Windows Analysis Report UNMNPURyLk.exe

Overview

General Information

Sample Name: UNMNPURyLk.exe
Analysis ID: 487736
MD5: 8df6d5b6ce4864ae629684b7566ebaa7
SHA1: 47a9b67b6b71f6b55858fafc2c5afc59f0900c63
SHA256: d83d1ebc7cffb2050517fe68343b2a4cb4e7ed7f45aa2c14a2dff25a8eeb9c8b

Detection

Phantom Miner
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected Phantom Miner
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sigma detected: Suspicious Script Execution From Temp Folder
Found strings related to Crypto-Mining
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Machine Learning detection for sample
.NET source code contains potential unpacker
Machine Learning detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a window with clipboard capturing capabilities
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Process Tree

  • System is w10x64
  • UNMNPURyLk.exe (PID: 4784 cmdline: 'C:\Users\user\Desktop\UNMNPURyLk.exe' MD5: 8DF6D5B6CE4864AE629684B7566EBAA7)
    • powershell.exe (PID: 4952 cmdline: 'powershell.exe' Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsUpdate';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsUpdate' -Value ''C:\Users\user\AppData\Local\Temp\Folder Name\Win32Update.exe'' -PropertyType 'String' MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Win32Update.exe (PID: 4936 cmdline: 'C:\Users\user\AppData\Local\Temp\Folder Name\Win32Update.exe' MD5: 8DF6D5B6CE4864AE629684B7566EBAA7)
  • Win32Update.exe (PID: 6716 cmdline: 'C:\Users\user\AppData\Local\Temp\Folder Name\Win32Update.exe' MD5: 8DF6D5B6CE4864AE629684B7566EBAA7)
  • cleanup

Malware Configuration

Threatname: PhantomMiner

{"Version": "v2.0", "MinerMarker": "FAGPSIVY6PE991JD", "ForceUAC": "true", "Hosts": ["localhost", "185.215.113.62"], "Ports": ["6606", "8808", "30881"], "Mutex": "PhantomMutex-Z3LKHP4A", "Critical": "true", "Anti VM": "true", "Anti Sandbox": "true", "Anti Emulation": "true", "Enable Grabber": "true", "Grab MXR": "49y9zNEnMmjgjMcbJCpSF3A317tnmHUx49QtkAawZJPXj6k6FUSEdSPNcP49Kxi2hHTo25XyzTj7VUKuq7R7NBjn5G6P92U", "Grab BTC": "1P9ztqcYG2Csq9Z4a1juDEntusbE3ZqdiM", "Grab ETH": "0xbabCAD94d0a9709E459600ea967E528643f885cD", "Grab LTC": "LfLGvHh5rHpJaQ6W6vFieGrR5yokdoHnYi", "Install": "true", "Registry": "WindowsUpdate", "File Name": "Win32Update.exe", "Folder Name": "Folder Name", "Drop Location": "C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\", "Certificate": "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", "Server Signature": "R1Nj/NJp/zAkpRcfFsv3vl1GvSlvvNNNc1HQ+CF+Aecb7W+p39BRe3obni3sqlb6XlSJjjD/SCKipwtX4SrpH4Hfr6+78/X1HwEhmxXBEnBoHKKrKOlpPG3aQEjjPW0FMziFT+x2xU0Y+g3597rDz3a7PJVJLOPxJ9Qv7Sm9skPirWkFcQOB5gGXlOY9xggooPPKEzecxiGKeQiev22KWnw3MWxVTdI7/oddde5XjkFRb4UEcoaNO7bUo8RbhkbQrFxx+XK3ey94koDwdYeGFtCrcfqOFKbTTnPOyRw315Q4JSUYQ+Ji53r4eqjSJUvPR+N1ZxlySnZCXeZ/9B1sAVTRPrOE+W04fOOZuMAia3CnBsCbn2Jk3pJEOFn1nk9HL6cnu1DxTSCETujmsn/lql5gwXUrqshYkY1AgONuDKtD80QiJuzbC9RACwVeqHhCX9yqLorp1JLeuJyl/e/+jHkG/hiDjJ5AziJDLq+6jDezx0aSr4cn7kJHjudNTisa3nhKECuhJ1eeIln0OXGz93n+J+qOgyBMfZSh1NZAXHWJiSHBmQFLM35dtg6Apfh74ho93IGIcWyOEJrvkgUsrZvxacNgaghJU9qiFYeqB5m+WvnB6z/wvobTyRQ+8QK60+zbjk9AbJpFr+7g5m4gIH/sbEbdfypihN/TMrK6Bcc="}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
UNMNPURyLk.exe | JoeSecurity_PhantomMiner | Yara detected Phantom Miner | Joe Security |
UNMNPURyLk.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\Folder Name\Win32Update.exe | JoeSecurity_PhantomMiner | Yara detected Phantom Miner | Joe Security |
C:\Users\user\AppData\Local\Temp\Folder Name\Win32Update.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000000.272045733.000002A5EE072000.00000002.00020000.sdmp | JoeSecurity_PhantomMiner | Yara detected Phantom Miner | Joe Security |
00000007.00000000.272045733.000002A5EE072000.00000002.00020000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000007.00000002.277706791.000002A5EE072000.00000002.00020000.sdmp | JoeSecurity_PhantomMiner | Yara detected Phantom Miner | Joe Security |
00000007.00000002.277706791.000002A5EE072000.00000002.00020000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000000.00000000.214690048.00000217C6732000.00000002.00020000.sdmp | JoeSecurity_PhantomMiner | Yara detected Phantom Miner | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
7.0.Win32Update.exe.2a5ee070000.0.unpack | JoeSecurity_PhantomMiner | Yara detected Phantom Miner | Joe Security |
7.0.Win32Update.exe.2a5ee070000.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.2.UNMNPURyLk.exe.217d85919f0.2.unpack | JoeSecurity_PhantomMiner | Yara detected Phantom Miner | Joe Security |
0.2.UNMNPURyLk.exe.217d85919f0.2.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.0.UNMNPURyLk.exe.217c6730000.0.unpack | JoeSecurity_PhantomMiner | Yara detected Phantom Miner | Joe Security |

                              Sigma Overview

                              System Summary:

                              Sigma detected: Suspicious Script Execution From Temp Folder
                              Source: Process started, Author: Florian Roth, Max Altgelt: Data: Command: 'powershell.exe' Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsUpdate';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsUpdate' -Value ''C:\Users\user\AppData\Local\Temp\Folder Name\Win32Update.exe'' -PropertyType 'String', CommandLine: 'powershell.exe' Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsUpdate';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsUpdate' -Value ''C:\Users\user\AppData\Local\Temp\Folder Name\Win32Update.exe'' -PropertyType 'String', CommandLine|base64offset|contains: E^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\UNMNPURyLk.exe' , ParentImage: C:\Users\user\Desktop\UNMNPURyLk.exe, ParentProcessId: 4784, ProcessCommandLine: 'powershell.exe' Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsUpdate';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsUpdate' -Value ''C:\Users\user\AppData\Local\Temp\Folder Name\Win32Update.exe'' -PropertyType 'String', ProcessId: 4952
                              Sigma detected: Non Interactive PowerShell
                              Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'powershell.exe' Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsUpdate';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsUpdate' -Value ''C:\Users\user\AppData\Local\Temp\Folder Name\Win32Update.exe'' -PropertyType 'String', CommandLine: 'powershell.exe' Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsUpdate';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsUpdate' -Value ''C:\Users\user\AppData\Local\Temp\Folder Name\Win32Update.exe'' -PropertyType 'String', CommandLine|base64offset|contains: E^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\UNMNPURyLk.exe' , ParentImage: C:\Users\user\Desktop\UNMNPURyLk.exe, ParentProcessId: 4784, ProcessCommandLine: 'powershell.exe' Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsUpdate';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsUpdate' -Value ''C:\Users\user\AppData\Local\Temp\Folder Name\Win32Update.exe'' -PropertyType 'String', ProcessId: 4952
                              Sigma detected: T1086 PowerShell Execution
                              Source: Pipe created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132767876097867162.4952.DefaultAppDomain.powershell

                              Jbx Signature Overview

                              AV Detection:

                              Found malware configuration
                              Source: 0.0.UNMNPURyLk.exe.217c6730000.0.unpack, Malware Configuration Extractor: PhantomMiner
                              Multi AV Scanner detection for submitted file
                              Source: UNMNPURyLk.exe, Virustotal: Detection: 68%
                              Source: UNMNPURyLk.exe, Metadefender: Detection: 37%
                              Source: UNMNPURyLk.exe, ReversingLabs: Detection: 64%
                              Antivirus / Scanner detection for submitted sample
                              Source: UNMNPURyLk.exe, Avira: detected
                              Antivirus detection for dropped file
                              Source: C:\Users\user\AppData\Local\Temp\Folder Name\Win32Update.exe, Avira: detection malicious, Label: HEUR/AGEN.1112890
                              Multi AV Scanner detection for dropped file
                              Source: C:\Users\user\AppData\Local\Temp\Folder Name\Win32Update.exe, Virustotal: Detection: 68%
                              Source: C:\Users\user\AppData\Local\Temp\Folder Name\Win32Update.exe, Metadefender: Detection: 37%
                              Source: C:\Users\user\AppData\Local\Temp\Folder Name\Win32Update.exe, ReversingLabs: Detection: 64%
                              Machine Learning detection for sample
                              Source: UNMNPURyLk.exe, Joe Sandbox ML: detected
                              Machine Learning detection for dropped file
                              Source: C:\Users\user\AppData\Local\Temp\Folder Name\Win32Update.exe, Joe Sandbox ML: detected

                              Bitcoin Miner:

                              Yara detected Phantom Miner
                              Source: Yara match, File source: UNMNPURyLk.exe, type: SAMPLE
                              Source: Yara match, File source: 7.0.Win32Update.exe.2a5ee070000.0.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 0.2.UNMNPURyLk.exe.217d85919f0.2.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 0.0.UNMNPURyLk.exe.217c6730000.0.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 0.2.UNMNPURyLk.exe.217d85919f0.2.raw.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 3.2.Win32Update.exe.1c0b9e50000.1.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 7.2.Win32Update.exe.2a5ee070000.1.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 3.0.Win32Update.exe.1c0b9e50000.0.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 0.2.UNMNPURyLk.exe.217c6730000.1.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 00000007.00000000.272045733.000002A5EE072000.00000002.00020000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000007.00000002.277706791.000002A5EE072000.00000002.00020000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000000.00000000.214690048.00000217C6732000.00000002.00020000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000000.00000002.489659994.00000217D8591000.00000004.00000001.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000000.00000002.482157096.00000217C6732000.00000002.00020000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000003.00000000.254879947.000001C0B9E52000.00000002.00020000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000003.00000002.260105956.000001C0B9E52000.00000002.00020000.sdmp, type: MEMORY
                              Source: Yara match, File source: Process Memory Space: UNMNPURyLk.exe PID: 4784, type: MEMORYSTR
                              Source: Yara match, File source: Process Memory Space: Win32Update.exe PID: 4936, type: MEMORYSTR
                              Source: Yara match, File source: Process Memory Space: Win32Update.exe PID: 6716, type: MEMORYSTR
                              Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\Folder Name\Win32Update.exe, type: DROPPED
                              Found strings related to Crypto-Mining
                              Source: UNMNPURyLk.exe, String found in binary or memory: --print-full --algo kawpow --url stratum+tcp://
                              Source: UNMNPURyLk.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                              Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: UNMNPURyLk.exe
                              Source: Binary string: costura.costura.dll.compressed|5.5.0.0|Costura, Version=5.5.0.0, Culture=neutral, PublicKeyToken=null|Costura.dll|529B022AC6C547B75D6CCC42F9597557301FFE15|4608 costura.costura.pdb.compressed|||Costura.pdb|B79D0E21DC4E0BBE01B6306A4DA820B9856959D7|2608 costura source: Win32Update.exe
                              Source: Binary string: costura.costura.pdb.compressed source: Win32Update.exe, UNMNPURyLk.exe
                              Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|B79D0E21DC4E0BBE01B6306A4DA820B9856959D7|2608 source: UNMNPURyLk.exe
                              Source: Joe Sandbox View, ASN Name: WHOLESALECONNECTIONSNL
                              Source: Joe Sandbox View, IP Address: 185.215.113.62
                              Source: global traffic, TCP traffic: 192.168.2.3:49710 -> 185.215.113.62:8808
                              Source: unknown, TCP traffic detected without corresponding DNS query: 185.215.113.62
                              Source: UNMNPURyLk.exe, 00000000.00000002.483622401.00000217C8581000.00000004.00000001.sdmp, Win32Update.exe, 00000003.00000002.260332616.000001C0BBB81000.00000004.00000001.sdmp, Win32Update.exe, 00000007.00000002.276831629.000002A580001000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exe, Window created: window name: CLIPBRDWNDCLASS
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                              Source: C:\Users\user\Desktop\UNMNPURyLk.exeWindow created: window name: CLIPBRDWNDCLASS