0x54250 | 0x30f | PNG image data, 16 x 16, 8-bit/color RGB, non-interlaced | | | 1.0140485312899106
                                              RT_ICON | 0x54560 | 0x495 | PNG image data, 24 x 24, 8-bit/color RGB, non-interlaced | | | 1.0093776641091219
                                              RT_ICON | 0x549f8 | 0x669 | PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced | | | 1.0067032297379646
                                              RT_ICON | 0x55064 | 0xb1c | PNG image data, 48 x 48, 8-bit/color RGB, non-interlaced | | | 1.0038677918424754
                                              RT_ICON | 0x55b80 | 0x1108 | PNG image data, 64 x 64, 8-bit/color RGB, non-interlaced | | | 1.0025229357798164
                                              RT_ICON | 0x56c88 | 0x2e11 | PNG image data, 128 x 128, 8-bit/color RGB, non-interlaced | | | 1.000932756720088
                                              RT_ICON | 0x59a9c | 0x7ab8 | PNG image data, 256 x 256, 8-bit/color RGB, non-interlaced | | | 1.0005092946269416
                                              RT_GROUP_ICON | 0x61554 | 0x68 | data | | | 0.7403846153846154
                                              RT_VERSION | 0x615bc | 0x3dc | data | | | 0.47469635627530365
                                              RT_MANIFEST | 0x61998 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                              DLL | Import
                                              mscoree.dll | _CorExeMain
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Jan 9, 2025 08:14:24.336725950 CET | 49783 | 61069 | 192.168.2.6 | 147.185.221.24
                                              Jan 9, 2025 08:14:24.341521978 CET | 61069 | 49783 | 147.185.221.24 | 192.168.2.6
                                              Jan 9, 2025 08:14:24.341623068 CET | 49783 | 61069 | 192.168.2.6 | 147.185.221.24
                                              Jan 9, 2025 08:14:24.368258953 CET | 49783 | 61069 | 192.168.2.6 | 147.185.221.24
                                              Jan 9, 2025 08:14:24.372997046 CET | 61069 | 49783 | 147.185.221.24 | 192.168.2.6
                                              Jan 9, 2025 08:14:28.887413979 CET | 49783 | 61069 | 192.168.2.6 | 147.185.221.24
                                              Jan 9, 2025 08:15:04.618900061 CET | 49988 | 61069 | 192.168.2.6 | 147.185.221.24
                                              Jan 9, 2025 08:15:04.623874903 CET | 61069 | 49988 | 147.185.221.24 | 192.168.2.6
                                              Jan 9, 2025 08:15:04.624056101 CET | 49988 | 61069 | 192.168.2.6 | 147.185.221.24
                                              Jan 9, 2025 08:15:04.631064892 CET | 49988 | 61069 | 192.168.2.6 | 147.185.221.24
                                              Jan 9, 2025 08:15:04.635848999 CET | 61069 | 49988 | 147.185.221.24 | 192.168.2.6
                                              Jan 9, 2025 08:15:09.087198973 CET | 49988 | 61069 | 192.168.2.6 | 147.185.221.24
                                              Jan 9, 2025 08:16:02.366538048 CET | 49994 | 61069 | 192.168.2.6 | 147.185.221.24
                                              Jan 9, 2025 08:16:02.371442080 CET | 61069 | 49994 | 147.185.221.24 | 192.168.2.6
                                              Jan 9, 2025 08:16:02.371532917 CET | 49994 | 61069 | 192.168.2.6 | 147.185.221.24
                                              Jan 9, 2025 08:16:02.375936985 CET | 49994 | 61069 | 192.168.2.6 | 147.185.221.24
                                              Jan 9, 2025 08:16:02.380788088 CET | 61069 | 49994 | 147.185.221.24 | 192.168.2.6
                                              Jan 9, 2025 08:16:07.450014114 CET | 49994 | 61069 | 192.168.2.6 | 147.185.221.24
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Jan 9, 2025 08:14:24.319026947 CET | 55729 | 53 | 192.168.2.6 | 1.1.1.1
                                              Jan 9, 2025 08:14:24.331640959 CET | 53 | 55729 | 1.1.1.1 | 192.168.2.6
                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                              Jan 9, 2025 08:14:24.319026947 CET | 192.168.2.6 | 1.1.1.1 | 0x364d | Standard query (0) | et-seattle.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                              Jan 9, 2025 08:14:24.331640959 CET | 1.1.1.1 | 192.168.2.6 | 0x364d | No error (0) | et-seattle.gl.at.ply.gg | | 147.185.221.24 | A (IP address) | IN (0x0001) | false

                                              Target ID:0
                                              Start time:02:14:03
                                              Start date:09/01/2025
                                              Path:C:\Users\user\Desktop\DkvES47bkt.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\Desktop\DkvES47bkt.exe"
                                              Imagebase:0x4f0000
                                              File size:398'567 bytes
                                              MD5 hash:2279710D7E98BE4879DD5F1256E6CD51
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:2
                                              Start time:02:14:18
                                              Start date:09/01/2025
                                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                              Imagebase:0x7ff717f30000
                                              File size:496'640 bytes
                                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                              Has elevated privileges:true
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:3
                                              Start time:02:14:18
                                              Start date:09/01/2025
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:"CMD" netsh advfirewall firewall add rule name=",%MUc}<NcMKXc_" dir=in action=allow program="C:\Windows\System32\Defender.exe" enable=yes & exit
                                              Imagebase:0x7ff727760000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:4
                                              Start time:02:14:18
                                              Start date:09/01/2025
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff66e660000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:5
                                              Start time:02:14:18
                                              Start date:09/01/2025
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Microsoft\WindowsAPI" /tr "C:\Windows\System32\Defender.exe" /RL HIGHEST & exit
                                              Imagebase:0x7ff727760000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:6
                                              Start time:02:14:18
                                              Start date:09/01/2025
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff66e660000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:7
                                              Start time:02:14:18
                                              Start date:09/01/2025
                                              Path:C:\Windows\System32\schtasks.exe
                                              Wow64 process (32bit):false
                                              Commandline:schtasks /create /f /sc minute /mo 1 /tn "Microsoft\WindowsAPI" /tr "C:\Windows\System32\Defender.exe" /RL HIGHEST
                                              Imagebase:0x7ff7dcca0000
                                              File size:235'008 bytes
                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:9
                                              Start time:02:14:23
                                              Start date:09/01/2025
                                              Path:C:\Windows\System32\Defender.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\Defender.exe
                                              Imagebase:0x3b0000
                                              File size:756'421'863 bytes
                                              MD5 hash:1ED3FDE9037B9FEAB60CCF4E571B07BB
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              Reputation:low
                                              Has exited:true

                                              Target ID:14
                                              Start time:02:14:24
                                              Start date:09/01/2025
                                              Path:C:\Windows\System32\WerFault.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\WerFault.exe -u -p 2496 -s 1300
                                              Imagebase:0x7ff6e7360000
                                              File size:570'736 bytes
                                              MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:16
                                              Start time:02:15:03
                                              Start date:09/01/2025
                                              Path:C:\Windows\System32\Defender.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\Defender.exe
                                              Imagebase:0x170000
                                              File size:756'421'863 bytes
                                              MD5 hash:1ED3FDE9037B9FEAB60CCF4E571B07BB
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:18
                                              Start time:02:15:04
                                              Start date:09/01/2025
                                              Path:C:\Windows\System32\WerFault.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\WerFault.exe -u -p 2432 -s 1368
                                              Imagebase:0x7ff6e7360000
                                              File size:570'736 bytes
                                              MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:19
                                              Start time:02:16:01
                                              Start date:09/01/2025
                                              Path:C:\Windows\System32\Defender.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\Defender.exe
                                              Imagebase:0x1a0000
                                              File size:756'421'863 bytes
                                              MD5 hash:1ED3FDE9037B9FEAB60CCF4E571B07BB
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:21
                                              Start time:02:16:02
                                              Start date:09/01/2025
                                              Path:C:\Windows\System32\WerFault.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\WerFault.exe -u -p 4620 -s 1360
                                              Imagebase:0x7ff6e7360000
                                              File size:570'736 bytes
                                              MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f7cbbf7639a056b612ebdf5e0c5dffd5406daedf2f65cc200ec53aa9c870985a
                                                • Instruction ID: c7572b6835b6d3dbb8df3ec5516c7ba924fdba554d970ca7a22870fe47380669
                                                • Opcode Fuzzy Hash: f7cbbf7639a056b612ebdf5e0c5dffd5406daedf2f65cc200ec53aa9c870985a
                                                • Instruction Fuzzy Hash: CE82D210F4D6970FE7ABA37448B51763BA19F53311F8904B6C689CF2D3ED1C681A9392
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 716db69f10584f1c234340640c0faa2df0d85c23f94408128c5610a64fb52432
                                                • Instruction ID: 3f897d0679c6a52da86191cf9a236cdc9b6af50da6ac99b4a78dd4425722b44c
                                                • Opcode Fuzzy Hash: 716db69f10584f1c234340640c0faa2df0d85c23f94408128c5610a64fb52432
                                                • Instruction Fuzzy Hash: A2027324F2C81B07FBEEE26894F627A61819F56315FD01934D60DCF3D6ED2CB916A281
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4eb2eb3d4813f9ae8cc53eaf83c2ab58e0728098d9fd10b10802eb2d177edc54
                                                • Instruction ID: 14e0d29fbf3478608287d359fac0d9e959d0ea4e353ad035306038178e82632b
                                                • Opcode Fuzzy Hash: 4eb2eb3d4813f9ae8cc53eaf83c2ab58e0728098d9fd10b10802eb2d177edc54
                                                • Instruction Fuzzy Hash: FFF1A530A08A4D8FEBA9DF28C8557E977E1FF95310F04427EE84DC7295DB38A9418B81
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: af40b926abe195acf69cd05f8b0af3057c1d17e2e5924c89be161ab56cec19d0
                                                • Instruction ID: e66496a940e4ac2b82a607ac274b4a72c0a0185f6fe64ad6f3118c7a0c668dea
                                                • Opcode Fuzzy Hash: af40b926abe195acf69cd05f8b0af3057c1d17e2e5924c89be161ab56cec19d0
                                                • Instruction Fuzzy Hash: 3AE19430A08A4E8FEBA9DF28C8557E977E1FF55310F14427AD84DC7291DE78A8458B81
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 09da1d483c31c1d79127cd67b9716f6b4676bc12c1a2ee5d35cb278db862d5f8
                                                • Instruction ID: df35f46ffc26fd5358c3d92c1c3ff995b0017719c6c41cde81087a4dd73db9dd
                                                • Opcode Fuzzy Hash: 09da1d483c31c1d79127cd67b9716f6b4676bc12c1a2ee5d35cb278db862d5f8
                                                • Instruction Fuzzy Hash: DD616B39F2C01315FBBFA128C8E61B671829F63315F542578C74CCE3D1AE2DB96A61A1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: `KC4$#CO_^
                                                • API String ID: 0-1589009564
                                                • Opcode ID: adc9bcef7a0ee169791fe4603b6eb0493f112d99fdf616d44c6d7139aed0cfb4
                                                • Instruction ID: 56f9c44e1e85dd02ef367f5e406afaa8df9774272498576bd58d92dd91272c1d
                                                • Opcode Fuzzy Hash: adc9bcef7a0ee169791fe4603b6eb0493f112d99fdf616d44c6d7139aed0cfb4
                                                • Instruction Fuzzy Hash: CBC19F21B1CA194BEB99EB6894A17BAB3D2FF9A310F500579E54DC72D2CE2CFC418741
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ;N_^
                                                • API String ID: 0-3449437470
                                                • Opcode ID: b2f8fc2dc76521dc54d06e57a6794669fb4f87c81a879c4e61dbfd75952be079
                                                • Instruction ID: 0cc45ce1d65edad502fba8fb9c3e5641aea4f0a309b03eaa4c065b02428a2780
                                                • Opcode Fuzzy Hash: b2f8fc2dc76521dc54d06e57a6794669fb4f87c81a879c4e61dbfd75952be079
                                                • Instruction Fuzzy Hash: 0A412B33F1C9651FE769966CA4A51F927D1EFA5B20B0401BED24ED7297DD28EC028381
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ?N_^
                                                • API String ID: 0-1123592777
                                                • Opcode ID: 6b9a7ddd89873341e07cedcd47f126c2ea288e564b08ce1c265616ac2515240f
                                                • Instruction ID: 8dd9b5566b236ad0dba5d9f5b3308288e337062518830c888c5aefa84c398fc7
                                                • Opcode Fuzzy Hash: 6b9a7ddd89873341e07cedcd47f126c2ea288e564b08ce1c265616ac2515240f
                                                • Instruction Fuzzy Hash: EA112B22A0E7C65FEB17676868B10F63FA1DF57328B0901F7D58CCA1A3D80C98068352
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f3df9c2756613a8634fda86157dcebceb812cacd73ea25b4c6dc442cf5fa3337
                                                • Instruction ID: 465a3a16f70f03a45b26c019f6882fa7ea9085a93734c61c5ae105b2cb81e4dc
                                                • Opcode Fuzzy Hash: f3df9c2756613a8634fda86157dcebceb812cacd73ea25b4c6dc442cf5fa3337
                                                • Instruction Fuzzy Hash: 06D1A630A08A8D8FEB69DF28D8557E977E1FF55311F04427EE84DC7291CB78A9418B82
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a5d622cdc59d088ddc4cef005eb01d784c64ab2735c61d2d14e64befb7bf3230
                                                • Instruction ID: 7685d2dd1feda587b646afe6a676d89506bb66b1bef75bc736685158b7364b81
                                                • Opcode Fuzzy Hash: a5d622cdc59d088ddc4cef005eb01d784c64ab2735c61d2d14e64befb7bf3230
                                                • Instruction Fuzzy Hash: 80B1C130F58A094FEB95EBA888A67F977E2EF9A311F04417AD10DC73D2DD2CA8418741
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5c29a358fdc2f6b2b1788f55e3946b73394fe20e743cc2923a63a0a03607eebc
                                                • Instruction ID: bdadd201b9d0b6ff0baaaad8b7ee15f4f049950798ebb688faec028fa2571d1e
                                                • Opcode Fuzzy Hash: 5c29a358fdc2f6b2b1788f55e3946b73394fe20e743cc2923a63a0a03607eebc
                                                • Instruction Fuzzy Hash: 9EB1A930A08A4D4FEB69DF28D8557E93BE1FF55310F14427EE84DC7291CA78A945CB82
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fb6bc8cf249f11c107b3b5fe037a4b7b3e57d5f873d761e4550cc6346afe82b2
                                                • Instruction ID: b8b36ec0b6427f7237446652801f8c84480aefdba48d27d48f769d11583fd871
                                                • Opcode Fuzzy Hash: fb6bc8cf249f11c107b3b5fe037a4b7b3e57d5f873d761e4550cc6346afe82b2
                                                • Instruction Fuzzy Hash: FF919432FA890A4FF3E5A36C84A277962D2EB8D321F5501B5D10CD73D2CD2DAC425341
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8fe1c177fbf2b4bf3e12c48d56661010e3ad44617dd90f413fd3c7902bb174cb
                                                • Instruction ID: 201f6447928ae407781edd0ecf77755c74d657e90ddf0128a2fdc1478e154d11
                                                • Opcode Fuzzy Hash: 8fe1c177fbf2b4bf3e12c48d56661010e3ad44617dd90f413fd3c7902bb174cb
                                                • Instruction Fuzzy Hash: DC518430D08A1C8FDB69DF58D855BE9BBF1FB59310F1082AAD04DE3252DE34A9858F81
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c7a6575dc181d86280e5ea8bc2d7253e423fba7a95350ded8bcee3f3a236d377
                                                • Instruction ID: 134e72fb83b6a6892ed1c1da1ab0640753075fc3667b7857f2edfe507a6c9567
                                                • Opcode Fuzzy Hash: c7a6575dc181d86280e5ea8bc2d7253e423fba7a95350ded8bcee3f3a236d377
                                                • Instruction Fuzzy Hash: 7B51F722F1CA014BF75D971CA8AA67577C6EBAA351F1401BEE54EC32E3DC2DBC424245
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4648edd821bd691c5ebc2df4499a420b2aa12d74b1d70d49da50bfae3459e0a4
                                                • Instruction ID: 61e0dde343f4da24a4d21e59f3b50bd4572ee14cdd2936d12f5d3ff59d7610bf
                                                • Opcode Fuzzy Hash: 4648edd821bd691c5ebc2df4499a420b2aa12d74b1d70d49da50bfae3459e0a4
                                                • Instruction Fuzzy Hash: 9451FC61F1C6491FE75A6629889657A3FD9EF97760F0400BEE08FC3193ED5CA8038752
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f4383d2674a638d54b34294eec19e003629c4f85e43127a7e8b8ac04e8726071
                                                • Instruction ID: 85c7a3a498c330d09525b5b0fe4ae7b8bbf682f4bb1c3a1e8589361172d2895a
                                                • Opcode Fuzzy Hash: f4383d2674a638d54b34294eec19e003629c4f85e43127a7e8b8ac04e8726071
                                                • Instruction Fuzzy Hash: DD51F422F0DA9A4FE7A7A77C44B51B97BE1EF4A310B0900BAD64DCB293DD1C5C459342
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 41fecebb108bbd89f739999bb2abc5285ab35332427e67d0438cb699e945e6d4
                                                • Instruction ID: cafc3489d0004423b88d1446a1d6b74eed5d77b0debc4a3bae5c7b73c026dd04
                                                • Opcode Fuzzy Hash: 41fecebb108bbd89f739999bb2abc5285ab35332427e67d0438cb699e945e6d4
                                                • Instruction Fuzzy Hash: 7C51DE31F5CA194FEBA9EB6884A96B873E1EF99311F44007AE50DD73D2DD2DAC018340
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 714c6d239b9ae166b5e2372b3a92a97cd61e78ea30ff9c0bc8624f157fb73021
                                                • Instruction ID: 0e05e78ff25f7317f4b24f7b49d24f4c55d366f9be38daccf1bdf0c5d9921e3f
                                                • Opcode Fuzzy Hash: 714c6d239b9ae166b5e2372b3a92a97cd61e78ea30ff9c0bc8624f157fb73021
                                                • Instruction Fuzzy Hash: 03510231A0CB4C8FDB29EB68D8567EDBBF1FB55310F1442AED049D3292CA74A845CB81
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3ae25900490c26f7c9644a94159248126f020b7f8fda58d533dfcea99e799f8a
                                                • Instruction ID: 6324b21d0b6034998e818d58c91939049067a5633cb9053f1a2fc227283cc08b
                                                • Opcode Fuzzy Hash: 3ae25900490c26f7c9644a94159248126f020b7f8fda58d533dfcea99e799f8a
                                                • Instruction Fuzzy Hash: 7941CF31F58A194FEBA8EB6894A56B973D1EF89311F440079E50DE7392DD2DAC418240
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dd1d2a94ca969e60507e4a6783ff841f5b7478a819929a0523ac93271602573a
                                                • Instruction ID: dfdfd9562125e86424a851d96a7fd67438c073ac25d7ae9d091482b7a9e6079b
                                                • Opcode Fuzzy Hash: dd1d2a94ca969e60507e4a6783ff841f5b7478a819929a0523ac93271602573a
                                                • Instruction Fuzzy Hash: 6A41E231F58A194FEBA8EB6C94A56BC72D1EF89311F440079E50DE73D2DD2DAC018340
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e8feb235a39351ee6cacdc3e3b660f56d6813917d793104509f7e3c1fa80b44a
                                                • Instruction ID: b4702bfb0d89b4b3212a659157438a5b9569332c1f16228144e78f5985cf214a
                                                • Opcode Fuzzy Hash: e8feb235a39351ee6cacdc3e3b660f56d6813917d793104509f7e3c1fa80b44a
                                                • Instruction Fuzzy Hash: 8151B232E189598FEB85EB68D4B56F877E1FF4A310F0500BAD50EE72D2DA2CAC018741
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b7da4dd2b6bfe313c49bea557b0d022ca89053a3140dd6975a18efcf82ea0d9a
                                                • Instruction ID: 2217896b0fbec6831d4c688d64903e59dcb8d937b95ebcad76db1c3e1eae0499
                                                • Opcode Fuzzy Hash: b7da4dd2b6bfe313c49bea557b0d022ca89053a3140dd6975a18efcf82ea0d9a
                                                • Instruction Fuzzy Hash: AC513C32F1891A8FEB95EB68D4A96BC73E2EF59311F400175D50EE7392DE2C6C419740
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7dfae9fab5ca2ce80089500aeb4d10ae5a014be54d878179803d26c58cf4cfc7
                                                • Instruction ID: 74f57b44759c2beff05d6f5db2a7c10cf2743963e04456fc6d42b6b13c9862c4
                                                • Opcode Fuzzy Hash: 7dfae9fab5ca2ce80089500aeb4d10ae5a014be54d878179803d26c58cf4cfc7
                                                • Instruction Fuzzy Hash: 2B41A331F189094FEB95E72C84A96B83AD1FF9A315F5900BAE14ED3692DD2CEC41D701
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6a4642363548a6766c52fa9982c72e2080f8b7e063b239d25f0855ef22f6c0e2
                                                • Instruction ID: 4549bbfe9dda18c99f99be18ca3d6c05d95aad1982cb54fc8a11ad165209f990
                                                • Opcode Fuzzy Hash: 6a4642363548a6766c52fa9982c72e2080f8b7e063b239d25f0855ef22f6c0e2
                                                • Instruction Fuzzy Hash: 8E412C32F1891A8FEB95EB6CD8A56BCB2E2EF99311F400179D50DE7392DE2C6C419740
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 15cb23ffcbb80e5706e5e9731ec0d74f01fc66616c4a896939862f8255ddb56e
                                                • Instruction ID: a3cf11961bca78b3649ee3fe64a465d3517013934bf51f2120e5e4c89a9f8ac3
                                                • Opcode Fuzzy Hash: 15cb23ffcbb80e5706e5e9731ec0d74f01fc66616c4a896939862f8255ddb56e
                                                • Instruction Fuzzy Hash: BF41DD31F48A1E4FEBA5EB2880A56BD72E2FF8A302F440475E50DD7381DE3DA8409740
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 080a9d3442bfecabf3d35f96a6a0fc1e0f9ba18b9d9619a37d8452e2f0096078
                                                • Instruction ID: 38bcd0468da49dc4518e03f1ba7fdb9f156037a49dc82969e1e0762dcc430831
                                                • Opcode Fuzzy Hash: 080a9d3442bfecabf3d35f96a6a0fc1e0f9ba18b9d9619a37d8452e2f0096078
                                                • Instruction Fuzzy Hash: 2431D221F089494FEB96A76C94A86BD3BE1FF8A310F1900B6D64FC71D2DD2CE8419B41
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4b04fa7b120605b7872440301e7016f8f5352451bf0b42262ae28451de9417ea
                                                • Instruction ID: 84cee041ef5fcd5cefa5acf44995fb22fbae276e787029454cf2d6a5a051f896
                                                • Opcode Fuzzy Hash: 4b04fa7b120605b7872440301e7016f8f5352451bf0b42262ae28451de9417ea
                                                • Instruction Fuzzy Hash: E3412841F5CA8B0BEAAA73B820761BE9DA65F83302BD14474E14DDF6CBDC2CAD019351
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1606e4ea43dc9ff10208ff5cfda8d99b3ef2ffd15641bb2db9a4f9f17927094b
                                                • Instruction ID: 8b9dff6e2ef2089bbc6c9ecfc9f7e2c9543a2771c4eccd51892232bb3e6aadcb
                                                • Opcode Fuzzy Hash: 1606e4ea43dc9ff10208ff5cfda8d99b3ef2ffd15641bb2db9a4f9f17927094b
                                                • Instruction Fuzzy Hash: 50318D32F0895D8FEB81EB6C84A56FCB7E1FF5A320F050176D10DDB292DA6C68819790
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fa4aa9f844a1f94afabfeba04b7999f406a5da48244b1cfc2bc1b5718dd065d2
                                                • Instruction ID: b16e4425b85e59d61dff58431dfd594683572e3ef8d165f8b313d3ef7aead9b6
                                                • Opcode Fuzzy Hash: fa4aa9f844a1f94afabfeba04b7999f406a5da48244b1cfc2bc1b5718dd065d2
                                                • Instruction Fuzzy Hash: 44319F22F4D99A1FFB96A72C84B91A867D1AF66221B0A04B6C54DCB3D3CD1C6C099341
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6ce78f5dc1e9299d28d02af9cab0b6988fab1897a78600539f740d97714e0b1d
                                                • Instruction ID: 8b7bae8140063d2d88eba3b77ab972f41a813799cae924edfed760268d79cc4c
                                                • Opcode Fuzzy Hash: 6ce78f5dc1e9299d28d02af9cab0b6988fab1897a78600539f740d97714e0b1d
                                                • Instruction Fuzzy Hash: DE21D811F1D94A0BF7AB666864B56B81AC1EF87350F5940F6D64FC31C2EC4CEC825381
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8c0fe3fa374af97ff1aa9016bd6ba49f73c623c85527937982ab5109f984dde5
                                                • Instruction ID: 12cd411dbe9e7738525acdcc9e0ea8c8478f36bac41753bc8e0eb7ab38b2b620
                                                • Opcode Fuzzy Hash: 8c0fe3fa374af97ff1aa9016bd6ba49f73c623c85527937982ab5109f984dde5
                                                • Instruction Fuzzy Hash: B821BE32E98A6D4FFB61BB68D4A15F973D1EF4A310F0404B5DA5ED7282CE2CEC409281
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2f792db31f867eda4b1aa9cc16e7aaacfe686fee71d4e52289fa9db881d012a0
                                                • Instruction ID: e0ee0c80d693e0bb92fca611f60a33f6b7c288d2bf8b1d11d4baae54f075d190
                                                • Opcode Fuzzy Hash: 2f792db31f867eda4b1aa9cc16e7aaacfe686fee71d4e52289fa9db881d012a0
                                                • Instruction Fuzzy Hash: 18216331E4C54D8FEF5AAB6884A56F977A0EF4A310F44407AD64DC7281DD2CA844D781
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2a08fbd4df0727a25e59098ae6890874ae461f83cfaaa69d6af71ba863b32f3d
                                                • Instruction ID: d02d42a434254572870b4c815171f72bb41db315688751dc7d12b4c116af6b64
                                                • Opcode Fuzzy Hash: 2a08fbd4df0727a25e59098ae6890874ae461f83cfaaa69d6af71ba863b32f3d
                                                • Instruction Fuzzy Hash: ECE02031D4E94C4BDF85AE689C512D57790FF4A308F00007AD24CC72C2D73D5A90C382
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a33b65fd1ad1d64061b00931e7373e916c6f2ce3e8b9e9329d452c6f79295b67
                                                • Instruction ID: f3f70d55c3027470613cc3eaa4413f0c451d87a61fa3c650884574e756f5e110
                                                • Opcode Fuzzy Hash: a33b65fd1ad1d64061b00931e7373e916c6f2ce3e8b9e9329d452c6f79295b67
                                                • Instruction Fuzzy Hash: DFE0ED71E14A1D9F8B44DF58D8405DDB7F2FBD8320B10872A9419E3254DB3499458780
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2d55793e12bd422a15bafd1ffe14364a7306c69f503d8b23b4eff7f348e26dc7
                                                • Instruction ID: 7c17b4ede861e2737a6619fb864f1e869ad7a6c4144b676fa8f70a3514893bef
                                                • Opcode Fuzzy Hash: 2d55793e12bd422a15bafd1ffe14364a7306c69f503d8b23b4eff7f348e26dc7
                                                • Instruction Fuzzy Hash: 17D05E23B1C1180AFB0CA59CF8531FCB392EBC9634F00147AE24BE2182CC1A68220185
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 14a643d1233f42037fd0c4170801288022078ae1c9edd6bc984edebdbace240a
                                                • Instruction ID: 5ff9bb22ca5726c8f2013df33ec4af175b2b12c51506356a693d09a31c1203f2
                                                • Opcode Fuzzy Hash: 14a643d1233f42037fd0c4170801288022078ae1c9edd6bc984edebdbace240a
                                                • Instruction Fuzzy Hash: 05D0C931E1450E9BDB68EBA4E4611FDBBB5FF45300F8040B5E54DF7292DE386A558740
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 239639f9a144c95401649e859a7c06d3adf7ca7a09bd96717128a5d679abcc98
                                                • Instruction ID: 9b5cf4d45a4447f1aee0f7d0e088d1061e2f4dbb7a2e9f60593a5398dc3a2fbc
                                                • Opcode Fuzzy Hash: 239639f9a144c95401649e859a7c06d3adf7ca7a09bd96717128a5d679abcc98
                                                • Instruction Fuzzy Hash:
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3a58e77a7e0a21e65a8f3a73dd75496d6ebd2a8a3768a398340999466c25e0db
                                                • Instruction ID: 3ff7507c5bcffbdc6f80e99e5bedc04e87d72be6dacdd874123e77ef36610692
                                                • Opcode Fuzzy Hash: 3a58e77a7e0a21e65a8f3a73dd75496d6ebd2a8a3768a398340999466c25e0db
                                                • Instruction Fuzzy Hash: 05911F07F1C47626EA2937FD78652FE5B48CFA13B6B488677D34CED1A34C08988642E5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b7a5e84facffb2047eea40c48545836b387f5b3de592daf3289b7f8f937f87d0
                                                • Instruction ID: 801071ccc9987a076b21e74e8cbf78e62f59d79c51117a9d5c6e82b2ea346f1a
                                                • Opcode Fuzzy Hash: b7a5e84facffb2047eea40c48545836b387f5b3de592daf3289b7f8f937f87d0
                                                • Instruction Fuzzy Hash: E2C1C030A0CA4C8FDB69DB6898557E9BBB1FF56310F0442AED04DD7292CE74A945CB82
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2270338683.00007FFD34540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34540000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffd34540000_DkvES47bkt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c704ad14d12726f7d04bf4cb44425ae48e37019f395ed5f0faf044188cdb4f1c
                                                • Instruction ID: 798de7922243121465c890f57ac3dc7b838287b1fcef53131069c8b7c7296212
                                                • Opcode Fuzzy Hash: c704ad14d12726f7d04bf4cb44425ae48e37019f395ed5f0faf044188cdb4f1c
                                                • Instruction Fuzzy Hash: 95910731E0CB4C4FDB59EBA898556EDBBF1EB96311F04826FD049D3292CE74A845CB81
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2354545186.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7ffd34560000_Defender.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2af9b93dc83e0404186f5d0423a2e364e375183323a7034eadd5f27576724b67
                                                • Instruction ID: ed9ad39161954305c7586d31e4af0ec07ab54302bac125b370080e2a4e74cbe7
                                                • Opcode Fuzzy Hash: 2af9b93dc83e0404186f5d0423a2e364e375183323a7034eadd5f27576724b67
                                                • Instruction Fuzzy Hash: F6A2D920F1E6830FEB6BD63498B51797BA19F53321F4824BAC64DC71D3ED1C681A9392
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2354545186.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7ffd34560000_Defender.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 97eb21b01707f7c682c45318e63fcfe6d955fd16bd6ee4303a9c23f7da16fc03
                                                • Instruction ID: e5a488376bde2f70e92b4cd76262ee2964777eeb5eb29b67c00280242770f5f7
                                                • Opcode Fuzzy Hash: 97eb21b01707f7c682c45318e63fcfe6d955fd16bd6ee4303a9c23f7da16fc03
                                                • Instruction Fuzzy Hash: 7C12C760A4E3D20FE72746644C751A57FB19F53221F0A21FBC6C5CB0E3EA5C685AD3A2
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2354545186.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7ffd34560000_Defender.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7c71abb9ffbb46e53b02315197522b9f63b4135ce6f14143d993a8970c8129a7
                                                • Instruction ID: dce928e64209c3a1684cabca5f7c51c782143b4a268441c6828ca0f483ac1754
                                                • Opcode Fuzzy Hash: 7c71abb9ffbb46e53b02315197522b9f63b4135ce6f14143d993a8970c8129a7
                                                • Instruction Fuzzy Hash: 7AF1A630A08A8D8FEBA9DF28C8557E977E1FF55310F04426EE84DC7291DF78A9458B81
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2354545186.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7ffd34560000_Defender.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: adf4c2838a8c2567dfad81b63b2d56ee5e1efc12141431a00f9f8912952a5b84
                                                • Instruction ID: 6d6ba14eca39eb16c6ddaa8d179fd541a50dbc4f2c6247849ea2f993a4d1876e
                                                • Opcode Fuzzy Hash: adf4c2838a8c2567dfad81b63b2d56ee5e1efc12141431a00f9f8912952a5b84
                                                • Instruction Fuzzy Hash: EDE1C430A08A4D8FEBA9DF28C8657E977D1FF55310F14466AD84DC7291CF78A8458782
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2354545186.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7ffd34560000_Defender.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: `KE4$#CM_^
                                                • API String ID: 0-3045540529
                                                • Opcode ID: b9c318ac79667955421e40e6ea51848dc4693fda37fe5db9a90806528ce05a71
                                                • Instruction ID: 86ed8b290e4433b858c221f3f3e0aa0b480e92712e117f864a42e00741805ffa
                                                • Opcode Fuzzy Hash: b9c318ac79667955421e40e6ea51848dc4693fda37fe5db9a90806528ce05a71
                                                • Instruction Fuzzy Hash: 06C18021B189198BEB99FB6894B17B9B3D6FF9A320F500579E10DC32D2DE2CAC418741
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2354545186.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7ffd34560000_Defender.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6a1e83eef2ae989497cd1e952f83f69a809ed2f153efad88ec4894b9f9f22307
                                                • Instruction ID: b614646d978a4e905d12b9129bc4b8d55275c84348cbb3427d8c105c57d894bc
                                                • Opcode Fuzzy Hash: 6a1e83eef2ae989497cd1e952f83f69a809ed2f153efad88ec4894b9f9f22307
                                                • Instruction Fuzzy Hash: FDD19630A08A8D4FEB69DF28C8557F977D1FF59311F04426EE84DC7291CB78A9458B82
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2354545186.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7ffd34560000_Defender.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dfd5be4dd68af0f40effc2d5225fe89f45b1931d15ff7abcaf445cedd8b93cda
                                                • Instruction ID: f04fc205d42397ffab240799c971cc49b9af3944a85ef85a05a273eb84575d9f
                                                • Opcode Fuzzy Hash: dfd5be4dd68af0f40effc2d5225fe89f45b1931d15ff7abcaf445cedd8b93cda
                                                • Instruction Fuzzy Hash: 34B10530F599498FEB95EB6888A67F977E6EF9A320F04417AD00DC32D2DD2CAC418741
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2354545186.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7ffd34560000_Defender.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 80986cfa1feeb2f7dc7fbf225556ebc461c51cec756784da8cbe71ef52660e0f
                                                • Instruction ID: 39ee54068ac8788279bce6ae7f0a38d978d9993dd23147e0f42f79b75e9d48ce
                                                • Opcode Fuzzy Hash: 80986cfa1feeb2f7dc7fbf225556ebc461c51cec756784da8cbe71ef52660e0f
                                                • Instruction Fuzzy Hash: 20B1B730A0CA4D4FDB69DF28C8557E97BD1FF59310F04426EE84DC7292CA78A945CB82
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2354545186.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7ffd34560000_Defender.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ebf28c699512131b6f3771e2b0ca99f05997b555d3a534ad6dca6061d48b3255
                                                • Instruction ID: 8e3f08d9761ebbabffc4d5eafa601a92cc7c6d97b0d7361c76408d45e4b7b05a
                                                • Opcode Fuzzy Hash: ebf28c699512131b6f3771e2b0ca99f05997b555d3a534ad6dca6061d48b3255
                                                • Instruction Fuzzy Hash: 75916432FA890A4FF7E5E36C84A177962D2EB89321F5502B9D10DD73D2DD2DAC928341
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2354545186.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7ffd34560000_Defender.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 391fe2251193c55e31ca380aff818983406fae7ae63dcb748c5df7bed5141243
                                                • Instruction ID: 7167d5ac282ce8dd0e3c3aa0ad899ae077c84118e1e14fa681926fef5245f8ca
                                                • Opcode Fuzzy Hash: 391fe2251193c55e31ca380aff818983406fae7ae63dcb748c5df7bed5141243
                                                • Instruction Fuzzy Hash: 67518530E08A1C8FDB59DF58D855BE9B7F1FB59310F0082AAD04DE3252DE34A9858F81
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2354545186.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7ffd34560000_Defender.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3f65aa7cc3ac810df3ab66f12d16c31561d8eb9bbc23efecd2ba9f62cb0d4f5f
                                                • Instruction ID: 57e4691f9a00b7f5b8f1a916665ae3d45a3ec26f10c227f7ac1836626d7561e0
                                                • Opcode Fuzzy Hash: 3f65aa7cc3ac810df3ab66f12d16c31561d8eb9bbc23efecd2ba9f62cb0d4f5f
                                                • Instruction Fuzzy Hash: 5551D222F0DA8A4EE7A7A77884B52B93BD2EF5A320B4410BAD90DC7193DD1C5C459342
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2354545186.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7ffd34560000_Defender.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 92410f04efd6284dec15e3c9884092fd911c251758a84c5dd855caf96ddd05df
                                                • Instruction ID: 90846a0475f280f4871a0d32e16728fd4303ab1cd5f98d3d12a10356edeec73e
                                                • Opcode Fuzzy Hash: 92410f04efd6284dec15e3c9884092fd911c251758a84c5dd855caf96ddd05df
                                                • Instruction Fuzzy Hash: E751DF31F19A194FEBA9EB6C94A92B873D2EF5A321F44107AE50DD32D2DD3DAC018740
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2354545186.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7ffd34560000_Defender.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 79012b87aedcfd1054415ba2ec89328f9e9e38be7d15bcd1724b0b772abc450e
                                                • Instruction ID: 81caf4ecfde5c2918fa79fc3c8ae8f2c1e67183ae2440adc4595b219c48b145c
                                                • Opcode Fuzzy Hash: 79012b87aedcfd1054415ba2ec89328f9e9e38be7d15bcd1724b0b772abc450e
                                                • Instruction Fuzzy Hash: 8741DF31F289194FEBA8EB6C94A52B973D2EF59321F441079E50EE32D2DD3DAC418640
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2354545186.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7ffd34560000_Defender.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 51c8a310daea005a26ff1ae075bf2af666ecbb80bad6d68286ddc8fc4ea571f0
                                                • Instruction ID: 4d92fae44eb433bd940bd254ccaa0f553e7250934ef9efe8b155eafcdecd6da1
                                                • Opcode Fuzzy Hash: 51c8a310daea005a26ff1ae075bf2af666ecbb80bad6d68286ddc8fc4ea571f0
                                                • Instruction Fuzzy Hash: 3041CF31F299194FEBA9EB6C94A52B873D2EF59321F441079E50ED32D2DD3DAC418740
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2354545186.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7ffd34560000_Defender.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 447f30256d88eb7aa5bc2b3e0812333fe70116ce36ae2e3197c15d2fe8534164
                                                • Instruction ID: 43397243c46013da98b3f37be3f597a7246122245c2bda10664a5db50ff9bc17
                                                • Opcode Fuzzy Hash: 447f30256d88eb7aa5bc2b3e0812333fe70116ce36ae2e3197c15d2fe8534164
                                                • Instruction Fuzzy Hash: DE515D31F188198FEB95EB68D4A56BC73E2EF59361F401179D50ED32D2DE2C6C419740
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2354545186.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7ffd34560000_Defender.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 488682f1d77d233ce1289bb222f5163fa21cd2424d22e7389b01eed61676c372
                                                • Instruction ID: fa43d41e1ff0dd1b74432c3f7f849f655c7b4abcf949882447a278a420078a4d
                                                • Opcode Fuzzy Hash: 488682f1d77d233ce1289bb222f5163fa21cd2424d22e7389b01eed61676c372
                                                • Instruction Fuzzy Hash: 57416C32F189198FEB95EB68D8A56BCB3E2EF59321F401179D50ED3292DE3C6C418B40
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2354545186.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7ffd34560000_Defender.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 782d27d07b350106e952b61addd3267e05f3feb562e7e015ec248fff1c7eda9e
                                                • Instruction ID: 2ad095635c6821d2d2ae44e03f3f5d336fa8e4db7bf02ad74b111b7d9f292348
                                                • Opcode Fuzzy Hash: 782d27d07b350106e952b61addd3267e05f3feb562e7e015ec248fff1c7eda9e
                                                • Instruction Fuzzy Hash: B041CC31F5990A4FEBA5EB6884A56BC73E2EF8A321F440475D10ED32D1DE2CA8419340
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2354545186.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7ffd34560000_Defender.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9a0302525298d420579ae679d8a727f02433476c1e82e15fcde72f8cd41f1646
                                                • Instruction ID: fe4b368987ce65c984b413e47bb167095d54020434201a380cb7cf6eda7c506c
                                                • Opcode Fuzzy Hash: 9a0302525298d420579ae679d8a727f02433476c1e82e15fcde72f8cd41f1646
                                                • Instruction Fuzzy Hash: 7E416D01F1E58B0BE76AB7B811760BEAC965F83312BD45474E10EDB6CBEC2CAD018312
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2354545186.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7ffd34560000_Defender.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 514668f6f7a7105c3120e37fbe335654d8021315910e16de5758fb60777b53aa
                                                • Instruction ID: bcc8c04aca858df11241a5140bc89dcdca693ada2903cfa2eacea31cc485053b
                                                • Opcode Fuzzy Hash: 514668f6f7a7105c3120e37fbe335654d8021315910e16de5758fb60777b53aa
                                                • Instruction Fuzzy Hash: 6A31D412F4FAD60FFBA2A62C44F91B86BD1AF66220B0914BAD58DC71D3CC0CAC059341
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2354545186.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7ffd34560000_Defender.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5ff1eb7039a40ce8e0b47beaa09ecd233f8da268b29002b16a22595f21bb7c8e
                                                • Instruction ID: fcd3d379b7572484d8a385707223a2466a9530c977e54127e58bd8a75eff5b29
                                                • Opcode Fuzzy Hash: 5ff1eb7039a40ce8e0b47beaa09ecd233f8da268b29002b16a22595f21bb7c8e
                                                • Instruction Fuzzy Hash: B3318C72F0895D8FEB81EB6884A56EC7BE1FF5A320F4510B6D10DD3291DA6C68819780
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2354545186.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7ffd34560000_Defender.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 64135cc357989fff897def76737b3c814273f16a0b91ae27373acc72fb96f168
                                                • Instruction ID: ba7a6b18715bed775ce7217f512979b445f8bbd08be66247283fe576dea2c3a7
                                                • Opcode Fuzzy Hash: 64135cc357989fff897def76737b3c814273f16a0b91ae27373acc72fb96f168
                                                • Instruction Fuzzy Hash: 17219030E4E94D8FEB56EB6494A56FD77A0EF56320F50507AE64DC2181DE2CA880D781
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2354545186.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7ffd34560000_Defender.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e315745b53cffb48e738b2a0deca8ec36a6c24be494185f201c32218882a0650
                                                • Instruction ID: 647b0399fb2f0999ce24dd6518dde6d23360ae5b64c8d13674d327333be04c0e
                                                • Opcode Fuzzy Hash: e315745b53cffb48e738b2a0deca8ec36a6c24be494185f201c32218882a0650
                                                • Instruction Fuzzy Hash: 4BE0D831D4E94D4BCB85AE685C512D53790FF4A30CF00006AD24CC3182D72D5A90C382
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2354545186.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7ffd34560000_Defender.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dd222988c1e6d2e4718d159500a81f030fa3255059d71b4ddaa2a15932821138
                                                • Instruction ID: 6ad5002b80fdc92ad01048a19fe41ab88657efda6cb505369f72ff6a95beaa3f
                                                • Opcode Fuzzy Hash: dd222988c1e6d2e4718d159500a81f030fa3255059d71b4ddaa2a15932821138
                                                • Instruction Fuzzy Hash: 97D05231E0440E9BEB68EF94E4611ECBBA0EF45300F8000B1E40DE6282DE386A848700
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.2354545186.00007FFD34560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34560000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_7ffd34560000_Defender.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4453a8f59b5258ccd0891336ac1d1826ff498a6420a6a8a754ea8f498348e89b
                                                • Instruction ID: 2c0ae7f557b3dbf5b37df9c07deb5544d597b974630f9b245cf879e8f7ac4350
                                                • Opcode Fuzzy Hash: 4453a8f59b5258ccd0891336ac1d1826ff498a6420a6a8a754ea8f498348e89b
                                                • Instruction Fuzzy Hash:

                                                Execution Graph

                                                Execution Coverage:20.6%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:100%
                                                Total number of Nodes:3
                                                Total number of Limit Nodes:0
                                                execution_graph 6563 7ffd345717cd 6564 7ffd345717df NtProtectVirtualMemory 6563->6564 6566 7ffd345718b5 6564->6566

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 0 7ffd345717cd-7ffd345718b3 NtProtectVirtualMemory 5 7ffd345718bb-7ffd345718dd 0->5 6 7ffd345718b5 0->6 8 7ffd345718de-7ffd345718f5 5->8 6->5 9 7ffd34571900-7ffd34571918 8->9 10 7ffd345718f7-7ffd345718ff 8->10 9->8 12 7ffd3457191a 9->12 10->9 13 7ffd34571994 12->13 14 7ffd3457191c-7ffd34571925 12->14 17 7ffd345719be-7ffd34571a82 call 7ffd34570eb8 13->17 18 7ffd34571996 13->18 15 7ffd34571937 14->15 16 7ffd34571927-7ffd3457192c 14->16 20 7ffd3457196f-7ffd34571971 15->20 21 7ffd34571939 15->21 16->20 52 7ffd34571a87-7ffd34571a8d 17->52 22 7ffd345719bc 18->22 23 7ffd34571998-7ffd3457199f 18->23 25 7ffd34571973-7ffd34571978 20->25 26 7ffd345719a1-7ffd345719b5 20->26 21->20 27 7ffd3457193b-7ffd3457195f call 7ffd34568e40 * 2 21->27 22->17 29 7ffd3457197a 25->29 30 7ffd34571985-7ffd34571987 25->30 32 7ffd345719b7-7ffd345719ba 26->32 43 7ffd34571960-7ffd34571968 call 7ffd34570950 27->43 29->30 34 7ffd3457197c-7ffd3457197e 29->34 30->32 35 7ffd34571989-7ffd3457198e 30->35 32->22 38 7ffd34571990 34->38 39 7ffd34571980 34->39 35->38 40 7ffd3457192e-7ffd34571930 35->40 38->40 44 7ffd34571992 38->44 39->30 42 7ffd34571932 40->42 40->43 42->15 43->29 51 7ffd3457196a 43->51 44->13 51->20 53 7ffd34571aa1-7ffd34571aa7 52->53 54 7ffd34571a8f-7ffd34571a9c call 7ffd34566950 52->54 56 7ffd34571ad2-7ffd34571ad8 53->56 57 7ffd34571aa9-7ffd34571acb call 7ffd34568e40 53->57 54->53 58 7ffd34571ada-7ffd34571b01 call 7ffd34570e40 56->58 59 7ffd34571b06-7ffd34571b0c 56->59 57->58 76 7ffd34571acd 57->76 58->59 64 7ffd34571b0e-7ffd34571b13 call 7ffd345651f8 59->64 65 7ffd34571b18-7ffd34571b1e 59->65 64->65 66 7ffd34571b20-7ffd34571b34 65->66 67 7ffd34571b3b-7ffd34571b41 65->67 66->58 80 7ffd34571b36 66->80 71 7ffd34571b43-7ffd34571b52 call 7ffd34566940 67->71 72 7ffd34571b59-7ffd34571b5f 67->72 71->58 88 7ffd34571b54 71->88 78 7ffd34571b61-7ffd34571b75 72->78 79 7ffd34571b80-7ffd34571b86 72->79 76->56 78->57 94 7ffd34571b7b 
78->94 83 7ffd34571b88-7ffd34571baa call 7ffd34568e40 79->83 84 7ffd34571bb5-7ffd34571bbb 79->84 80->67 105 7ffd34571bb0 83->105 106 7ffd34571c85-7ffd34571ca7 call 7ffd34568e40 83->106 86 7ffd34571bbd-7ffd34571bc2 call 7ffd345651f8 84->86 87 7ffd34571bc7-7ffd34571bcd 84->87 86->87 92 7ffd34571be1-7ffd34571be7 87->92 93 7ffd34571bcf-7ffd34571bdc call 7ffd34566950 87->93 88->72 97 7ffd34571be9-7ffd34571c02 call 7ffd34568e40 92->97 98 7ffd34571c07-7ffd34571c0d 92->98 93->92 94->79 97->98 100 7ffd34571c0f-7ffd34571c31 call 7ffd34568e40 98->100 101 7ffd34571c38-7ffd34571c3e 98->101 100->106 122 7ffd34571c33 100->122 108 7ffd34571c40-7ffd34571c4f call 7ffd34566940 101->108 109 7ffd34571c5a-7ffd34571c60 101->109 105->84 125 7ffd34571ca9-7ffd34571cc0 call 7ffd34570e40 106->125 126 7ffd34571cc7-7ffd34571ce1 call 7ffd34570e40 106->126 108->57 120 7ffd34571c55 108->120 110 7ffd34571c62 109->110 111 7ffd34571c67-7ffd34571c6d 109->111 110->111 111->52 115 7ffd34571c73-7ffd34571c80 call 7ffd345651f8 111->115 120->109 122->101 125->126 134 7ffd34571cc2 call 7ffd34566918 125->134 135 7ffd34571ce3 call 7ffd34566918 126->135 136 7ffd34571ce8-7ffd34571cf3 126->136 134->126 135->136 139 7ffd34571d3b-7ffd34571d59 136->139 140 7ffd34571cf5-7ffd34571d12 136->140 149 7ffd34571d60-7ffd34571d68 139->149 143 7ffd34571d14-7ffd34571d39 140->143 144 7ffd34571d69-7ffd34571d94 140->144 143->139
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.2761528592.00007FFD34565000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34565000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_7ffd34565000_Defender.jbxd
                                                Similarity
                                                • API ID: MemoryProtectVirtual
                                                • String ID:
                                                • API String ID: 2706961497-0
                                                • Opcode ID: 7f1f27efcd1943baa10d58c819488b57d0f2194798521a7d737c4f8fcb881412
                                                • Instruction ID: 9a70cb9f9bf67d2511c30444b8ed1c63d524d85b8f4d3d0590bc95cfef1504fb
                                                • Opcode Fuzzy Hash: 7f1f27efcd1943baa10d58c819488b57d0f2194798521a7d737c4f8fcb881412
                                                • Instruction Fuzzy Hash: 0802C671F0C6890FEB66A76898A12B97FE1EF96310F0541BAD54CC72D3DD2CA8069781

                                                Execution Graph

                                                Execution Coverage:18.5%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:3
                                                Total number of Limit Nodes:0
                                                execution_graph 8212 7ffd345717cd 8213 7ffd345717df NtProtectVirtualMemory 8212->8213 8215 7ffd345718b5 8213->8215

                                                Control-flow Graph

                                                • Executed
• Not Executed
control_flow_graph 0 7ffd345717cd-7ffd345718b3 NtProtectVirtualMemory 5 7ffd345718bb-7ffd345718dd 0->5 6 7ffd345718b5 0->6 8 7ffd345718de-7ffd345718f5 5->8 6->5 9 7ffd34571900-7ffd34571918 8->9 10 7ffd345718f7-7ffd345718ff 8->10 9->8 12 7ffd3457191a 9->12 10->9 13 7ffd34571994 12->13 14 7ffd3457191c-7ffd34571925 12->14 17 7ffd345719be-7ffd34571a82 call 7ffd34570eb8 13->17 18 7ffd34571996 13->18 15 7ffd34571937 14->15 16 7ffd34571927-7ffd3457192c 14->16 20 7ffd3457196f-7ffd34571971 15->20 21 7ffd34571939 15->21 16->20 52 7ffd34571a87-7ffd34571a8d 17->52 22 7ffd345719bc 18->22 23 7ffd34571998-7ffd3457199f 18->23 25 7ffd34571973-7ffd34571978 20->25 26 7ffd345719a1-7ffd345719b5 20->26 21->20 27 7ffd3457193b-7ffd3457195f call 7ffd34568e40 * 2 21->27 22->17 29 7ffd3457197a 25->29 30 7ffd34571985-7ffd34571987 25->30 32 7ffd345719b7-7ffd345719ba 26->32 43 7ffd34571960-7ffd34571968 call 7ffd34570950 27->43 29->30 34 7ffd3457197c-7ffd3457197e 29->34 30->32 35 7ffd34571989-7ffd3457198e 30->35 32->22 38 7ffd34571990 34->38 39 7ffd34571980 34->39 35->38 40 7ffd3457192e-7ffd34571930 35->40 38->40 44 7ffd34571992 38->44 39->30 42 7ffd34571932 40->42 40->43 42->15 43->29 50 7ffd3457196a 43->50 44->13 50->20 53 7ffd34571aa1-7ffd34571aa7 52->53 54 7ffd34571a8f-7ffd34571a9c call 7ffd34566950 52->54 55 7ffd34571ad2-7ffd34571ad8 53->55 56 7ffd34571aa9-7ffd34571acb call 7ffd34568e40 53->56 54->53 59 7ffd34571ada-7ffd34571b01 call 7ffd34570e40 55->59 60 7ffd34571b06-7ffd34571b0c 55->60 56->59 76 7ffd34571acd 56->76 59->60 64 7ffd34571b0e-7ffd34571b13 call 7ffd345651f8 60->64 65 7ffd34571b18-7ffd34571b1e 60->65 64->65 66 7ffd34571b20-7ffd34571b34 65->66 67 7ffd34571b3b-7ffd34571b41 65->67 66->59 82 7ffd34571b36 66->82 72 7ffd34571b43-7ffd34571b52 call 7ffd34566940 67->72 73 7ffd34571b59-7ffd34571b5f 67->73 72->59 88 7ffd34571b54 72->88 78 7ffd34571b61-7ffd34571b75 73->78 79 7ffd34571b80-7ffd34571b86 73->79 76->55 78->56 94 7ffd34571b7b 78->94 80 7ffd34571b88-7ffd34571baa call 7ffd34568e40 79->80 81 7ffd34571bb5-7ffd34571bbb 79->81 105 7ffd34571bb0 80->105 106 7ffd34571c85-7ffd34571ca7 call 7ffd34568e40 80->106 86 7ffd34571bbd-7ffd34571bc2 call 7ffd345651f8 81->86 87 7ffd34571bc7-7ffd34571bcd 81->87 82->67 86->87 92 7ffd34571be1-7ffd34571be7 87->92 93 7ffd34571bcf-7ffd34571bdc call 7ffd34566950 87->93 88->73 95 7ffd34571be9-7ffd34571c02 call 7ffd34568e40 92->95 96 7ffd34571c07-7ffd34571c0d 92->96 93->92 94->79 95->96 101 7ffd34571c0f-7ffd34571c31 call 7ffd34568e40 96->101 102 7ffd34571c38-7ffd34571c3e 96->102 101->106 122 7ffd34571c33 101->122 108 7ffd34571c40-7ffd34571c4f call 7ffd34566940 102->108 109 7ffd34571c5a-7ffd34571c60 102->109 105->81 125 7ffd34571ca9-7ffd34571cc0 call 7ffd34570e40 106->125 126 7ffd34571cc7-7ffd34571ce1 call 7ffd34570e40 106->126 108->56 119 7ffd34571c55 108->119 110 7ffd34571c62 109->110 111 7ffd34571c67-7ffd34571c6d 109->111 110->111 111->52 115 7ffd34571c73-7ffd34571c80 call 7ffd345651f8 111->115 119->109 122->102 125->126 134 7ffd34571cc2 call 7ffd34566918 125->134 135 7ffd34571ce3 call 7ffd34566918 126->135 136 7ffd34571ce8-7ffd34571cf3 126->136 134->126 135->136 139 7ffd34571d3b-7ffd34571d59 136->139 140 7ffd34571cf5-7ffd34571d12 136->140 149 7ffd34571d60-7ffd34571d68 139->149 143 7ffd34571d14-7ffd34571d39 140->143 144 7ffd34571d69-7ffd34571d94 140->144 143->139
APIs
Memory Dump Source
• Source File: 00000013.00000002.3344837592.00007FFD34565000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34565000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_7ffd34565000_Defender.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: 08d7b3cf72b97c96186ca7b5d26b10bee571ed39b0ea18e12b2dd26621649a30
• Instruction ID: ce6ef70967fae1c1213bfdd08c9580d9e651c5474f5b1a300b75d4767e2f31ae
• Opcode Fuzzy Hash: 08d7b3cf72b97c96186ca7b5d26b10bee571ed39b0ea18e12b2dd26621649a30
• Instruction Fuzzy Hash: 3B02C731F0C6890FEB66976898B12B97FA1EF96310F0941BBD54DC72D3DD2CA8469381