Loading ...

Play interactive tourEdit tour

Analysis Report M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe

Overview

General Information

Sample Name:M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe
MD5:929bb4bfd755dea991175e2383b4e26c
SHA1:3073e13b02046341a0648bde58f174624c80c930
SHA256:67a7404a31223af4f376b78228762c3de9b8f46226e61e939e24e0d6d16a67b4

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe (PID: 2968 cmdline: 'C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe' MD5: 929BB4BFD755DEA991175E2383B4E26C)
    • AppLaunch.exe (PID: 2328 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
      • netsh.exe (PID: 4740 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 3684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000003.668508767.00000000061F9000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000000.00000003.666435318.00000000061C3000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000000.00000002.670815228.0000000003170000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000000.00000002.672926053.00000000041C5000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000002.00000002.2293246239.0000000006840000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 11 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            2.2.AppLaunch.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

              Sigma Overview


              System Summary:

              barindex
              Sigma detected: Capture Wi-Fi passwordShow sources
              Source: Process startedAuthor: Joe Security: Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, ParentProcessId: 2328, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 4740

              Signature Overview

              Click to jump to signature section

              Show All Signature Results

              AV Detection:

              barindex
              Antivirus / Scanner detection for submitted sampleShow sources
              Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeAvira: detected
              Multi AV Scanner detection for submitted fileShow sources
              Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeVirustotal: Detection: 30%Perma Link
              Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeReversingLabs: Detection: 18%
              Machine Learning detection for sampleShow sources
              Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeJoe Sandbox ML: detected
              Source: 2.2.AppLaunch.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8

              Networking:

              barindex
              Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
              Source: TrafficSnort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.7:49707 -> 162.221.185.10:21
              Source: TrafficSnort IDS: 2029928 ET TROJAN AgentTesla HTML System Info Report Exfil via FTP 192.168.2.7:49708 -> 162.221.185.10:45855
              Source: global trafficTCP traffic: 192.168.2.7:49708 -> 162.221.185.10:45855
              Source: Joe Sandbox ViewASN Name: unknown unknown
              Source: unknownFTP traffic detected: 162.221.185.10:21 -> 192.168.2.7:49707 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 50 allowed.220-Local time is now 11:53. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 50 allowed.220-Local time is now 11:53. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 50 allowed.220-Local time is now 11:53. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 4 of 50 allowed.220-Local time is now 11:53. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
              Source: unknownDNS traffic detected: queries for: ftp.pan-door.gr
              Source: AppLaunch.exe, 00000002.00000002.2293585727.0000000006940000.00000004.00000001.sdmpString found in binary or memory: http://ftp.pan-door.gr
              Source: AppLaunch.exe, 00000002.00000002.2293585727.0000000006940000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: AppLaunch.exe, 00000002.00000002.2293585727.0000000006940000.00000004.00000001.sdmpString found in binary or memory: https://DlqveAlrVND7ULI4HM.org

              System Summary:

              barindex
              .NET source code contains very large array initializationsShow sources
              Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, mEu0025.csLarge array initialization: Gm6: array initializer size 25500
              Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, u0033Tt.csLarge array initialization: J?c: array initializer size 19780
              Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, Wu0024a.csLarge array initialization: a%9: array initializer size 14112
              Source: 0.2.M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe.cb0000.0.unpack, mEu0025.csLarge array initialization: Gm6: array initializer size 25500
              Source: 0.2.M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe.cb0000.0.unpack, u0033Tt.csLarge array initialization: J?c: array initializer size 19780
              Source: 0.2.M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe.cb0000.0.unpack, Wu0024a.csLarge array initialization: a%9: array initializer size 14112
              Source: 0.0.M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe.cb0000.0.unpack, mEu0025.csLarge array initialization: Gm6: array initializer size 25500
              Source: 0.0.M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe.cb0000.0.unpack, u0033Tt.csLarge array initialization: J?c: array initializer size 19780
              Source: 0.0.M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe.cb0000.0.unpack, Wu0024a.csLarge array initialization: a%9: array initializer size 14112
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeCode function: 0_2_017AB044 CreateProcessAsUserW,0_2_017AB044
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeCode function: 0_2_00CB848B0_2_00CB848B
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeCode function: 0_2_00CB2B100_2_00CB2B10
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeCode function: 0_2_017A34700_2_017A3470
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeCode function: 0_2_017A26730_2_017A2673
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeCode function: 0_2_017AC6580_2_017AC658
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeCode function: 0_2_017A83F80_2_017A83F8
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeCode function: 0_2_017A84080_2_017A8408
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeCode function: 0_2_017AC6490_2_017AC649
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_08FD88F02_2_08FD88F0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_08FDFCA02_2_08FDFCA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_08FD11A82_2_08FD11A8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_08FD32BC2_2_08FD32BC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_08FD44C02_2_08FD44C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_08FD15782_2_08FD1578
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_08FD97782_2_08FD9778
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_08FD88E12_2_08FD88E1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_08FD8CE42_2_08FD8CE4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_08FD8D582_2_08FD8D58
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_08FD90312_2_08FD9031
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_08FD51B02_2_08FD51B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_08FD11A72_2_08FD11A7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_08FD43D22_2_08FD43D2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_08FD15682_2_08FD1568
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_08FDD6702_2_08FDD670
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_08FD976B2_2_08FD976B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F24B002_2_09F24B00
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F2EDA02_2_09F2EDA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F2AD202_2_09F2AD20
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F26E002_2_09F26E00
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F2E7202_2_09F2E720
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F2A7102_2_09F2A710
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F279FF2_2_09F279FF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F27A002_2_09F27A00
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F26DF02_2_09F26DF0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F2ED972_2_09F2ED97
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F29C802_2_09F29C80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F29C712_2_09F29C71
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F281522_2_09F28152
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F251282_2_09F25128
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F251182_2_09F25118
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F200402_2_09F20040
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F230402_2_09F23040
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F2A3202_2_09F2A320
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F2A3112_2_09F2A311
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F257442_2_09F25744
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F2E71F2_2_09F2E71F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F2A7002_2_09F2A700
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F266C02_2_09F266C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F256B02_2_09F256B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F266B02_2_09F266B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F256A02_2_09F256A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A010EA82_2_0A010EA8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A013FD82_2_0A013FD8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A011FF02_2_0A011FF0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A0132982_2_0A013298
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A0123602_2_0A012360
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A010E992_2_0A010E99
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A011FE12_2_0A011FE1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A0123552_2_0A012355
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A0100072_2_0A010007
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A0100402_2_0A010040
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A01C6902_2_0A01C690
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_0A0126DB2_2_0A0126DB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: String function: 09F21B68 appears 33 times
              Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeBinary or memory string: OriginalFilename vs M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe
              Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, 00000000.00000002.671267770.0000000003284000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClassLibrary2.dll, vs M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe
              Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, 00000000.00000002.671267770.0000000003284000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameoWRSKhScdSrrqLJGxRQGU.exe4 vs M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe
              Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, 00000000.00000002.670705426.0000000003140000.00000004.00000001.sdmpBinary or memory string: OriginalFilenametgrdcgd.dll2 vs M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe
              Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, 00000000.00000002.670632939.0000000003120000.00000004.00000001.sdmpBinary or memory string: OriginalFilenametfghfdgtr.dllT vs M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe
              Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, 00000000.00000002.670815228.0000000003170000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameoWRSKhScdSrrqLJGxRQLJGxRQGU.exe( vs M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe
              Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, 00000000.00000002.670815228.0000000003170000.00000004.00000001.sdmpBinary or memory string: lHOriginalFilenameoWRSKhScdSrrqLJGxRQ vs M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe
              Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, 00000000.00000002.670815228.0000000003170000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamefvsfesdf.dll2 vs M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe
              Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, 00000000.00000002.669041165.0000000000CB2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamemaincrypt_open.exeD vs M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe
              Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeBinary or memory string: OriginalFilenameoWRSKhScdSrrqLJGxRQLJGxRQGU.exe( vs M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe
              Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeBinary or memory string: OriginalFilenamemaincrypt_open.exeD vs M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/1@2/1
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe.logJump to behavior
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3684:120:WilError_01
              Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeVirustotal: Detection: 30%
              Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeReversingLabs: Detection: 18%
              Source: unknownProcess created: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe 'C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe'
              Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
              Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profileJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
              Source: Binary string: C:\Users\Switch\source\repos\OchiiMei\OchiiMei\obj\Release\tgrdcgd.pdb source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, 00000000.00000002.670705426.0000000003140000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\Switch\source\repos\OchiiMei\OchiiMei\obj\Release\tgrdcgd.pdbg6 source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, 00000000.00000002.670705426.0000000003140000.00000004.00000001.sdmp

              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeCode function: 0_2_00CB830D push es; ret 0_2_00CB848A
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeCode function: 0_2_00CB2B10 push es; ret 0_2_00CB2F1A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_08FDC2F1 push es; ret 2_2_08FDC328
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_08FDC2D0 push es; ret 2_2_08FDC2E8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 2_2_09F28ABB pushad ; ret 2_2_09F28ABC

              Hooking and other Techniques for Hiding and Protection:

              barindex
              Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeFile opened: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe:Zone.Identifier read attributes | deleteJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion:

              barindex
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWindow / User API: threadDelayed 2968Jump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe TID: 388Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe TID: 4972Thread sleep count: 154 > 30Jump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe TID: 4972Thread sleep count: 39 > 30Jump to behavior
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe TID: 4068Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -3689348814741908s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 4472Thread sleep count: 208 > 30Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 4472Thread sleep count: 2968 > 30Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -179436s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -59500s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -59312s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -235624s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -58624s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -58374s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -116000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -57812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -115000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -57280s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -113812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -84936s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -56374s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -112376s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -224000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -55718s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -55280s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -110188s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -82359s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -109188s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -54406s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -54188s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -80859s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -80532s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -53530s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -79968s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -52780s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -78891s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -78609s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -78141s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -103812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -51718s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -231750s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -51280s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -127500s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -101560s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -126485s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -100624s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -50094s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -74109s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -49218s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -97812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -97436s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -72750s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -72327s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -48000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -47594s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -47280s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -70641s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -46906s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -46688s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -69609s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -69327s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -46000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -68250s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -45280s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -112030s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -66891s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -44406s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -44188s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -88000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -108515s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -64782s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -43000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -85436s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -63702s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -41312s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -41156s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -40874s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -81436s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -40374s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -80188s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -59718s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -39374s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -58827s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -58311s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -58032s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -38406s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -38124s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -37656s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -55782s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -55407s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -55170s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -127750s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -36218s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -53250s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -51609s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -51282s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -49782s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -32406s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -32094s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -31780s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -47343s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -31218s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -62000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -43782s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -43359s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -42609s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -70000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -40968s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -53436s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -39609s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -39327s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -39000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -38718s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -35532s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -34218s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -45188s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -44812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -32811s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -31218s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -57750s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -31812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -58844s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -87984s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -57532s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -57344s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -56656s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -56220s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -55156s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -54814s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -54438s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -52470s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -51938s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -51250s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -51032s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -76221s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -50626s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -50438s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -50156s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -74580s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -49532s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -49314s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -73548s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -48844s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -72234s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -47938s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -94440s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -46814s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -69891s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -92628s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -69141s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -68109s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -67830s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -44532s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -66471s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -88188s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -65439s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -43220s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -43032s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -64032s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -106250s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -63471s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -41814s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -62439s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -103515s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -61689s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -40938s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -61080s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -40532s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -118782s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -78752s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -39220s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -39000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -38720s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -38314s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -38126s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -56721s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -75252s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -37438s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -129500s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -73440s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -36532s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -54471s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -53721s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -35626s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -88515s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -87265s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -34720s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -103500s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -51330s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -34032s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -67188s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -33314s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -33126s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -65812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -48939s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -32438s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -48330s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -32000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -31500s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -46971s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -46221s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -45939s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -45609s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -60376s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -44859s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -59000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -43689s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -42330s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -41907s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -39891s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -62265s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -48440s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -60000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -35298s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -46628s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -34359s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -44376s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -32580s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -64500s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -31971s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -31689s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -40812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -48750s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -36812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -34064s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -33252s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -30812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -43500s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -33515s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -43750s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -89721s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -178782s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -59314s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -57314s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -56594s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -112812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -83298s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -55314s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -82500s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -54314s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -79500s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -52626s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -52438s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -104440s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -104000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -129220s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -76971s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -126015s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -99812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -48814s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -72189s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -95812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -47626s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -47406s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -70407s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -69189s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -45814s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -45626s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -45126s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -44938s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -67032s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -89000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -107735s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -85812s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -84376s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -63000s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -41500s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5032Thread sleep time: -40438s >= -30000s