Windows Analysis Report
PO1234.001.exe

Overview

General Information

Sample name: PO1234.001.exe
Analysis ID: 1596508
MD5: 435e17a63de9770c43659f6a6120ef5e
SHA1: 1bdce2820788f662108d4b6a2555f6dceb715a3d
SHA256: 36c4b76918ad0cc2990097d29fe693eb3333709e20b33b97ab12d6ccbaf3e4bc
Tags: 001, exe, MassLogger, Quotation, user-cocaman
Infos:

Detection

MassLogger RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • PO1234.001.exe (PID: 6636 cmdline: "C:\Users\user\Desktop\PO1234.001.exe" MD5: 435E17A63DE9770C43659F6A6120EF5E)
    • RegAsm.exe (PID: 796 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
{"EXfil Mode": "SMTP", "From": "carlos@instalacionestasende.com", "Password": "VzX79@6v", "Server": "webmail.instalacionestasende.com"}
Source | Rule | Description | Author | Strings
00000001.00000002.4142068190.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
00000001.00000002.4142068190.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000001.00000002.4142068190.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000001.00000002.4142068190.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
        • 0xffa5:$a1: get_encryptedPassword
        • 0x102e1:$a2: get_encryptedUsername
        • 0xfd32:$a3: get_timePasswordChanged
        • 0xfe53:$a4: get_passwordField
        • 0xffbb:$a5: set_encryptedPassword
        • 0x1198b:$a7: get_logins
        • 0x1163c:$a8: GetOutlookPasswords
        • 0x1141a:$a9: StartKeylogger
        • 0x118db:$a10: KeyLoggerEventArgs
        • 0x11477:$a11: KeyLoggerEventArgsEventHandler
        00000000.00000002.1700949684.0000000004329000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |

          Source | Rule | Description | Author | Strings
          0.2.PO1234.001.exe.43eaa40.2.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
          0.2.PO1234.001.exe.43eaa40.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
          0.2.PO1234.001.exe.43eaa40.2.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
                0.2.PO1234.001.exe.43eaa40.2.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
                • 0xe3a5:$a1: get_encryptedPassword
                • 0xe6e1:$a2: get_encryptedUsername
                • 0xe132:$a3: get_timePasswordChanged
                • 0xe253:$a4: get_passwordField
                • 0xe3bb:$a5: set_encryptedPassword
                • 0xfd8b:$a7: get_logins
                • 0xfa3c:$a8: GetOutlookPasswords
                • 0xf81a:$a9: StartKeylogger
                • 0xfcdb:$a10: KeyLoggerEventArgs
                • 0xf877:$a11: KeyLoggerEventArgsEventHandler
                0.2.PO1234.001.exe.43eaa40.2.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth |
                • 0x1361d:$a2: \Comodo\Dragon\User Data\Default\Login Data
                • 0x12b1b:$a3: \Google\Chrome\User Data\Default\Login Data
                • 0x12e29:$a4: \Orbitum\User Data\Default\Login Data
                • 0x13c21:$a5: \Kometa\User Data\Default\Login Data

                System Summary

                Source: Network Connection, Author: frack113, Data: DestinationIp: 185.176.9.81, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 796, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49738

                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2025-01-22T03:14:01.309114+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 158.101.44.242 | 80 | TCP
                2025-01-22T03:14:07.731089+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49731 | 158.101.44.242 | 80 | TCP
                2025-01-22T03:14:30.090620+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49745 | 158.101.44.242 | 80 | TCP

                AV Detection

                Source: PO1234.001.exe | Avira: detected
                Source: 00000000.00000002.1700949684.0000000004329000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "carlos@instalacionestasende.com", "Password": "VzX79@6v", "Server": "webmail.instalacionestasende.com"}
                Source: PO1234.001.exe | Virustotal: Detection: 55%
                Source: PO1234.001.exe | ReversingLabs: Detection: 43%
                Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                Source: PO1234.001.exe | Joe Sandbox ML: detected

                Location Tracking

                Source: unknownDNS query: name: reallyfreegeoip.org
                Source: PO1234.001.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49734 version: TLS 1.0
                Source: PO1234.001.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Stubs Fully\Public\Public Runpe\PR\PR\obj\Debug\Poses.pdb source: PO1234.001.exe, 00000000.00000002.1702325853.0000000005890000.00000004.08000000.00040000.00000000.sdmp, PO1234.001.exe, 00000000.00000002.1700826021.0000000003321000.00000004.00000800.00020000.00000000.sdmp, PO1234.001.exe, 00000000.00000002.1700826021.000000000338B000.00000004.00000800.00020000.00000000.sdmp
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then jmp 01975782h1_2_01975358
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then jmp 019751B9h1_2_01974F08
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then jmp 01975782h1_2_01975366
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then jmp 01975782h1_2_019756AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then jmp 072FA176h1_2_072F9FC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then jmp 072FA176h1_2_072FA0C5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]1_2_072F9F07
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]1_2_072F9EC9
                Source: global trafficTCP traffic: 192.168.2.4:62834 -> 162.159.36.2:53
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: Joe Sandbox ViewIP Address: 104.21.96.1 104.21.96.1
                Source: Joe Sandbox ViewIP Address: 158.101.44.242 158.101.44.242
                Source: Joe Sandbox ViewASN Name: INFORTELECOM-ASES INFORTELECOM-ASES
                Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                Source: unknownDNS query: name: checkip.dyndns.org
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49745 -> 158.101.44.242:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49731 -> 158.101.44.242:80
                Source: global trafficTCP traffic: 192.168.2.4:49738 -> 185.176.9.81:25
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                Source: global trafficDNS traffic detected: DNS query: webmail.instalacionestasende.com
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                Source: RegAsm.exe, 00000001.00000002.4144742712.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4149906136.0000000006770000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                Source: PO1234.001.exe, 00000000.00000002.1700949684.0000000004329000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4142068190.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                Source: RegAsm.exe, 00000001.00000002.4151860074.0000000008F30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://purl.oen
                Source: RegAsm.exe, 00000001.00000002.4144742712.00000000032E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                Source: PO1234.001.exe, 00000000.00000002.1700949684.0000000004329000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4142068190.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
                Source: PO1234.001.exe, 00000000.00000002.1700949684.0000000004329000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4142068190.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4144742712.0000000003310000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: 0.2.PO1234.001.exe.43d2810.4.raw.unpack, UltraSpeed.cs.Net Code: TakeScreenshot
                Source: 0.2.PO1234.001.exe.43eaa40.2.raw.unpack, UltraSpeed.cs.Net Code: TakeScreenshot
                Source: 0.2.PO1234.001.exe.43d2810.4.raw.unpack, UltraSpeed.cs.Net Code: VKCodeToUnicode
                Source: 0.2.PO1234.001.exe.43eaa40.2.raw.unpack, UltraSpeed.cs.Net Code: VKCodeToUnicode
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window created: window name: CLIPBRDWNDCLASS

                System Summary

                Source: 0.2.PO1234.001.exe.43eaa40.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.PO1234.001.exe.43eaa40.2.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.PO1234.001.exe.43d2810.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.PO1234.001.exe.43d2810.4.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.PO1234.001.exe.43d2810.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.PO1234.001.exe.43d2810.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.PO1234.001.exe.43eaa40.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.PO1234.001.exe.43eaa40.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.PO1234.001.exe.438a1c0.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.PO1234.001.exe.438a1c0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 00000001.00000002.4142068190.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000000.00000002.1700949684.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: PO1234.001.exe PID: 6636, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: RegAsm.exe PID: 796, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess Stats: CPU usage > 49%
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 77540000 page read and write
                Source: PO1234.001.exe, 00000000.00000000.1686163719.0000000000F92000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameNothing.exe0 vs PO1234.001.exe
                Source: PO1234.001.exe, 00000000.00000002.1700050878.00000000015DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs PO1234.001.exe
                Source: PO1234.001.exe, 00000000.00000002.1700826021.000000000338B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePoses.dll, vs PO1234.001.exe
                Source: PO1234.001.exe, 00000000.00000002.1700826021.000000000338B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCloudServices.exe< vs PO1234.001.exe
                Source: PO1234.001.exe, 00000000.00000002.1702325853.000000000589C000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamePoses.dll, vs PO1234.001.exe
                Source: PO1234.001.exe, 00000000.00000002.1703047246.0000000005D30000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameAntiBossing.dll8 vs PO1234.001.exe
                Source: PO1234.001.exe, 00000000.00000002.1700949684.0000000004329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAntiBossing.dll8 vs PO1234.001.exe
                Source: PO1234.001.exe, 00000000.00000002.1700949684.0000000004329000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCloudServices.exe< vs PO1234.001.exe
                Source: PO1234.001.exeBinary or memory string: OriginalFilenameNothing.exe0 vs PO1234.001.exe
                Source: 0.2.PO1234.001.exe.43eaa40.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.PO1234.001.exe.43eaa40.2.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.PO1234.001.exe.438a1c0.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000001.00000002.4142068190.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000000.00000002.1700949684.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: PO1234.001.exe PID: 6636, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: RegAsm.exe PID: 796, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: PO1234.001.exe, ExcavationTask.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.PO1234.001.exe.43d2810.4.raw.unpack, UltraSpeed.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.PO1234.001.exe.43d2810.4.raw.unpack, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.PO1234.001.exe.43eaa40.2.raw.unpack, UltraSpeed.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.PO1234.001.exe.43eaa40.2.raw.unpack, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.PO1234.001.exe.438a1c0.3.raw.unpack, FuelfordChassis.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.PO1234.001.exe.5d30000.6.raw.unpack, FuelfordChassis.csCryptographic APIs: 'TransformFinalBlock'
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/2@4/4
                Source: C:\Users\user\Desktop\PO1234.001.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO1234.001.exe.logJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: NULL
                Source: PO1234.001.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: PO1234.001.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\PO1234.001.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: PO1234.001.exeVirustotal: Detection: 55%
                Source: PO1234.001.exeReversingLabs: Detection: 43%
                Source: unknownProcess created: C:\Users\user\Desktop\PO1234.001.exe "C:\Users\user\Desktop\PO1234.001.exe"
                Source: C:\Users\user\Desktop\PO1234.001.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: C:\Users\user\Desktop\PO1234.001.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                Source: C:\Users\user\Desktop\PO1234.001.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\PO1234.001.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\PO1234.001.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\PO1234.001.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\PO1234.001.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\PO1234.001.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\PO1234.001.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\PO1234.001.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\PO1234.001.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\PO1234.001.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\PO1234.001.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\PO1234.001.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\PO1234.001.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\PO1234.001.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\PO1234.001.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\PO1234.001.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\PO1234.001.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\PO1234.001.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\PO1234.001.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\PO1234.001.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: PO1234.001.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: PO1234.001.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Stubs Fully\Public\Public Runpe\PR\PR\obj\Debug\Poses.pdb source: PO1234.001.exe, 00000000.00000002.1702325853.0000000005890000.00000004.08000000.00040000.00000000.sdmp, PO1234.001.exe, 00000000.00000002.1700826021.0000000003321000.00000004.00000800.00020000.00000000.sdmp, PO1234.001.exe, 00000000.00000002.1700826021.000000000338B000.00000004.00000800.00020000.00000000.sdmp
                Source: PO1234.001.exeStatic PE information: 0xFEBA3976 [Fri Jun 5 03:54:30 2105 UTC]
                Source: C:\Users\user\Desktop\PO1234.001.exeCode function: 0_2_0181E6E0 push esp; retf 0_2_0181E6E1
                Source: PO1234.001.exeStatic PE information: section name: .text entropy: 7.78734160032619
                Source: C:\Users\user\Desktop\PO1234.001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                Source: Yara matchFile source: Process Memory Space: PO1234.001.exe PID: 6636, type: MEMORYSTR
                Source: C:\Users\user\Desktop\PO1234.001.exeMemory allocated: 1810000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\PO1234.001.exeMemory allocated: 3320000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\PO1234.001.exeMemory allocated: 3140000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 1970000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 32E0000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 52E0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\PO1234.001.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 1036Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 8804Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: foregroundWindowGot 1775Jump to behavior
                Source: C:\Users\user\Desktop\PO1234.001.exe TID: 3300Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6640Thread sleep time: -24903104499507879s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6640Thread sleep time: -100000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\PO1234.001.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 100000
                Source: RegAsm.exe, 00000001.00000002.4143867436.0000000001701000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0197C168 LdrInitializeThunk,LdrInitializeThunk,1_2_0197C168
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\PO1234.001.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: 0.2.PO1234.001.exe.337f2e8.0.raw.unpack, EngineAlgorithm.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
                Source: 0.2.PO1234.001.exe.43d2810.4.raw.unpack, UltraSpeed.cs Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                Source: C:\Users\user\Desktop\PO1234.001.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qD:n
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qT3
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q]
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qH(9
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q8Hh
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q\
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q0ZB
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q zq
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qhi>
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qu^
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q`
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q4<
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q\.t
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qd
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qT@<
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q<rE
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qt_q
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q|oy
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qlqK
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qh
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qL
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q40
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qP
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^ql.Q
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qlNr
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qt^z
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qN
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qD`}
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qTY
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qT
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qSv
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qX
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qU4
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q`6o
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qhFw
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qx%
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qXDe
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qPw?
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q|mL
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qT\~
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qx"
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q5?
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q Vi
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q\mr
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qt;i
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qX#[
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q|n8
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q(gh
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qxCV
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q$?A
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qh"g
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qt]9
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q|*_
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qL,b
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qD_<
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q<,m
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q,-y
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qLp;
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qX"
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q`vv
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q$
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q6H
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q(
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qPUo
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qXew
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q 7^
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qH&D
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q8Fs
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q0XM
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qPxH
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qx$A
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qx9
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qT>G
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q,P@
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q(gz
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qX;;
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qx|@
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qL"L
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qd1n
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q@l^
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q0LH
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q(=>
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qP,
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qh8}
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qpI
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q|AS
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q8}h
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q|!5
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qpU
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qL#8
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q4UA
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q\!X
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qpR
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qp)P
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qPU
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qTu<
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qtt]
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q`*j
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q43q
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q<Cy
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qx}I
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qH~C
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qX]N
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qDTx
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q<Dp
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q4VJ
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qxZp
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q0)
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q`L:
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q0&
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q05
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qPl{
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qps
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q0N=
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qPR
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qlBm
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qtRu
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qdTG
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q0+v
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qP|
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q0[
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qhyp
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qlA4
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qTPn
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q<B8
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q$tA
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qT0M
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q(:@
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q@(U
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q\am
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qdqu
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qr`
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qP'a
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qx6h
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qDS4
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qphf
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q/f
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q\`v
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager`
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qx84
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qPk:
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qdPc
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qH8k
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q )d
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerH
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q`JE
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q0)o
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q4tV
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qPIj
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q m=
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qT'
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q$2]
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qL!C
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q| I
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q85b
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qd{
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qHVQ
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qdKx
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q4M{
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qxTN
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q$G
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qdn?
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q$C
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qPgP
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qtnT
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qhUh
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q%P
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qpg4
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q0&K
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qL^d
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qHv}
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^qxVC
                Source: RegAsm.exe, 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q<>N
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q|~j
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerDk
                Source: RegAsm.exe, 00000001.00000002.4144742712.000000000367F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR^q$Os
                Source: C:\Users\user\Desktop\PO1234.001.exe Queries volume information: C:\Users\user\Desktop\PO1234.001.exe VolumeInformation
                Source: C:\Users\user\Desktop\PO1234.001.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\PO1234.001.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\PO1234.001.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO1234.001.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.PO1234.001.exe.43eaa40.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.PO1234.001.exe.43d2810.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.PO1234.001.exe.43d2810.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.PO1234.001.exe.43eaa40.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.PO1234.001.exe.438a1c0.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000001.00000002.4142068190.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1700949684.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: PO1234.001.exe PID: 6636, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 796, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

                Remote Access Functionality

                Source: Yara match | File source: 0.2.PO1234.001.exe.43eaa40.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.PO1234.001.exe.43d2810.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.PO1234.001.exe.43d2810.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.PO1234.001.exe.43eaa40.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.PO1234.001.exe.438a1c0.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000001.00000002.4142068190.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1700949684.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.4144742712.0000000003321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: PO1234.001.exe PID: 6636, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 796, type: MEMORYSTR
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 13 System Information Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 12 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 1 Security Software Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | 1 Screen Capture | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Software Packing | NTDS | 31 Virtualization/Sandbox Evasion | Distributed Component Object Model | 1 Email Collection | 23 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 1 Application Window Discovery | SSH | 1 Input Capture | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | 1 Clipboard Data | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 31 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 12 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
