Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PO#98540-00.exe

Overview

General Information

Sample name:PO#98540-00.exe
Analysis ID:1595909
MD5:1f18bd29f6a4fb2f71e17aea72f0ee7b
SHA1:93eac0c896f16f36ac6e8da8724836782f6a2117
SHA256:7ea98bae6d7f0176c1ae6cecc9bfbc8611304fe007899d8d989425c7b13f3339
Tags:exeFormbookuser-cocaman
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

Process Tree

  • System is w10x64
  • PO#98540-00.exe (PID: 7092 cmdline: "C:\Users\user\Desktop\PO#98540-00.exe" MD5: 1F18BD29F6A4FB2F71E17AEA72F0EE7B)
    • powershell.exe (PID: 2956 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#98540-00.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7464 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 1628 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 2180 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgSwAbBKbQrN" /XML "C:\Users\user\AppData\Local\Temp\tmp8537.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7312 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • vuSbvvxE2e.exe (PID: 5692 cmdline: "C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\IYoOJZcKn.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • taskkill.exe (PID: 7904 cmdline: "C:\Windows\SysWOW64\taskkill.exe" MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
          • vuSbvvxE2e.exe (PID: 4088 cmdline: "C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\Wh6ADJ6drrBw3.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 8124 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • ZgSwAbBKbQrN.exe (PID: 7348 cmdline: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exe MD5: 1F18BD29F6A4FB2F71E17AEA72F0EE7B)
    • schtasks.exe (PID: 7632 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgSwAbBKbQrN" /XML "C:\Users\user\AppData\Local\Temp\tmpA458.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7676 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000009.00000002.2519092908.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000013.00000002.4529838278.0000000004A90000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000009.00000002.2520025807.00000000011C0000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        00000011.00000002.4527638531.0000000002FF0000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          00000011.00000002.4526508310.0000000002960000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            Click to see the 5 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            9.2.RegSvcs.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
              9.2.RegSvcs.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#98540-00.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#98540-00.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO#98540-00.exe", ParentImage: C:\Users\user\Desktop\PO#98540-00.exe, ParentProcessId: 7092, ParentProcessName: PO#98540-00.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#98540-00.exe", ProcessId: 2956, ProcessName: powershell.exe
                Sigma detected: Powershell Defender Exclusion
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#98540-00.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#98540-00.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO#98540-00.exe", ParentImage: C:\Users\user\Desktop\PO#98540-00.exe, ParentProcessId: 7092, ParentProcessName: PO#98540-00.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#98540-00.exe", ProcessId: 2956, ProcessName: powershell.exe
                Sigma detected: Suspicious Add Scheduled Task Parent
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgSwAbBKbQrN" /XML "C:\Users\user\AppData\Local\Temp\tmpA458.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgSwAbBKbQrN" /XML "C:\Users\user\AppData\Local\Temp\tmpA458.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exe, ParentImage: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exe, ParentProcessId: 7348, ParentProcessName: ZgSwAbBKbQrN.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgSwAbBKbQrN" /XML "C:\Users\user\AppData\Local\Temp\tmpA458.tmp", ProcessId: 7632, ProcessName: schtasks.exe
                Sigma detected: Suspicious Schtasks From Env Var Folder
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgSwAbBKbQrN" /XML "C:\Users\user\AppData\Local\Temp\tmp8537.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgSwAbBKbQrN" /XML "C:\Users\user\AppData\Local\Temp\tmp8537.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PO#98540-00.exe", ParentImage: C:\Users\user\Desktop\PO#98540-00.exe, ParentProcessId: 7092, ParentProcessName: PO#98540-00.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgSwAbBKbQrN" /XML "C:\Users\user\AppData\Local\Temp\tmp8537.tmp", ProcessId: 2180, ProcessName: schtasks.exe
                Sigma detected: Non Interactive PowerShell Process Spawned
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#98540-00.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#98540-00.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO#98540-00.exe", ParentImage: C:\Users\user\Desktop\PO#98540-00.exe, ParentProcessId: 7092, ParentProcessName: PO#98540-00.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#98540-00.exe", ProcessId: 2956, ProcessName: powershell.exe

                Persistence and Installation Behavior

                barindex
                Sigma detected: Scheduled temp file as task from temp location
                Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgSwAbBKbQrN" /XML "C:\Users\user\AppData\Local\Temp\tmp8537.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgSwAbBKbQrN" /XML "C:\Users\user\AppData\Local\Temp\tmp8537.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PO#98540-00.exe", ParentImage: C:\Users\user\Desktop\PO#98540-00.exe, ParentProcessId: 7092, ParentProcessName: PO#98540-00.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgSwAbBKbQrN" /XML "C:\Users\user\AppData\Local\Temp\tmp8537.tmp", ProcessId: 2180, ProcessName: schtasks.exe

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-01-21T13:33:30.482780+010028596221Exploit Kit Activity Detected104.21.48.180192.168.2.557819TCP
                2025-01-21T13:33:33.074896+010028596221Exploit Kit Activity Detected104.21.48.180192.168.2.557820TCP
                2025-01-21T13:33:35.584880+010028596221Exploit Kit Activity Detected104.21.48.180192.168.2.557821TCP
                2025-01-21T13:33:38.131340+010028596221Exploit Kit Activity Detected104.21.48.180192.168.2.557822TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-01-21T13:33:01.151738+010028554651A Network Trojan was detected192.168.2.557814104.21.44.13680TCP
                2025-01-21T13:33:24.832163+010028554651A Network Trojan was detected192.168.2.557818199.115.118.780TCP
                2025-01-21T13:33:38.130950+010028554651A Network Trojan was detected192.168.2.557822104.21.48.180TCP
                2025-01-21T13:33:51.502311+010028554651A Network Trojan was detected192.168.2.557826185.173.109.8380TCP
                2025-01-21T13:34:04.642761+010028554651A Network Trojan was detected192.168.2.55783013.248.169.4880TCP
                2025-01-21T13:34:18.692145+010028554651A Network Trojan was detected192.168.2.55783463.250.47.5780TCP
                2025-01-21T13:34:31.828072+010028554651A Network Trojan was detected192.168.2.55783813.248.169.4880TCP
                2025-01-21T13:34:47.978711+010028554651A Network Trojan was detected192.168.2.55784213.248.169.4880TCP
                2025-01-21T13:35:01.424670+010028554651A Network Trojan was detected192.168.2.55784685.159.66.9380TCP
                2025-01-21T13:35:17.585664+010028554651A Network Trojan was detected192.168.2.55785013.248.169.4880TCP
                2025-01-21T13:35:30.844887+010028554651A Network Trojan was detected192.168.2.55785484.32.84.3280TCP
                2025-01-21T13:35:44.416162+010028554651A Network Trojan was detected192.168.2.55785847.83.1.9080TCP
                2025-01-21T13:35:58.606751+010028554651A Network Trojan was detected192.168.2.55786213.248.169.4880TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-01-21T13:33:16.861788+010028554641A Network Trojan was detected192.168.2.557815199.115.118.780TCP
                2025-01-21T13:33:19.414517+010028554641A Network Trojan was detected192.168.2.557816199.115.118.780TCP
                2025-01-21T13:33:22.151662+010028554641A Network Trojan was detected192.168.2.557817199.115.118.780TCP
                2025-01-21T13:33:30.482599+010028554641A Network Trojan was detected192.168.2.557819104.21.48.180TCP
                2025-01-21T13:33:33.074665+010028554641A Network Trojan was detected192.168.2.557820104.21.48.180TCP
                2025-01-21T13:33:35.584612+010028554641A Network Trojan was detected192.168.2.557821104.21.48.180TCP
                2025-01-21T13:33:43.851629+010028554641A Network Trojan was detected192.168.2.557823185.173.109.8380TCP
                2025-01-21T13:33:46.421228+010028554641A Network Trojan was detected192.168.2.557824185.173.109.8380TCP
                2025-01-21T13:33:48.994640+010028554641A Network Trojan was detected192.168.2.557825185.173.109.8380TCP
                2025-01-21T13:33:57.004601+010028554641A Network Trojan was detected192.168.2.55782713.248.169.4880TCP
                2025-01-21T13:33:59.548956+010028554641A Network Trojan was detected192.168.2.55782813.248.169.4880TCP
                2025-01-21T13:34:02.119833+010028554641A Network Trojan was detected192.168.2.55782913.248.169.4880TCP
                2025-01-21T13:34:11.033827+010028554641A Network Trojan was detected192.168.2.55783163.250.47.5780TCP
                2025-01-21T13:34:13.590486+010028554641A Network Trojan was detected192.168.2.55783263.250.47.5780TCP
                2025-01-21T13:34:16.163892+010028554641A Network Trojan was detected192.168.2.55783363.250.47.5780TCP
                2025-01-21T13:34:24.181183+010028554641A Network Trojan was detected192.168.2.55783513.248.169.4880TCP
                2025-01-21T13:34:26.819195+010028554641A Network Trojan was detected192.168.2.55783613.248.169.4880TCP
                2025-01-21T13:34:30.337063+010028554641A Network Trojan was detected192.168.2.55783713.248.169.4880TCP
                2025-01-21T13:34:38.386326+010028554641A Network Trojan was detected192.168.2.55783913.248.169.4880TCP
                2025-01-21T13:34:39.869187+010028554641A Network Trojan was detected192.168.2.55784013.248.169.4880TCP
                2025-01-21T13:34:42.422869+010028554641A Network Trojan was detected192.168.2.55784113.248.169.4880TCP
                2025-01-21T13:34:54.618082+010028554641A Network Trojan was detected192.168.2.55784385.159.66.9380TCP
                2025-01-21T13:34:57.165154+010028554641A Network Trojan was detected192.168.2.55784485.159.66.9380TCP
                2025-01-21T13:34:59.712285+010028554641A Network Trojan was detected192.168.2.55784585.159.66.9380TCP
                2025-01-21T13:35:07.977473+010028554641A Network Trojan was detected192.168.2.55784713.248.169.4880TCP
                2025-01-21T13:35:10.524297+010028554641A Network Trojan was detected192.168.2.55784813.248.169.4880TCP
                2025-01-21T13:35:13.073112+010028554641A Network Trojan was detected192.168.2.55784913.248.169.4880TCP
                2025-01-21T13:35:23.131547+010028554641A Network Trojan was detected192.168.2.55785184.32.84.3280TCP
                2025-01-21T13:35:25.707485+010028554641A Network Trojan was detected192.168.2.55785284.32.84.3280TCP
                2025-01-21T13:35:28.240649+010028554641A Network Trojan was detected192.168.2.55785384.32.84.3280TCP
                2025-01-21T13:35:36.718626+010028554641A Network Trojan was detected192.168.2.55785547.83.1.9080TCP
                2025-01-21T13:35:39.977548+010028554641A Network Trojan was detected192.168.2.55785647.83.1.9080TCP
                2025-01-21T13:35:42.539956+010028554641A Network Trojan was detected192.168.2.55785747.83.1.9080TCP
                2025-01-21T13:35:49.966109+010028554641A Network Trojan was detected192.168.2.55785913.248.169.4880TCP
                2025-01-21T13:35:53.557094+010028554641A Network Trojan was detected192.168.2.55786013.248.169.4880TCP
                2025-01-21T13:35:55.037191+010028554641A Network Trojan was detected192.168.2.55786113.248.169.4880TCP
                2025-01-21T13:36:05.273183+010028554641A Network Trojan was detected192.168.2.55786323.145.136.880TCP
                2025-01-21T13:36:07.800893+010028554641A Network Trojan was detected192.168.2.55786423.145.136.880TCP
                2025-01-21T13:36:10.756342+010028554641A Network Trojan was detected192.168.2.55786523.145.136.880TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-01-21T13:34:57.165154+010028563181A Network Trojan was detected192.168.2.55784485.159.66.9380TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Multi AV Scanner detection for dropped file
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeReversingLabs: Detection: 39%
                Multi AV Scanner detection for submitted file
                Source: PO#98540-00.exeVirustotal: Detection: 30%Perma Link
                Source: PO#98540-00.exeReversingLabs: Detection: 39%
                Yara detected FormBook
                Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000009.00000002.2519092908.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000013.00000002.4529838278.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.2520025807.00000000011C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.4527638531.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.4526508310.0000000002960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.4527575007.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.2525382668.0000000001FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000010.00000002.4527705273.0000000003620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                AI detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Machine Learning detection for dropped file
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeJoe Sandbox ML: detected
                Machine Learning detection for sample
                Source: PO#98540-00.exeJoe Sandbox ML: detected
                Source: PO#98540-00.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: PO#98540-00.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: RegSvcs.pdb, source: taskkill.exe, 00000011.00000002.4528386273.00000000054FC000.00000004.10000000.00040000.00000000.sdmp, taskkill.exe, 00000011.00000002.4526680764.0000000002DFD000.00000004.00000020.00020000.00000000.sdmp, vuSbvvxE2e.exe, 00000013.00000002.4528020185.000000000265C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2805908228.000000003BB4C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000009.00000002.2520253209.0000000001290000.00000040.00001000.00020000.00000000.sdmp, taskkill.exe, 00000011.00000002.4527943489.0000000004ED0000.00000040.00001000.00020000.00000000.sdmp, taskkill.exe, 00000011.00000003.2519291534.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, taskkill.exe, 00000011.00000003.2521690247.0000000004D1F000.00000004.00000020.00020000.00000000.sdmp, taskkill.exe, 00000011.00000002.4527943489.000000000506E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000009.00000002.2520253209.0000000001290000.00000040.00001000.00020000.00000000.sdmp, taskkill.exe, taskkill.exe, 00000011.00000002.4527943489.0000000004ED0000.00000040.00001000.00020000.00000000.sdmp, taskkill.exe, 00000011.00000003.2519291534.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, taskkill.exe, 00000011.00000003.2521690247.0000000004D1F000.00000004.00000020.00020000.00000000.sdmp, taskkill.exe, 00000011.00000002.4527943489.000000000506E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: taskkill.pdbGCTL source: RegSvcs.exe, 00000009.00000002.2519503958.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, vuSbvvxE2e.exe, 00000010.00000002.4526791389.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: XQSj.pdbSHA256 source: PO#98540-00.exe, ZgSwAbBKbQrN.exe.0.dr
                Source: Binary string: RegSvcs.pdb source: taskkill.exe, 00000011.00000002.4528386273.00000000054FC000.00000004.10000000.00040000.00000000.sdmp, taskkill.exe, 00000011.00000002.4526680764.0000000002DFD000.00000004.00000020.00020000.00000000.sdmp, vuSbvvxE2e.exe, 00000013.00000002.4528020185.000000000265C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2805908228.000000003BB4C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: taskkill.pdb source: RegSvcs.exe, 00000009.00000002.2519503958.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, vuSbvvxE2e.exe, 00000010.00000002.4526791389.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: XQSj.pdb source: PO#98540-00.exe, ZgSwAbBKbQrN.exe.0.dr
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: vuSbvvxE2e.exe, 00000010.00000002.4527100571.0000000000F4F000.00000002.00000001.01000000.0000000D.sdmp, vuSbvvxE2e.exe, 00000013.00000000.2588781136.0000000000F4F000.00000002.00000001.01000000.0000000D.sdmp
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_0297CB30 FindFirstFileW,FindNextFileW,FindClose,17_2_0297CB30
                Source: C:\Users\user\Desktop\PO#98540-00.exeFile opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULLJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULLJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULLJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\AcrobatJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbxJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\AdobeJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeCode function: 4x nop then jmp 0595AF15h10_2_0595AAA5
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 4x nop then xor eax, eax17_2_02969EC0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 4x nop then mov ebx, 00000004h17_2_04D104E8

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57826 -> 185.173.109.83:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57814 -> 104.21.44.136:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57818 -> 199.115.118.7:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57830 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57844 -> 85.159.66.93:80
                Source: Network trafficSuricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.5:57844 -> 85.159.66.93:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57816 -> 199.115.118.7:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57832 -> 63.250.47.57:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57842 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57817 -> 199.115.118.7:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57848 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57850 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57857 -> 47.83.1.90:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57823 -> 185.173.109.83:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57858 -> 47.83.1.90:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57819 -> 104.21.48.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57820 -> 104.21.48.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57824 -> 185.173.109.83:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57831 -> 63.250.47.57:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57859 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57815 -> 199.115.118.7:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57822 -> 104.21.48.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57837 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57843 -> 85.159.66.93:80
                Source: Network trafficSuricata IDS: 2859622 - Severity 1 - ETPRO EXPLOIT_KIT FoxTDS Initial Check : 104.21.48.1:80 -> 192.168.2.5:57822
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57845 -> 85.159.66.93:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57847 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57835 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57833 -> 63.250.47.57:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57821 -> 104.21.48.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57827 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57854 -> 84.32.84.32:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57829 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57846 -> 85.159.66.93:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57856 -> 47.83.1.90:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57863 -> 23.145.136.8:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57840 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57862 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2859622 - Severity 1 - ETPRO EXPLOIT_KIT FoxTDS Initial Check : 104.21.48.1:80 -> 192.168.2.5:57819
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57852 -> 84.32.84.32:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57839 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2859622 - Severity 1 - ETPRO EXPLOIT_KIT FoxTDS Initial Check : 104.21.48.1:80 -> 192.168.2.5:57821
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57838 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57841 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57864 -> 23.145.136.8:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57851 -> 84.32.84.32:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:57834 -> 63.250.47.57:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57825 -> 185.173.109.83:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57849 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57855 -> 47.83.1.90:80
                Source: Network trafficSuricata IDS: 2859622 - Severity 1 - ETPRO EXPLOIT_KIT FoxTDS Initial Check : 104.21.48.1:80 -> 192.168.2.5:57820
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57836 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57828 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57853 -> 84.32.84.32:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57861 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57865 -> 23.145.136.8:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:57860 -> 13.248.169.48:80
                Performs DNS queries to domains with low reputation
                Source: DNS query: www.carfie.xyz
                Source: DNS query: www.hotethereum.xyz
                Source: DNS query: www.iquery.xyz
                Source: DNS query: www.arwintarim.xyz
                Source: DNS query: www.irlandesi.xyz
                Source: DNS query: www.exhelp.xyz
                Source: global trafficTCP traffic: 192.168.2.5:57719 -> 162.159.36.2:53
                Source: Joe Sandbox ViewIP Address: 104.21.48.1 104.21.48.1
                Source: Joe Sandbox ViewIP Address: 104.21.48.1 104.21.48.1
                Source: Joe Sandbox ViewIP Address: 13.248.169.48 13.248.169.48
                Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
                Source: Joe Sandbox ViewASN Name: VODANETInternationalIP-BackboneofVodafoneDE VODANETInternationalIP-BackboneofVodafoneDE
                Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
                Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
                Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
                Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /o73p/?EzVH=SVYnICRUjh1A1iu3+5LbxX0p4Ih5QEPkuRT+7rIONIanAZMdSu/+DIqyy+WsNc/fFvN+vpqBAM1DkCf2uoecSx2TSCBs/Nn8DKUVfO3j4KQzOhvSuPUqsKT0+VdbUrcoUw==&C6FT=2PjX HTTP/1.1Host: www.rtphajar4d.artAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /cmiu/?EzVH=eeISNG8xyGUKV4JIvPAz0kpNiezoaI5oHS7dzY4Hx43hbRIjun9+6qyxsPRg8oaaBeSOLz55XwJCX0oeo+EEic+4uKFBMdbgqdPdViGTTYU1hoTn0DC4d10N1rHKpK+EmA==&C6FT=2PjX HTTP/1.1Host: www.stellaritemvault.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /3gui/?EzVH=r/5LL9YRKcDHeTQjyj8r8adXQt9yH7IM69lVOm+44J5RWExCxIPmLU7s1uqNWdwfU0cSQkh0Z6cibj0RkYcZNOnfd8tA/YviVqIwb2MDVuaUNIrvLm5lAb8P5eEx5jtdew==&C6FT=2PjX HTTP/1.1Host: www.kdrqcyusevx.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /cqka/?EzVH=sUY4odNKm/pY5HNJJD8hbx9VnoELuU4uCsoZhGD6RJqKHWNnv+SOB7HgJqC2EWkazuwikacb8W7MQSuuhzuIpEZOx3XgQzZgJby1x7IZeaabDxy6HrnXWsmsS6okIqp39Q==&C6FT=2PjX HTTP/1.1Host: www.mercadoacheaqui.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /5ang/?C6FT=2PjX&EzVH=r45ng2cSJdPePjZASpfgfWghccdOl3o4d9xy556HpSM3jpfs/glRbDVMlq6lPd57l4hwUkVvFMurv3UwCbapcPvdz/pSG0hbrZmm6Ey/HPwsrqJu2iGvsVepeIOoMXxMDg== HTTP/1.1Host: www.carfie.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /3dde/?EzVH=sAcVLWEMfEVPeGlEFn/dfFnIWPCs7sGm4+S2c8WQctEFti7RpsQPTf/9OG+fKk0Dtz8X1iGRaibj32S2c8GnPHQgBMlyrvJLUAXKOU9DS26a3IJZhoe5/rqiC+ay3Fh/vw==&C6FT=2PjX HTTP/1.1Host: www.lifesentials.lifeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /mu99/?C6FT=2PjX&EzVH=NZg/rVOUD+ECG4URLESiATrTPGvfple618skByNbxmgukOM6zau377BFmlimtTE3XetKT5KtEW1qAp49mawl1uZUSZfwjIOUIzddxxV6s/jsh7/9Tq4yAAjIVYasbHKUzg== HTTP/1.1Host: www.hotethereum.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /qkgt/?EzVH=N60pxaB3a68poFuRmi0gRz00/k1bMI4xYjDZ2JSshnxTs4NZhvVYRDwfV6hrZxSFyfkMElHP/jPUSAS/pjMk8TrMyT5EfCmb8cOe1R+7IrgjVfybyvN2KE2s7fXWPHJ4yQ==&C6FT=2PjX HTTP/1.1Host: www.iquery.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /iyfp/?C6FT=2PjX&EzVH=j20pzah8eSfS+3KU3U5YO6BZMo53WMY8QB7sbavQvS9kcnmiKn+P2fpLCcvlJJDeBQJlXF62beeTMCi3wD40T74Cth6pV65MqeInyeyrr8o6GjgS68i3DcOxdfXczcdLhg== HTTP/1.1Host: www.arwintarim.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /8dcs/?EzVH=3fLpa+jfpPo0BwR5CpuVbAmP66+3tg3HJzNxq0ukW3BnSwt7EYiTIjVRGnlFKJ5vCmKIzZwfflyVXFEyi62xuqg6WJLKgdGGmHGrYa8jcPiyp6KN2K9DhPSxmtyqOWD4gQ==&C6FT=2PjX HTTP/1.1Host: www.irlandesi.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /nojp/?EzVH=ysW+abDrVtt+NCDuGQMC3iHOJLMuqsQBW0ub1m7XPuZqt1xDwhM13QnFtK0l0JuAxYlvFdS6hynmQhyp/CmcXb4pUpEPygOkNNbd9KX/WmFTnUsfQuk29i7czr4RXI3M/w==&C6FT=2PjX HTTP/1.1Host: www.christmas-goods.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /2pbk/?EzVH=PicIiKybCFTE87GjMbeHd57EOcaPdSiyjepsSi09oMSm1klP3bC5qstJQjkx9E21az604LJibP0eWCbLSfytPSqVDOys4oduohHtcdDLe17Zq4wKvYJtkwBFfEfoOWEfww==&C6FT=2PjX HTTP/1.1Host: www.xrrkkv.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /p52w/?EzVH=HuPCDVRb5gPCgfs+KsGybbUQY06juApduLE2c1rWlSgTFZvIk1Y3/4rS/LEpIPKmnRPeXmFAt3PhWeZPsMveRxwVoHCkuksOvW5bBSTXh2rWocoJchyWRV8MyEL466HoQw==&C6FT=2PjX HTTP/1.1Host: www.exhelp.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
                Source: global trafficDNS traffic detected: DNS query: www.rtphajar4d.art
                Source: global trafficDNS traffic detected: DNS query: www.stellaritemvault.shop
                Source: global trafficDNS traffic detected: DNS query: www.kdrqcyusevx.info
                Source: global trafficDNS traffic detected: DNS query: www.mercadoacheaqui.shop
                Source: global trafficDNS traffic detected: DNS query: www.carfie.xyz
                Source: global trafficDNS traffic detected: DNS query: www.lifesentials.life
                Source: global trafficDNS traffic detected: DNS query: www.hotethereum.xyz
                Source: global trafficDNS traffic detected: DNS query: www.iquery.xyz
                Source: global trafficDNS traffic detected: DNS query: www.arwintarim.xyz
                Source: global trafficDNS traffic detected: DNS query: www.irlandesi.xyz
                Source: global trafficDNS traffic detected: DNS query: www.christmas-goods.store
                Source: global trafficDNS traffic detected: DNS query: www.xrrkkv.info
                Source: global trafficDNS traffic detected: DNS query: www.exhelp.xyz
                Source: global trafficDNS traffic detected: DNS query: www.sdwd.wang
                Source: unknownHTTP traffic detected: POST /cmiu/ HTTP/1.1Host: www.stellaritemvault.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brConnection: closeContent-Length: 205Content-Type: application/x-www-form-urlencodedCache-Control: max-age=0Origin: http://www.stellaritemvault.shopReferer: http://www.stellaritemvault.shop/cmiu/User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36Data Raw: 45 7a 56 48 3d 54 63 67 79 4f 78 38 53 7a 6e 74 38 55 62 56 31 72 66 41 69 39 58 42 48 6a 74 43 79 53 35 46 6f 43 7a 33 6f 2f 71 34 36 37 36 44 6e 59 77 6c 45 6a 58 74 77 71 70 50 51 7a 66 77 64 73 2f 79 35 4a 73 71 66 42 48 38 4f 46 78 35 41 46 6d 6b 31 33 72 59 6f 32 4f 76 55 6c 5a 74 6a 59 71 47 64 67 62 33 35 53 79 65 4a 63 61 49 34 36 4e 37 39 69 79 43 35 54 77 4e 4b 2b 4a 33 77 6e 72 44 38 38 38 43 6a 4e 64 67 46 41 73 79 51 6a 6c 51 41 5a 76 67 6c 57 38 35 76 44 58 64 6f 2f 77 72 4d 6b 4e 42 4b 41 78 73 4e 46 70 75 76 33 42 70 56 43 66 63 74 30 2f 41 4c 33 73 43 77 34 45 4e 69 41 69 79 45 6f 44 30 3d Data Ascii: EzVH=TcgyOx8Sznt8UbV1rfAi9XBHjtCyS5FoCz3o/q4676DnYwlEjXtwqpPQzfwds/y5JsqfBH8OFx5AFmk13rYo2OvUlZtjYqGdgb35SyeJcaI46N79iyC5TwNK+J3wnrD888CjNdgFAsyQjlQAZvglW85vDXdo/wrMkNBKAxsNFpuv3BpVCfct0/AL3sCw4ENiAiyEoD0=
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 12:33:01 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jLK%2F0bPVefwP7ofLYG903cpIvj2JtYYFhWk8UEc3S3GtYOrJJG57tPtK4k8eg4v27YtETj70862m4WdxE5UYu3pHrvyDgzR27WsqzSROCCUjGMKeJBFGMojN6PGPE32Eaf2%2B2xg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9057548cf9e982ff-IADalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=7342&min_rtt=7342&rtt_var=3671&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=483&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 21 Jan 2025 12:33:16 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Fri, 16 Sep 2022 05:35:38 GMTETag: W/"49d-5e8c4bb618b87"Content-Encoding: gzipData Raw: 32 34 62 0d 0a 1f 8b 08 00 00 00 00 00 02 03 ad 53 4d 73 da 30 10 bd e7 57 6c 9d b3 11 86 7c 21 8c 67 52 4c a6 9d 49 52 a6 38 93 f6 28 ec 05 6b 2a cb ae b5 c1 d0 4c ff 7b e5 0f 02 99 b6 e9 a5 f2 c1 d2 ee db f7 9e 34 bb fe bb f0 d3 34 fa 3a 9f 41 4a 99 82 f9 c3 fb db 8f 53 70 5c c6 1e 87 53 c6 c2 28 84 2f 1f a2 bb 5b f0 7a 7d 58 50 29 63 62 6c 76 ef 80 93 12 15 9c b1 aa aa 7a d5 b0 97 97 6b 16 7d 66 db 9a c5 ab cb ba ad 6b 9a 9a 5e 42 89 13 9c f8 8d c8 36 53 da 4c fe 40 e0 8d 46 a3 b6 ce a9 41 5c 09 bd 9e 38 a8 1d 78 d9 05 7e 8a 22 09 4e c0 2e 9f 24 29 0c 1e 71 69 24 21 2c 9e 4c 81 3a c1 c4 67 6d a2 05 65 48 02 6a 2d 17 bf 3f c9 cd c4 99 e6 9a 50 93 1b ed 0a 74 20 6e 4f 13 87 70 4b ac d6 1e 43 9c 8a d2 20 4d 1e a2 1b f7 ca 61 c7 44 5a 64 38 71 12 34 71 29 0b 92 b9 3e 62 88 52 69 a0 ea dc a4 c2 c0 12 51 83 d9 db ea bd 30 19 da 29 04 b2 fa 9d 6c 6c 8c d3 e6 ea b5 cc 93 1d 3c af 2c ad 6b e4 0f e4 de 59 b1 b5 a6 72 95 97 fc f4 b2 59 63 68 d2 2b 91 49 b5 e3 a2 94 c2 da ae a9 5c a1 e4 5a f3 d8 1a c2 72 fc f3 85 33 f5 8e 19 af 8e 19 47 a3 eb cb eb 9b 31 64 a2 5c 4b cd e1 b2 5f 6c a1 5f 7f c7 f5 03 78 6e f1 70 1a ce 2e a6 e7 e1 6b 0b d0 79 38 68 c0 a0 5f 8b 34 81 0a e5 3a 25 6e 6f a6 92 31 28 24 6b ce 35 85 88 a5 5e 73 70 bd 1a b8 97 f7 ce 1b f9 81 fd 1d e9 17 f0 5c c9 84 52 3e 6c 69 7f bf 6b 47 e0 2a 5c 11 17 4f 94 8f bb 40 d9 68 37 91 3d 86 f2 82 c3 b0 be e7 41 21 91 9b ff a2 71 60 14 5c 49 fd ed f0 6e c3 b3 f3 e1 c5 f5 2b c0 46 d6 cd 92 bc 89 11 31 c9 0d be 09 49 f3 0d 96 7f 41 f8 ac 69 37 3b 7c ac 1d 1d bf ee af ae 13 53 2f 58 3c 2c e6 b3 fb 70 16 da bc b7 0f 0f 82 7f 35 b3 45 0f 3a b4 7d b9 43 f3 ce 15 0a 83 cd 50 58 e3 40 a9 6d 74 8c 53 2d 63 a1 6c 79 51 e4 25 41 82 85 28 29 b3 8f da eb 3c 36 1c 3e 6b ad f9 cd 1c 06 27 bf 00 dc 27 15 ee 9d 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 24bSMs0Wl|!gRLIR8(k*L{44:AJSp\S(/[z}XP)cblvzk}fk^B6SL@FA\8x~"N.$)qi$!,L:gmeHj-?Pt nOpKC MaDZd8q4q)>bRiQ0)ll<,kYrYch+I\Zr3G1d\K_l_xnp.ky8h_4:%no1($k5^sp\R>likG*\O@h7=A!q`\In+F1IAi7;|S/X<,p5E:}CPX@mtS-clyQ%A()<6>k''0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 21 Jan 2025 12:33:18 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Fri, 16 Sep 2022 05:35:38 GMTETag: W/"49d-5e8c4bb618b87"Content-Encoding: gzipData Raw: 32 34 62 0d 0a 1f 8b 08 00 00 00 00 00 02 03 ad 53 4d 73 da 30 10 bd e7 57 6c 9d b3 11 86 7c 21 8c 67 52 4c a6 9d 49 52 a6 38 93 f6 28 ec 05 6b 2a cb ae b5 c1 d0 4c ff 7b e5 0f 02 99 b6 e9 a5 f2 c1 d2 ee db f7 9e 34 bb fe bb f0 d3 34 fa 3a 9f 41 4a 99 82 f9 c3 fb db 8f 53 70 5c c6 1e 87 53 c6 c2 28 84 2f 1f a2 bb 5b f0 7a 7d 58 50 29 63 62 6c 76 ef 80 93 12 15 9c b1 aa aa 7a d5 b0 97 97 6b 16 7d 66 db 9a c5 ab cb ba ad 6b 9a 9a 5e 42 89 13 9c f8 8d c8 36 53 da 4c fe 40 e0 8d 46 a3 b6 ce a9 41 5c 09 bd 9e 38 a8 1d 78 d9 05 7e 8a 22 09 4e c0 2e 9f 24 29 0c 1e 71 69 24 21 2c 9e 4c 81 3a c1 c4 67 6d a2 05 65 48 02 6a 2d 17 bf 3f c9 cd c4 99 e6 9a 50 93 1b ed 0a 74 20 6e 4f 13 87 70 4b ac d6 1e 43 9c 8a d2 20 4d 1e a2 1b f7 ca 61 c7 44 5a 64 38 71 12 34 71 29 0b 92 b9 3e 62 88 52 69 a0 ea dc a4 c2 c0 12 51 83 d9 db ea bd 30 19 da 29 04 b2 fa 9d 6c 6c 8c d3 e6 ea b5 cc 93 1d 3c af 2c ad 6b e4 0f e4 de 59 b1 b5 a6 72 95 97 fc f4 b2 59 63 68 d2 2b 91 49 b5 e3 a2 94 c2 da ae a9 5c a1 e4 5a f3 d8 1a c2 72 fc f3 85 33 f5 8e 19 af 8e 19 47 a3 eb cb eb 9b 31 64 a2 5c 4b cd e1 b2 5f 6c a1 5f 7f c7 f5 03 78 6e f1 70 1a ce 2e a6 e7 e1 6b 0b d0 79 38 68 c0 a0 5f 8b 34 81 0a e5 3a 25 6e 6f a6 92 31 28 24 6b ce 35 85 88 a5 5e 73 70 bd 1a b8 97 f7 ce 1b f9 81 fd 1d e9 17 f0 5c c9 84 52 3e 6c 69 7f bf 6b 47 e0 2a 5c 11 17 4f 94 8f bb 40 d9 68 37 91 3d 86 f2 82 c3 b0 be e7 41 21 91 9b ff a2 71 60 14 5c 49 fd ed f0 6e c3 b3 f3 e1 c5 f5 2b c0 46 d6 cd 92 bc 89 11 31 c9 0d be 09 49 f3 0d 96 7f 41 f8 ac 69 37 3b 7c ac 1d 1d bf ee af ae 13 53 2f 58 3c 2c e6 b3 fb 70 16 da bc b7 0f 0f 82 7f 35 b3 45 0f 3a b4 7d b9 43 f3 ce 15 0a 83 cd 50 58 e3 40 a9 6d 74 8c 53 2d 63 a1 6c 79 51 e4 25 41 82 85 28 29 b3 8f da eb 3c 36 1c 3e 6b ad f9 cd 1c 06 27 bf 00 dc 27 15 ee 9d 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 24bSMs0Wl|!gRLIR8(k*L{44:AJSp\S(/[z}XP)cblvzk}fk^B6SL@FA\8x~"N.$)qi$!,L:gmeHj-?Pt nOpKC MaDZd8q4q)>bRiQ0)ll<,kYrYch+I\Zr3G1d\K_l_xnp.ky8h_4:%no1($k5^sp\R>likG*\O@h7=A!q`\In+F1IAi7;|S/X<,p5E:}CPX@mtS-clyQ%A()<6>k''0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 21 Jan 2025 12:33:21 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Fri, 16 Sep 2022 05:35:38 GMTETag: W/"49d-5e8c4bb618b87"Content-Encoding: gzipData Raw: 32 34 62 0d 0a 1f 8b 08 00 00 00 00 00 02 03 ad 53 4d 73 da 30 10 bd e7 57 6c 9d b3 11 86 7c 21 8c 67 52 4c a6 9d 49 52 a6 38 93 f6 28 ec 05 6b 2a cb ae b5 c1 d0 4c ff 7b e5 0f 02 99 b6 e9 a5 f2 c1 d2 ee db f7 9e 34 bb fe bb f0 d3 34 fa 3a 9f 41 4a 99 82 f9 c3 fb db 8f 53 70 5c c6 1e 87 53 c6 c2 28 84 2f 1f a2 bb 5b f0 7a 7d 58 50 29 63 62 6c 76 ef 80 93 12 15 9c b1 aa aa 7a d5 b0 97 97 6b 16 7d 66 db 9a c5 ab cb ba ad 6b 9a 9a 5e 42 89 13 9c f8 8d c8 36 53 da 4c fe 40 e0 8d 46 a3 b6 ce a9 41 5c 09 bd 9e 38 a8 1d 78 d9 05 7e 8a 22 09 4e c0 2e 9f 24 29 0c 1e 71 69 24 21 2c 9e 4c 81 3a c1 c4 67 6d a2 05 65 48 02 6a 2d 17 bf 3f c9 cd c4 99 e6 9a 50 93 1b ed 0a 74 20 6e 4f 13 87 70 4b ac d6 1e 43 9c 8a d2 20 4d 1e a2 1b f7 ca 61 c7 44 5a 64 38 71 12 34 71 29 0b 92 b9 3e 62 88 52 69 a0 ea dc a4 c2 c0 12 51 83 d9 db ea bd 30 19 da 29 04 b2 fa 9d 6c 6c 8c d3 e6 ea b5 cc 93 1d 3c af 2c ad 6b e4 0f e4 de 59 b1 b5 a6 72 95 97 fc f4 b2 59 63 68 d2 2b 91 49 b5 e3 a2 94 c2 da ae a9 5c a1 e4 5a f3 d8 1a c2 72 fc f3 85 33 f5 8e 19 af 8e 19 47 a3 eb cb eb 9b 31 64 a2 5c 4b cd e1 b2 5f 6c a1 5f 7f c7 f5 03 78 6e f1 70 1a ce 2e a6 e7 e1 6b 0b d0 79 38 68 c0 a0 5f 8b 34 81 0a e5 3a 25 6e 6f a6 92 31 28 24 6b ce 35 85 88 a5 5e 73 70 bd 1a b8 97 f7 ce 1b f9 81 fd 1d e9 17 f0 5c c9 84 52 3e 6c 69 7f bf 6b 47 e0 2a 5c 11 17 4f 94 8f bb 40 d9 68 37 91 3d 86 f2 82 c3 b0 be e7 41 21 91 9b ff a2 71 60 14 5c 49 fd ed f0 6e c3 b3 f3 e1 c5 f5 2b c0 46 d6 cd 92 bc 89 11 31 c9 0d be 09 49 f3 0d 96 7f 41 f8 ac 69 37 3b 7c ac 1d 1d bf ee af ae 13 53 2f 58 3c 2c e6 b3 fb 70 16 da bc b7 0f 0f 82 7f 35 b3 45 0f 3a b4 7d b9 43 f3 ce 15 0a 83 cd 50 58 e3 40 a9 6d 74 8c 53 2d 63 a1 6c 79 51 e4 25 41 82 85 28 29 b3 8f da eb 3c 36 1c 3e 6b ad f9 cd 1c 06 27 bf 00 dc 27 15 ee 9d 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 24bSMs0Wl|!gRLIR8(k*L{44:AJSp\S(/[z}XP)cblvzk}fk^B6SL@FA\8x~"N.$)qi$!,L:gmeHj-?Pt nOpKC MaDZd8q4q)>bRiQ0)ll<,kYrYch+I\Zr3G1d\K_l_xnp.ky8h_4:%no1($k5^sp\R>likG*\O@h7=A!q`\In+F1IAi7;|S/X<,p5E:}CPX@mtS-clyQ%A()<6>k''0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 21 Jan 2025 12:33:24 GMTContent-Type: text/html; charset=UTF-8Content-Length: 1181Connection: closeVary: Accept-EncodingLast-Modified: Fri, 16 Sep 2022 05:35:38 GMTETag: "49d-5e8c4bb618b87"Accept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 57 65 62 73 69 74 65 20 53 75 73 70 65 6e 64 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 77 65 62 73 69 74 65 20 68 61 73 20 62 65 65 6e 20 73 75 73 70 65 6e 64 65 64 2e 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 38 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 39 39 41 37 41 46 3b 20 6d 61 72 67 69 6e 3a 20 37 30 70 78 20 30 20 30 20 30 3b 7d 0a 20 20 20 20 20 20 20 20 68 32 20 7b 63 6f 6c 6f 72 3a 20 23 44 45 36 43 35 44 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 31 70 78 3b 20 6d 61 72 67 69 6e 3a 20 31 35 70 78 20 30 20 32 35 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 70 20 7b 77 69 64 74 68 3a 33 32 30 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 20 7d 0a 20 20 20 20 20 20 20 20 64 69 76 20 7b 77 69 64 74 68 3a 33 32 30 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 76 69 73 69 74 65 64 20 7b 63
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Wed, 18 Jan 2023 19:41:46 GMTetag: "999-63c84b7a-3d7f793868cb3f69;br"accept-ranges: bytescontent-encoding: brvary: Accept-Encodingcontent-length: 912date: Tue, 21 Jan 2025 12:33:41 GMTserver: LiteSpeedplatform: hostingerpanel: hpanelData Raw: 02 33 01 80 1c cb 59 ff 7c 5e d3 7a f6 90 9a d1 13 d5 89 13 81 1c c3 8a f9 f1 73 6a 9b 08 2b df dd 4f 0a 44 aa 73 c4 1f 32 66 47 20 dc 5c e5 88 9c 27 a1 a6 43 5c 9d 2b a5 4a c8 4b 27 5e 48 40 fa 18 94 1a 0a 69 bc ea a6 86 9f 52 17 4a 69 8d ea 0e fc 3d b3 03 04 6f b5 a7 ae ae 84 71 8e 48 4e c5 44 c6 95 21 29 7c 8c 84 24 0e 50 4a 62 99 b8 21 12 32 8b 99 4c cf 45 53 1b 2a 49 7c 35 45 4e c4 54 82 cd 4f cf d9 bc 15 4d 2a 0d f5 c0 25 19 9d d1 68 52 e7 73 e5 40 83 71 72 32 95 2e c9 78 53 be d0 03 d2 36 19 08 4c 4b 7c 43 ea f0 66 29 5e 86 ba 00 e1 b8 a5 ca c6 e8 5b 24 67 f2 16 94 0d ed 26 3d b8 a0 44 ba df 54 7e 7b fd ea 63 ba aa dd 63 60 ce 9b 02 54 94 a8 f3 0d f8 a7 96 6d aa 30 b6 2f a1 cb 43 a5 d2 f7 78 88 dc 0b 98 86 ee 36 b6 ff f6 5b 3f 4d fe 6b 17 d7 16 ab df ec 8b 85 f9 86 40 cf f8 e5 a2 17 87 a8 d8 c9 1b 49 58 b3 99 5c e8 24 dd 19 eb c7 1f 44 b8 69 d6 42 b8 3e e3 41 34 ea d4 0e ba 26 29 4d da bd e5 6e 83 b7 c8 1c 41 ba 17 3d 64 32 e6 d0 48 8a 48 c5 91 9c 0a ad 45 b6 a7 30 d8 b0 57 4d 47 c5 85 75 2b c3 90 37 e6 40 5f 21 59 07 96 73 0e 13 a3 eb a9 9d 18 0d 9a 8f c5 e7 8f 15 2a ce eb 86 66 2c 74 40 5c 0e c0 a3 87 99 a7 20 21 c3 00 88 18 78 b3 6a aa 8c 31 65 c8 5b db 12 03 08 09 02 ba 49 23 12 d4 47 ea 01 5f 58 0d b0 2f 47 80 7e 97 5b cc 53 18 9d 76 9b bc 00 3f 47 90 29 70 cc 07 24 4b 3e 32 2a d2 75 a9 d6 a6 02 08 d5 03 9f e0 04 7d 0b 9f d8 98 fe 22 22 17 ee 1c 61 21 ac ca 4b 70 14 3c 18 43 ef 06 2f e2 c4 08 97 df 21 ef b0 fd 00 80 e5 7e d8 4b ce c5 5c ac 0d 4f ba 1f 2d 1a 6d 22 d3 e8 ee 97 59 e3 49 78 cd 32 b6 1a 05 e1 79 18 c6 bb a9 b7 6d 6a ee 7c 44 43 3b 3f d9 99 4f 26 9a 79 e1 e0 e2 8d b5 b2 57 d6 da 5e 5b 1b 6b 63 28 8d f0 b1 65 86 0f b5 22 41 83 da c3 e8 3d 9a 11 b3 2c 67 8e 21 6b c2 6b fd 73 f4 34 65 52 5f 49 f6 42 5d 46 bf 95 db eb 9f ee b7 7a 91 bb b9 d1 b1 40 d8 cc b1 0a 8e c5 ca e2 bf ba 52 97 c1 70 e8 74 5d ef 54 0a 6f 99 c0 3f aa d5 f4 c4 a4 e7 f0 08 7d 3a 0e f7 a8 c8 85 ed b7 21 8b e2 b0 46 d1 7f 1e c9 9e 2c 64 19 51 0a 85 c7 ff 3b 6a ba 47 41 2e 56 f9 be 11 8e 2f 38 ce b2 64 81 91 d0 db b7 58 62 e3 74 46 19 ff c8 b2 51 c5 01 e0 f9 12 e3 1c 8d 2a 4f fa a4 77 49 23 36 ca 91 7a ba fa db 39 8e 47 39 03 9f bb e3 f3 7d 3e 5b 2d d7 cb ed 66 cb 17 ab 4f a9 43 22 02 29 1b f0 0e ec 60 24 30 62 57 69 f6 20 ab d3 e1 34 e1 60 74 4d 4e 65 1f 90 e8 b3 51 11 53 d3 67 1e c2 6f e7 1f 8b 53 11 87 a5 1e 89 da a4 72 46 d9 4a 6a fc 0f 2c 99 34 f9 a9 94 1a 9d 80 96 d4 6e c9 64 35 63 75 d2 99 a1 03 22 36 97 e7 48 d4 10 27 1e a8 03 ec 34 41 83 78 b0 07 1d d1 36 5d 30 36 90 e1 54 ba e3 d5 2e 1d aa d1 69 34 fa d7 20 78 4e 26 dd 2d 6e d0 31 57 79 1c 39 62 ae 2c bf 02 19 9e d6 9e 41 79 4a 1e d0 00 c6 f1 58 5b e6 c3 e8 a5 c2
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Wed, 18 Jan 2023 19:41:46 GMTetag: "999-63c84b7a-3d7f793868cb3f69;br"accept-ranges: bytescontent-encoding: brvary: Accept-Encodingcontent-length: 912date: Tue, 21 Jan 2025 12:33:44 GMTserver: LiteSpeedplatform: hostingerpanel: hpanelData Raw: 02 33 01 80 1c cb 59 ff 7c 5e d3 7a f6 90 9a d1 13 d5 89 13 81 1c c3 8a f9 f1 73 6a 9b 08 2b df dd 4f 0a 44 aa 73 c4 1f 32 66 47 20 dc 5c e5 88 9c 27 a1 a6 43 5c 9d 2b a5 4a c8 4b 27 5e 48 40 fa 18 94 1a 0a 69 bc ea a6 86 9f 52 17 4a 69 8d ea 0e fc 3d b3 03 04 6f b5 a7 ae ae 84 71 8e 48 4e c5 44 c6 95 21 29 7c 8c 84 24 0e 50 4a 62 99 b8 21 12 32 8b 99 4c cf 45 53 1b 2a 49 7c 35 45 4e c4 54 82 cd 4f cf d9 bc 15 4d 2a 0d f5 c0 25 19 9d d1 68 52 e7 73 e5 40 83 71 72 32 95 2e c9 78 53 be d0 03 d2 36 19 08 4c 4b 7c 43 ea f0 66 29 5e 86 ba 00 e1 b8 a5 ca c6 e8 5b 24 67 f2 16 94 0d ed 26 3d b8 a0 44 ba df 54 7e 7b fd ea 63 ba aa dd 63 60 ce 9b 02 54 94 a8 f3 0d f8 a7 96 6d aa 30 b6 2f a1 cb 43 a5 d2 f7 78 88 dc 0b 98 86 ee 36 b6 ff f6 5b 3f 4d fe 6b 17 d7 16 ab df ec 8b 85 f9 86 40 cf f8 e5 a2 17 87 a8 d8 c9 1b 49 58 b3 99 5c e8 24 dd 19 eb c7 1f 44 b8 69 d6 42 b8 3e e3 41 34 ea d4 0e ba 26 29 4d da bd e5 6e 83 b7 c8 1c 41 ba 17 3d 64 32 e6 d0 48 8a 48 c5 91 9c 0a ad 45 b6 a7 30 d8 b0 57 4d 47 c5 85 75 2b c3 90 37 e6 40 5f 21 59 07 96 73 0e 13 a3 eb a9 9d 18 0d 9a 8f c5 e7 8f 15 2a ce eb 86 66 2c 74 40 5c 0e c0 a3 87 99 a7 20 21 c3 00 88 18 78 b3 6a aa 8c 31 65 c8 5b db 12 03 08 09 02 ba 49 23 12 d4 47 ea 01 5f 58 0d b0 2f 47 80 7e 97 5b cc 53 18 9d 76 9b bc 00 3f 47 90 29 70 cc 07 24 4b 3e 32 2a d2 75 a9 d6 a6 02 08 d5 03 9f e0 04 7d 0b 9f d8 98 fe 22 22 17 ee 1c 61 21 ac ca 4b 70 14 3c 18 43 ef 06 2f e2 c4 08 97 df 21 ef b0 fd 00 80 e5 7e d8 4b ce c5 5c ac 0d 4f ba 1f 2d 1a 6d 22 d3 e8 ee 97 59 e3 49 78 cd 32 b6 1a 05 e1 79 18 c6 bb a9 b7 6d 6a ee 7c 44 43 3b 3f d9 99 4f 26 9a 79 e1 e0 e2 8d b5 b2 57 d6 da 5e 5b 1b 6b 63 28 8d f0 b1 65 86 0f b5 22 41 83 da c3 e8 3d 9a 11 b3 2c 67 8e 21 6b c2 6b fd 73 f4 34 65 52 5f 49 f6 42 5d 46 bf 95 db eb 9f ee b7 7a 91 bb b9 d1 b1 40 d8 cc b1 0a 8e c5 ca e2 bf ba 52 97 c1 70 e8 74 5d ef 54 0a 6f 99 c0 3f aa d5 f4 c4 a4 e7 f0 08 7d 3a 0e f7 a8 c8 85 ed b7 21 8b e2 b0 46 d1 7f 1e c9 9e 2c 64 19 51 0a 85 c7 ff 3b 6a ba 47 41 2e 56 f9 be 11 8e 2f 38 ce b2 64 81 91 d0 db b7 58 62 e3 74 46 19 ff c8 b2 51 c5 01 e0 f9 12 e3 1c 8d 2a 4f fa a4 77 49 23 36 ca 91 7a ba fa db 39 8e 47 39 03 9f bb e3 f3 7d 3e 5b 2d d7 cb ed 66 cb 17 ab 4f a9 43 22 02 29 1b f0 0e ec 60 24 30 62 57 69 f6 20 ab d3 e1 34 e1 60 74 4d 4e 65 1f 90 e8 b3 51 11 53 d3 67 1e c2 6f e7 1f 8b 53 11 87 a5 1e 89 da a4 72 46 d9 4a 6a fc 0f 2c 99 34 f9 a9 94 1a 9d 80 96 d4 6e c9 64 35 63 75 d2 99 a1 03 22 36 97 e7 48 d4 10 27 1e a8 03 ec 34 41 83 78 b0 07 1d d1 36 5d 30 36 90 e1 54 ba e3 d5 2e 1d aa d1 69 34 fa d7 20 78 4e 26 dd 2d 6e d0 31 57 79 1c 39 62 ae 2c bf 02 19 9e d6 9e 41 79 4a 1e d0 00 c6 f1 58 5b e6 c3 e8 a5 c2
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Wed, 18 Jan 2023 19:41:46 GMTetag: "999-63c84b7a-3d7f793868cb3f69;br"accept-ranges: bytescontent-encoding: brvary: Accept-Encodingcontent-length: 912date: Tue, 21 Jan 2025 12:33:46 GMTserver: LiteSpeedplatform: hostingerpanel: hpanelData Raw: 02 33 01 80 1c cb 59 ff 7c 5e d3 7a f6 90 9a d1 13 d5 89 13 81 1c c3 8a f9 f1 73 6a 9b 08 2b df dd 4f 0a 44 aa 73 c4 1f 32 66 47 20 dc 5c e5 88 9c 27 a1 a6 43 5c 9d 2b a5 4a c8 4b 27 5e 48 40 fa 18 94 1a 0a 69 bc ea a6 86 9f 52 17 4a 69 8d ea 0e fc 3d b3 03 04 6f b5 a7 ae ae 84 71 8e 48 4e c5 44 c6 95 21 29 7c 8c 84 24 0e 50 4a 62 99 b8 21 12 32 8b 99 4c cf 45 53 1b 2a 49 7c 35 45 4e c4 54 82 cd 4f cf d9 bc 15 4d 2a 0d f5 c0 25 19 9d d1 68 52 e7 73 e5 40 83 71 72 32 95 2e c9 78 53 be d0 03 d2 36 19 08 4c 4b 7c 43 ea f0 66 29 5e 86 ba 00 e1 b8 a5 ca c6 e8 5b 24 67 f2 16 94 0d ed 26 3d b8 a0 44 ba df 54 7e 7b fd ea 63 ba aa dd 63 60 ce 9b 02 54 94 a8 f3 0d f8 a7 96 6d aa 30 b6 2f a1 cb 43 a5 d2 f7 78 88 dc 0b 98 86 ee 36 b6 ff f6 5b 3f 4d fe 6b 17 d7 16 ab df ec 8b 85 f9 86 40 cf f8 e5 a2 17 87 a8 d8 c9 1b 49 58 b3 99 5c e8 24 dd 19 eb c7 1f 44 b8 69 d6 42 b8 3e e3 41 34 ea d4 0e ba 26 29 4d da bd e5 6e 83 b7 c8 1c 41 ba 17 3d 64 32 e6 d0 48 8a 48 c5 91 9c 0a ad 45 b6 a7 30 d8 b0 57 4d 47 c5 85 75 2b c3 90 37 e6 40 5f 21 59 07 96 73 0e 13 a3 eb a9 9d 18 0d 9a 8f c5 e7 8f 15 2a ce eb 86 66 2c 74 40 5c 0e c0 a3 87 99 a7 20 21 c3 00 88 18 78 b3 6a aa 8c 31 65 c8 5b db 12 03 08 09 02 ba 49 23 12 d4 47 ea 01 5f 58 0d b0 2f 47 80 7e 97 5b cc 53 18 9d 76 9b bc 00 3f 47 90 29 70 cc 07 24 4b 3e 32 2a d2 75 a9 d6 a6 02 08 d5 03 9f e0 04 7d 0b 9f d8 98 fe 22 22 17 ee 1c 61 21 ac ca 4b 70 14 3c 18 43 ef 06 2f e2 c4 08 97 df 21 ef b0 fd 00 80 e5 7e d8 4b ce c5 5c ac 0d 4f ba 1f 2d 1a 6d 22 d3 e8 ee 97 59 e3 49 78 cd 32 b6 1a 05 e1 79 18 c6 bb a9 b7 6d 6a ee 7c 44 43 3b 3f d9 99 4f 26 9a 79 e1 e0 e2 8d b5 b2 57 d6 da 5e 5b 1b 6b 63 28 8d f0 b1 65 86 0f b5 22 41 83 da c3 e8 3d 9a 11 b3 2c 67 8e 21 6b c2 6b fd 73 f4 34 65 52 5f 49 f6 42 5d 46 bf 95 db eb 9f ee b7 7a 91 bb b9 d1 b1 40 d8 cc b1 0a 8e c5 ca e2 bf ba 52 97 c1 70 e8 74 5d ef 54 0a 6f 99 c0 3f aa d5 f4 c4 a4 e7 f0 08 7d 3a 0e f7 a8 c8 85 ed b7 21 8b e2 b0 46 d1 7f 1e c9 9e 2c 64 19 51 0a 85 c7 ff 3b 6a ba 47 41 2e 56 f9 be 11 8e 2f 38 ce b2 64 81 91 d0 db b7 58 62 e3 74 46 19 ff c8 b2 51 c5 01 e0 f9 12 e3 1c 8d 2a 4f fa a4 77 49 23 36 ca 91 7a ba fa db 39 8e 47 39 03 9f bb e3 f3 7d 3e 5b 2d d7 cb ed 66 cb 17 ab 4f a9 43 22 02 29 1b f0 0e ec 60 24 30 62 57 69 f6 20 ab d3 e1 34 e1 60 74 4d 4e 65 1f 90 e8 b3 51 11 53 d3 67 1e c2 6f e7 1f 8b 53 11 87 a5 1e 89 da a4 72 46 d9 4a 6a fc 0f 2c 99 34 f9 a9 94 1a 9d 80 96 d4 6e c9 64 35 63 75 d2 99 a1 03 22 36 97 e7 48 d4 10 27 1e a8 03 ec 34 41 83 78 b0 07 1d d1 36 5d 30 36 90 e1 54 ba e3 d5 2e 1d aa d1 69 34 fa d7 20 78 4e 26 dd 2d 6e d0 31 57 79 1c 39 62 ae 2c bf 02 19 9e d6 9e 41 79 4a 1e d0 00 c6 f1 58 5b e6 c3 e8 a5 c2
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Wed, 18 Jan 2023 19:41:46 GMTetag: "999-63c84b7a-3d7f793868cb3f69;;;"accept-ranges: bytescontent-length: 2457date: Tue, 21 Jan 2025 12:33:49 GMTserver: LiteSpeedplatform: hostingerpanel: hpanelData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 70 72 65 66 69 78 3d 22 63 6f 6e 74 65 6e 74 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 72 73 73 2f 31 2e 30 2f 6d 6f 64 75 6c 65 73 2f 63 6f 6e 74 65 6e 74 2f 20 64 63 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 64 63 2f 74 65 72 6d 73 2f 20 66 6f 61 66 3a 20 68 74 74 70 3a 2f 2f 78 6d 6c 6e 73 2e 63 6f 6d 2f 66 6f 61 66 2f 30 2e 31 2f 20 6f 67 3a 20 68 74 74 70 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 20 72 64 66 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 31 2f 72 64 66 2d 73 63 68 65 6d 61 23 20 73 69 6f 63 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 6e 73 23 20 73 69 6f 63 74 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 74 79 70 65 73 23 20 73 6b 6f 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 34 2f 30 32 2f 73 6b 6f 73 2f 63 6f 72 65 23 20 78 73 64 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 23 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 40 63 68 61 72 73 65 74 20 22 55 54 46 2d 38 22 3b 0a 20 20 20 20 20 20 20 20 5b 6e 67 5c 3a 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 64 61 74 61 2d 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 78 2d 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 63 6c 6f 61 6b 2c 0a 20 20 20 20 20 20 20 20 2e 78 2d 6e 67 2d 63 6c 6f 61 6b 2c 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 68 69 64 65 3a 6e 6f 74 28 2e 6e 67 2d 68 69 64 65 2d 61 6e 69 6d 61 74 65 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 6e 67 5c 3a 66 6f 72 6d 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 61 6e 69 6d 61 74 65 2d 73 68 69 6d 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 69 73 69 62 69 6c 69 74 79 3a 20 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 61 6e 63 68 6f 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 12:34:10 GMTServer: ApacheContent-Length: 4395Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 43 6f 64 65 73 74 65 72 20 7c 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 72 65 73 70 6f 6e 73 69 76 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 33 30 30 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 6a 71 75 65 72 79 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 73 75 70 65 72 66 69 73 68 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 6a 71 75 65 72 79 2e 65 61 73 69 6e 67 2e 31 2e 33 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 6a 71 75 65 72 79 2e 63 6f 6f 6b 69 65 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 6a 51 75 65 72 79 28 77 69 6e 64 6f 77 29 2e 6c 6f 61 64 28 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 6a 51 75 65 72 79 28 27 2e 73 70 69 6e 6e 65 72 27 29 2e 61 6e 69 6d 61 74 65 28 7b 0d 0a 20 20 20 20 20 20 20 20 27 6f 70 61 63 69 74 79 27 3a 20 30 0d 0a 20 20 20 20 7d 2c 20 31 30 30 30 2c 20 27 65 61 73 65 4f 75 74 43 75 62 69 63 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 6a 51 75 65 72 79 28 74 68 69 73 29 2e 63 73 73 28 27 64 69 73 70 6c 61 79 27 2c 20 27 6e 6f 6e 65 27 29 0d 0a 20 20 20 20 7d 29 3b 0d 0a 7d 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 38 5d 3e 0d 0a 3c 64 69 76 20 73 74 79 6c 65 3d 27 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 27 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 77 69 6e 64 6f 77 73 2f 69 6e 74 65 72 6e 65 74 2d 65 78 70 6c 6f 72 65 72 2f 64 65 66 61 75 6c 74 2e
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 12:34:13 GMTServer: ApacheContent-Length: 4395Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 43 6f 64 65 73 74 65 72 20 7c 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 72 65 73 70 6f 6e 73 69 76 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 33 30 30 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 6a 71 75 65 72 79 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 73 75 70 65 72 66 69 73 68 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 6a 71 75 65 72 79 2e 65 61 73 69 6e 67 2e 31 2e 33 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 6a 71 75 65 72 79 2e 63 6f 6f 6b 69 65 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 6a 51 75 65 72 79 28 77 69 6e 64 6f 77 29 2e 6c 6f 61 64 28 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 6a 51 75 65 72 79 28 27 2e 73 70 69 6e 6e 65 72 27 29 2e 61 6e 69 6d 61 74 65 28 7b 0d 0a 20 20 20 20 20 20 20 20 27 6f 70 61 63 69 74 79 27 3a 20 30 0d 0a 20 20 20 20 7d 2c 20 31 30 30 30 2c 20 27 65 61 73 65 4f 75 74 43 75 62 69 63 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 6a 51 75 65 72 79 28 74 68 69 73 29 2e 63 73 73 28 27 64 69 73 70 6c 61 79 27 2c 20 27 6e 6f 6e 65 27 29 0d 0a 20 20 20 20 7d 29 3b 0d 0a 7d 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 38 5d 3e 0d 0a 3c 64 69 76 20 73 74 79 6c 65 3d 27 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 27 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 77 69 6e 64 6f 77 73 2f 69 6e 74 65 72 6e 65 74 2d 65 78 70 6c 6f 72 65 72 2f 64 65 66 61 75 6c 74 2e
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 12:34:16 GMTServer: ApacheContent-Length: 4395Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 43 6f 64 65 73 74 65 72 20 7c 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 72 65 73 70 6f 6e 73 69 76 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 33 30 30 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 6a 71 75 65 72 79 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 73 75 70 65 72 66 69 73 68 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 6a 71 75 65 72 79 2e 65 61 73 69 6e 67 2e 31 2e 33 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 6a 71 75 65 72 79 2e 63 6f 6f 6b 69 65 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 6a 51 75 65 72 79 28 77 69 6e 64 6f 77 29 2e 6c 6f 61 64 28 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 6a 51 75 65 72 79 28 27 2e 73 70 69 6e 6e 65 72 27 29 2e 61 6e 69 6d 61 74 65 28 7b 0d 0a 20 20 20 20 20 20 20 20 27 6f 70 61 63 69 74 79 27 3a 20 30 0d 0a 20 20 20 20 7d 2c 20 31 30 30 30 2c 20 27 65 61 73 65 4f 75 74 43 75 62 69 63 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 6a 51 75 65 72 79 28 74 68 69 73 29 2e 63 73 73 28 27 64 69 73 70 6c 61 79 27 2c 20 27 6e 6f 6e 65 27 29 0d 0a 20 20 20 20 7d 29 3b 0d 0a 7d 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 38 5d 3e 0d 0a 3c 64 69 76 20 73 74 79 6c 65 3d 27 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 27 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 77 69 6e 64 6f 77 73 2f 69 6e 74 65 72 6e 65 74 2d 65 78 70 6c 6f 72 65 72 2f 64 65 66 61 75 6c 74 2e
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 12:34:18 GMTServer: ApacheContent-Length: 4395Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 43 6f 64 65 73 74 65 72 20 7c 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 72 65 73 70 6f 6e 73 69 76 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0d 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 33 30 30 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 6a 71 75 65 72 79 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 73 75 70 65 72 66 69 73 68 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 6a 71 75 65 72 79 2e 65 61 73 69 6e 67 2e 31 2e 33 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 6a 73 2f 6a 71 75 65 72 79 2e 63 6f 6f 6b 69 65 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 6a 51 75 65 72 79 28 77 69 6e 64 6f 77 29 2e 6c 6f 61 64 28 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 6a 51 75 65 72 79 28 27 2e 73 70 69 6e 6e 65 72 27 29 2e 61 6e 69 6d 61 74 65 28 7b 0d 0a 20 20 20 20 20 20 20 20 27 6f 70 61 63 69 74 79 27 3a 20 30 0d 0a 20 20 20 20 7d 2c 20 31 30 30 30 2c 20 27 65 61 73 65 4f 75 74 43 75 62 69 63 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 6a 51 75 65 72 79 28 74 68 69 73 29 2e 63 73 73 28 27 64 69 73 70 6c 61 79 27 2c 20 27 6e 6f 6e 65 27 29 0d 0a 20 20 20 20 7d 29 3b 0d 0a 7d 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 38 5d 3e 0d 0a 3c 64 69 76 20 73 74 79 6c 65 3d 27 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 27 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 77 69 6e 64 6f 77 73 2f 69 6e 74 65 72 6e 65 74 2d 65 78 70 6c 6f 72 65 72 2f 64 65 66
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Tue, 21 Jan 2025 12:35:01 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2025-01-21T12:35:06.3225685Z
                Source: vuSbvvxE2e.exe, 00000013.00000002.4528020185.000000000321E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://fonts.googleapis.com/css?family=Open
                Source: taskkill.exe, 00000011.00000002.4528386273.00000000060BE000.00000004.10000000.00040000.00000000.sdmp, vuSbvvxE2e.exe, 00000013.00000002.4528020185.000000000321E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://justinmezzell.com
                Source: PO#98540-00.exe, 00000000.00000002.2135508328.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, PO#98540-00.exe, 00000000.00000002.2135508328.0000000002FDA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: ZgSwAbBKbQrN.exe, 0000000A.00000002.2341520009.0000000002824000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name8
                Source: taskkill.exe, 00000011.00000002.4528386273.00000000060BE000.00000004.10000000.00040000.00000000.sdmp, vuSbvvxE2e.exe, 00000013.00000002.4528020185.000000000321E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.dzyngiri.com
                Source: vuSbvvxE2e.exe, 00000013.00000002.4529838278.0000000004B4E000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.sdwd.wang
                Source: vuSbvvxE2e.exe, 00000013.00000002.4529838278.0000000004B4E000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.sdwd.wang/nkfs/
                Source: taskkill.exe, 00000011.00000002.4530514448.00000000080DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: taskkill.exe, 00000011.00000002.4530514448.00000000080DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: taskkill.exe, 00000011.00000002.4530514448.00000000080DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: taskkill.exe, 00000011.00000002.4530514448.00000000080DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: taskkill.exe, 00000011.00000002.4530514448.00000000080DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: taskkill.exe, 00000011.00000002.4530514448.00000000080DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: taskkill.exe, 00000011.00000002.4530514448.00000000080DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: taskkill.exe, 00000011.00000002.4528386273.0000000005D9A000.00000004.10000000.00040000.00000000.sdmp, vuSbvvxE2e.exe, 00000013.00000002.4528020185.0000000002EFA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Open
                Source: taskkill.exe, 00000011.00000002.4526680764.0000000002E18000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: taskkill.exe, 00000011.00000002.4526680764.0000000002E18000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: taskkill.exe, 00000011.00000002.4526680764.0000000002E18000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: taskkill.exe, 00000011.00000002.4526680764.0000000002E18000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: taskkill.exe, 00000011.00000002.4526680764.0000000002E18000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: taskkill.exe, 00000011.00000002.4526680764.0000000002E18000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: taskkill.exe, 00000011.00000003.2697553478.00000000080B5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: taskkill.exe, 00000011.00000002.4528386273.0000000005D9A000.00000004.10000000.00040000.00000000.sdmp, vuSbvvxE2e.exe, 00000013.00000002.4528020185.0000000002EFA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
                Source: taskkill.exe, 00000011.00000002.4530514448.00000000080DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: taskkill.exe, 00000011.00000002.4528386273.0000000005D9A000.00000004.10000000.00040000.00000000.sdmp, vuSbvvxE2e.exe, 00000013.00000002.4528020185.0000000002EFA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/analytics.js

                E-Banking Fraud

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000009.00000002.2519092908.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000013.00000002.4529838278.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.2520025807.00000000011C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.4527638531.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.4526508310.0000000002960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.4527575007.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.2525382668.0000000001FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000010.00000002.4527705273.0000000003620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                barindex
                Initial sample is a PE file and has a suspicious name
                Source: initial sampleStatic PE information: Filename: PO#98540-00.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0042CE83 NtClose,9_2_0042CE83
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0040ABEB NtDelayExecution,9_2_0040ABEB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0040ACB4 NtDelayExecution,9_2_0040ACB4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302B60 NtClose,LdrInitializeThunk,9_2_01302B60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302DF0 NtQuerySystemInformation,LdrInitializeThunk,9_2_01302DF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302C70 NtFreeVirtualMemory,LdrInitializeThunk,9_2_01302C70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013035C0 NtCreateMutant,LdrInitializeThunk,9_2_013035C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01304340 NtSetContextThread,9_2_01304340
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01304650 NtSuspendThread,9_2_01304650
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302BA0 NtEnumerateValueKey,9_2_01302BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302B80 NtQueryInformationFile,9_2_01302B80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302BF0 NtAllocateVirtualMemory,9_2_01302BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302BE0 NtQueryValueKey,9_2_01302BE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302AB0 NtWaitForSingleObject,9_2_01302AB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302AF0 NtWriteFile,9_2_01302AF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302AD0 NtReadFile,9_2_01302AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302D30 NtUnmapViewOfSection,9_2_01302D30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302D10 NtMapViewOfSection,9_2_01302D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302D00 NtSetInformationFile,9_2_01302D00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302DB0 NtEnumerateKey,9_2_01302DB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302DD0 NtDelayExecution,9_2_01302DD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302C00 NtQueryInformationProcess,9_2_01302C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302C60 NtCreateKey,9_2_01302C60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302CA0 NtQueryInformationToken,9_2_01302CA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302CF0 NtOpenProcess,9_2_01302CF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302CC0 NtQueryVirtualMemory,9_2_01302CC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302F30 NtCreateSection,9_2_01302F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302F60 NtCreateProcessEx,9_2_01302F60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302FB0 NtResumeThread,9_2_01302FB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302FA0 NtQuerySection,9_2_01302FA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302F90 NtProtectVirtualMemory,9_2_01302F90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302FE0 NtCreateFile,9_2_01302FE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302E30 NtWriteVirtualMemory,9_2_01302E30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302EA0 NtAdjustPrivilegesToken,9_2_01302EA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302E80 NtReadVirtualMemory,9_2_01302E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302EE0 NtQueueApcThread,9_2_01302EE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01303010 NtOpenDirectoryObject,9_2_01303010
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01303090 NtSetValueKey,9_2_01303090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013039B0 NtGetContextThread,9_2_013039B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01303D10 NtOpenProcessToken,9_2_01303D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01303D70 NtOpenThread,9_2_01303D70
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F44650 NtSuspendThread,LdrInitializeThunk,17_2_04F44650
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F44340 NtSetContextThread,LdrInitializeThunk,17_2_04F44340
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42CA0 NtQueryInformationToken,LdrInitializeThunk,17_2_04F42CA0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42C70 NtFreeVirtualMemory,LdrInitializeThunk,17_2_04F42C70
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42C60 NtCreateKey,LdrInitializeThunk,17_2_04F42C60
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42DF0 NtQuerySystemInformation,LdrInitializeThunk,17_2_04F42DF0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42DD0 NtDelayExecution,LdrInitializeThunk,17_2_04F42DD0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42D30 NtUnmapViewOfSection,LdrInitializeThunk,17_2_04F42D30
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42D10 NtMapViewOfSection,LdrInitializeThunk,17_2_04F42D10
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42EE0 NtQueueApcThread,LdrInitializeThunk,17_2_04F42EE0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42FE0 NtCreateFile,LdrInitializeThunk,17_2_04F42FE0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42FB0 NtResumeThread,LdrInitializeThunk,17_2_04F42FB0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42F30 NtCreateSection,LdrInitializeThunk,17_2_04F42F30
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42AF0 NtWriteFile,LdrInitializeThunk,17_2_04F42AF0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42AD0 NtReadFile,LdrInitializeThunk,17_2_04F42AD0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42B60 NtClose,LdrInitializeThunk,17_2_04F42B60
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F435C0 NtCreateMutant,LdrInitializeThunk,17_2_04F435C0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F439B0 NtGetContextThread,LdrInitializeThunk,17_2_04F439B0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42CF0 NtOpenProcess,17_2_04F42CF0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42CC0 NtQueryVirtualMemory,17_2_04F42CC0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42C00 NtQueryInformationProcess,17_2_04F42C00
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42DB0 NtEnumerateKey,17_2_04F42DB0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42D00 NtSetInformationFile,17_2_04F42D00
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42EA0 NtAdjustPrivilegesToken,17_2_04F42EA0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42E80 NtReadVirtualMemory,17_2_04F42E80
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42E30 NtWriteVirtualMemory,17_2_04F42E30
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42FA0 NtQuerySection,17_2_04F42FA0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42F90 NtProtectVirtualMemory,17_2_04F42F90
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42F60 NtCreateProcessEx,17_2_04F42F60
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42AB0 NtWaitForSingleObject,17_2_04F42AB0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42BF0 NtAllocateVirtualMemory,17_2_04F42BF0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42BE0 NtQueryValueKey,17_2_04F42BE0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42BA0 NtEnumerateValueKey,17_2_04F42BA0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F42B80 NtQueryInformationFile,17_2_04F42B80
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F43090 NtSetValueKey,17_2_04F43090
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F43010 NtOpenDirectoryObject,17_2_04F43010
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F43D70 NtOpenThread,17_2_04F43D70
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F43D10 NtOpenProcessToken,17_2_04F43D10
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_02989710 NtCreateFile,17_2_02989710
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_02989A10 NtClose,17_2_02989A10
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_02989880 NtReadFile,17_2_02989880
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_02989970 NtDeleteFile,17_2_02989970
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_012B46680_2_012B4668
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_012B3E300_2_012B3E30
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_012B46580_2_012B4658
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_012B92A80_2_012B92A8
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_05741C700_2_05741C70
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F0B6B00_2_06F0B6B0
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F065D80_2_06F065D8
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F0B2700_2_06F0B270
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F0BC500_2_06F0BC50
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F06D400_2_06F06D40
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F0CD180_2_06F0CD18
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F07AF80_2_06F07AF8
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F05AA80_2_06F05AA8
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F0DBB00_2_06F0DBB0
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F0B6A30_2_06F0B6A3
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F0D5C80_2_06F0D5C8
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F0D5B80_2_06F0D5B8
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F065BD0_2_06F065BD
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F075880_2_06F07588
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F075780_2_06F07578
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F0A5500_2_06F0A550
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F0A5400_2_06F0A540
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F0C5480_2_06F0C548
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F0B2610_2_06F0B261
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F0C0980_2_06F0C098
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F0C0880_2_06F0C088
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F0B0780_2_06F0B078
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F0B06B0_2_06F0B06B
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F0AE000_2_06F0AE00
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F0BC430_2_06F0BC43
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F0ADF00_2_06F0ADF0
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F06D310_2_06F06D31
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F0CD080_2_06F0CD08
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F07AE80_2_06F07AE8
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F05A980_2_06F05A98
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F0ABE00_2_06F0ABE0
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F0ABD00_2_06F0ABD0
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F0DBA10_2_06F0DBA1
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F0B8F80_2_06F0B8F8
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F0B8E80_2_06F0B8E8
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F099A00_2_06F099A0
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F099930_2_06F09993
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00418D639_2_00418D63
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0040E8279_2_0040E827
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0040E8339_2_0040E833
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004031F09_2_004031F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00401CC09_2_00401CC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004104CA9_2_004104CA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004104D39_2_004104D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00402CD29_2_00402CD2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00402CE09_2_00402CE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0042F4E39_2_0042F4E3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00401CBC9_2_00401CBC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0040E6E39_2_0040E6E3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004106F39_2_004106F3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_004026B09_2_004026B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00416F5E9_2_00416F5E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00416F639_2_00416F63
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C01009_2_012C0100
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136A1189_2_0136A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013581589_2_01358158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013901AA9_2_013901AA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013841A29_2_013841A2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013881CC9_2_013881CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013620009_2_01362000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0138A3529_2_0138A352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012DE3F09_2_012DE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013903E69_2_013903E6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013702749_2_01370274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013502C09_2_013502C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D05359_2_012D0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013905919_2_01390591
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013744209_2_01374420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013824469_2_01382446
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0137E4F69_2_0137E4F6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D07709_2_012D0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F47509_2_012F4750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CC7C09_2_012CC7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EC6E09_2_012EC6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E69629_2_012E6962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D29A09_2_012D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0139A9A69_2_0139A9A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D28409_2_012D2840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012DA8409_2_012DA840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012B68B89_2_012B68B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FE8F09_2_012FE8F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0138AB409_2_0138AB40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01386BD79_2_01386BD7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CEA809_2_012CEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136CD1F9_2_0136CD1F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012DAD009_2_012DAD00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E8DBF9_2_012E8DBF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CADE09_2_012CADE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D0C009_2_012D0C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01370CB59_2_01370CB5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C0CF29_2_012C0CF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01372F309_2_01372F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01312F289_2_01312F28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F0F309_2_012F0F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01344F409_2_01344F40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0134EFA09_2_0134EFA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012DCFE09_2_012DCFE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C2FC89_2_012C2FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0138EE269_2_0138EE26
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D0E599_2_012D0E59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0138CE939_2_0138CE93
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E2E909_2_012E2E90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0138EEDB9_2_0138EEDB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0139B16B9_2_0139B16B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012BF1729_2_012BF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0130516C9_2_0130516C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012DB1B09_2_012DB1B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013870E99_2_013870E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0138F0E09_2_0138F0E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D70C09_2_012D70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0137F0CC9_2_0137F0CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0138132D9_2_0138132D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012BD34C9_2_012BD34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0131739A9_2_0131739A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D52A09_2_012D52A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013712ED9_2_013712ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EB2C09_2_012EB2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013875719_2_01387571
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136D5B09_2_0136D5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013995C39_2_013995C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0138F43F9_2_0138F43F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C14609_2_012C1460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0138F7B09_2_0138F7B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013156309_2_01315630
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013816CC9_2_013816CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013659109_2_01365910
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D99509_2_012D9950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EB9509_2_012EB950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0133D8009_2_0133D800
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D38E09_2_012D38E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0138FB769_2_0138FB76
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EFB809_2_012EFB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01345BF09_2_01345BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0130DBF99_2_0130DBF9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01343A6C9_2_01343A6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0138FA499_2_0138FA49
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01387A469_2_01387A46
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01315AA09_2_01315AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01371AA39_2_01371AA3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136DAAC9_2_0136DAAC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0137DAC69_2_0137DAC6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01387D739_2_01387D73
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01381D5A9_2_01381D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D3D409_2_012D3D40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EFDC09_2_012EFDC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01349C329_2_01349C32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0138FCF29_2_0138FCF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0138FF099_2_0138FF09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0138FFB19_2_0138FFB1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D1F929_2_012D1F92
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01293FD29_2_01293FD2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01293FD59_2_01293FD5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D9EB09_2_012D9EB0
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeCode function: 10_2_00DA466810_2_00DA4668
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeCode function: 10_2_00DA3E3010_2_00DA3E30
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeCode function: 10_2_00DA465810_2_00DA4658
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeCode function: 10_2_00DA92A810_2_00DA92A8
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeCode function: 10_2_0595C4A010_2_0595C4A0
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeCode function: 10_2_05951E1010_2_05951E10
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeCode function: 10_2_05956DAF10_2_05956DAF
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeCode function: 10_2_05956DC010_2_05956DC0
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeCode function: 10_2_05954E4010_2_05954E40
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeCode function: 10_2_059549E910_2_059549E9
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeCode function: 10_2_059572BF10_2_059572BF
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeCode function: 10_2_059572D010_2_059572D0
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeCode function: 10_2_05954A0810_2_05954A08
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeCode function: 10_2_0595527810_2_05955278
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017F010014_2_017F0100
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0184600014_2_01846000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_018802C014_2_018802C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0180053514_2_01800535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017FC7C014_2_017FC7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0182475014_2_01824750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0180077014_2_01800770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0181C6E014_2_0181C6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_018029A014_2_018029A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0181696214_2_01816962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0183889014_2_01838890
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0182E8F014_2_0182E8F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0180A84014_2_0180A840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0180284014_2_01802840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017E68B814_2_017E68B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017FEA8014_2_017FEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01818DBF14_2_01818DBF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01808DC014_2_01808DC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0180AD0014_2_0180AD00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017FADE014_2_017FADE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0180ED7A14_2_0180ED7A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01800C0014_2_01800C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017F0CF214_2_017F0CF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0187EFA014_2_0187EFA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01842F2814_2_01842F28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01820F3014_2_01820F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017F2FC814_2_017F2FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01874F4014_2_01874F40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01812E9014_2_01812E90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01800E5914_2_01800E59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017EF17214_2_017EF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0180B1B014_2_0180B1B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0183516C14_2_0183516C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017ED34C14_2_017ED34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_018033F314_2_018033F3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_018052A014_2_018052A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0181B2C014_2_0181B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0181D2F014_2_0181D2F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0180349714_2_01803497
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017F146014_2_017F1460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_018474E014_2_018474E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0180B73014_2_0180B730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0180599014_2_01805990
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0180995014_2_01809950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0181B95014_2_0181B950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_018038E014_2_018038E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0186D80014_2_0186D800
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0181FB8014_2_0181FB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01875BF014_2_01875BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0183DBF914_2_0183DBF9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01873A6C14_2_01873A6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0181FDC014_2_0181FDC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01803D4014_2_01803D40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01819C2014_2_01819C20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01879C3214_2_01879C32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01801F9214_2_01801F92
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01809EB014_2_01809EB0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FBE4F617_2_04FBE4F6
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FC244617_2_04FC2446
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FB442017_2_04FB4420
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FD059117_2_04FD0591
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F1053517_2_04F10535
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F2C6E017_2_04F2C6E0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F0C7C017_2_04F0C7C0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F1077017_2_04F10770
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F3475017_2_04F34750
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FA200017_2_04FA2000
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FC81CC17_2_04FC81CC
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FD01AA17_2_04FD01AA
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FC41A217_2_04FC41A2
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F9815817_2_04F98158
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FAA11817_2_04FAA118
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F0010017_2_04F00100
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F902C017_2_04F902C0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FB027417_2_04FB0274
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F1E3F017_2_04F1E3F0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FD03E617_2_04FD03E6
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FCA35217_2_04FCA352
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F00CF217_2_04F00CF2
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FB0CB517_2_04FB0CB5
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F10C0017_2_04F10C00
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F0ADE017_2_04F0ADE0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F28DBF17_2_04F28DBF
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FACD1F17_2_04FACD1F
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F1AD0017_2_04F1AD00
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FCEEDB17_2_04FCEEDB
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F22E9017_2_04F22E90
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FCCE9317_2_04FCCE93
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F10E5917_2_04F10E59
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FCEE2617_2_04FCEE26
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F1CFE017_2_04F1CFE0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F02FC817_2_04F02FC8
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F8EFA017_2_04F8EFA0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F84F4017_2_04F84F40
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F30F3017_2_04F30F30
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FB2F3017_2_04FB2F30
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F52F2817_2_04F52F28
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F3E8F017_2_04F3E8F0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04EF68B817_2_04EF68B8
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F1A84017_2_04F1A840
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F1284017_2_04F12840
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F129A017_2_04F129A0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FDA9A617_2_04FDA9A6
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F2696217_2_04F26962
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F0EA8017_2_04F0EA80
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FC6BD717_2_04FC6BD7
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FCAB4017_2_04FCAB40
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F0146017_2_04F01460
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FCF43F17_2_04FCF43F
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FD95C317_2_04FD95C3
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FAD5B017_2_04FAD5B0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FC757117_2_04FC7571
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FC16CC17_2_04FC16CC
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F5563017_2_04F55630
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FCF7B017_2_04FCF7B0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FC70E917_2_04FC70E9
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FCF0E017_2_04FCF0E0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F170C017_2_04F170C0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FBF0CC17_2_04FBF0CC
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F1B1B017_2_04F1B1B0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FDB16B17_2_04FDB16B
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F4516C17_2_04F4516C
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04EFF17217_2_04EFF172
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FB12ED17_2_04FB12ED
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F2B2C017_2_04F2B2C0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F152A017_2_04F152A0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F5739A17_2_04F5739A
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04EFD34C17_2_04EFD34C
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FC132D17_2_04FC132D
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FCFCF217_2_04FCFCF2
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F89C3217_2_04F89C32
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F2FDC017_2_04F2FDC0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FC7D7317_2_04FC7D73
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FC1D5A17_2_04FC1D5A
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F13D4017_2_04F13D40
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F19EB017_2_04F19EB0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04ED3FD517_2_04ED3FD5
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04ED3FD217_2_04ED3FD2
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FCFFB117_2_04FCFFB1
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F11F9217_2_04F11F92
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FCFF0917_2_04FCFF09
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F138E017_2_04F138E0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F7D80017_2_04F7D800
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F1995017_2_04F19950
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F2B95017_2_04F2B950
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FA591017_2_04FA5910
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FBDAC617_2_04FBDAC6
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F55AA017_2_04F55AA0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FADAAC17_2_04FADAAC
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FB1AA317_2_04FB1AA3
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F83A6C17_2_04F83A6C
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FCFA4917_2_04FCFA49
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FC7A4617_2_04FC7A46
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F85BF017_2_04F85BF0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F4DBF917_2_04F4DBF9
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04F2FB8017_2_04F2FB80
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04FCFB7617_2_04FCFB76
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_0297220017_2_02972200
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_0298C07017_2_0298C070
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_0296D28017_2_0296D280
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_0296B27017_2_0296B270
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_0296B3B417_2_0296B3B4
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_0296B3C017_2_0296B3C0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_0296D05717_2_0296D057
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_0296D06017_2_0296D060
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_02973AF017_2_02973AF0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_02973AEB17_2_02973AEB
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_029758F017_2_029758F0
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04D1D6E317_2_04D1D6E3
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04D1E65417_2_04D1E654
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04D1D71817_2_04D1D718
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04D1E19817_2_04D1E198
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_04D1E2B417_2_04D1E2B4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0186EA12 appears 36 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 01305130 appears 58 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0133EA12 appears 86 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 01847E54 appears 97 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0134F290 appears 105 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 01317E54 appears 111 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 012BB970 appears 280 times
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: String function: 04F57E54 appears 111 times
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: String function: 04F7EA12 appears 86 times
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: String function: 04EFB970 appears 280 times
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: String function: 04F45130 appears 58 times
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: String function: 04F8F290 appears 105 times
                Source: PO#98540-00.exe, 00000000.00000002.2147174509.000000000B510000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs PO#98540-00.exe
                Source: PO#98540-00.exe, 00000000.00000002.2139634093.0000000003DB3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs PO#98540-00.exe
                Source: PO#98540-00.exe, 00000000.00000002.2146456348.0000000008F10000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs PO#98540-00.exe
                Source: PO#98540-00.exe, 00000000.00000002.2127638507.0000000000F0E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs PO#98540-00.exe
                Source: PO#98540-00.exe, 00000000.00000000.2072609105.000000000096A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameXQSj.exe@ vs PO#98540-00.exe
                Source: PO#98540-00.exe, 00000000.00000002.2139634093.00000000045D3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs PO#98540-00.exe
                Source: PO#98540-00.exeBinary or memory string: OriginalFilenameXQSj.exe@ vs PO#98540-00.exe
                Source: PO#98540-00.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: PO#98540-00.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: ZgSwAbBKbQrN.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, YYlkFKJWJn4JP87tI1.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, YYlkFKJWJn4JP87tI1.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, AWFyS8970v10CSyB3k.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, AWFyS8970v10CSyB3k.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, AWFyS8970v10CSyB3k.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, AWFyS8970v10CSyB3k.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, AWFyS8970v10CSyB3k.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, AWFyS8970v10CSyB3k.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, YYlkFKJWJn4JP87tI1.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, YYlkFKJWJn4JP87tI1.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, YYlkFKJWJn4JP87tI1.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, YYlkFKJWJn4JP87tI1.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, AWFyS8970v10CSyB3k.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, AWFyS8970v10CSyB3k.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, AWFyS8970v10CSyB3k.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@23/16@14/10
                Source: C:\Users\user\Desktop\PO#98540-00.exeFile created: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeMutant created: NULL
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeMutant created: \Sessions\1\BaseNamedObjects\dGfBffmJFUDHFLPlqbhonmnQH
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2820:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1576:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2556:120:WilError_03
                Source: C:\Users\user\Desktop\PO#98540-00.exeFile created: C:\Users\user\AppData\Local\Temp\tmp8537.tmpJump to behavior
                Source: PO#98540-00.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: PO#98540-00.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\PO#98540-00.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: taskkill.exe, 00000011.00000002.4526680764.0000000002E72000.00000004.00000020.00020000.00000000.sdmp, taskkill.exe, 00000011.00000002.4526680764.0000000002EA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: PO#98540-00.exeVirustotal: Detection: 30%
                Source: PO#98540-00.exeReversingLabs: Detection: 39%
                Source: C:\Users\user\Desktop\PO#98540-00.exeFile read: C:\Users\user\Desktop\PO#98540-00.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\PO#98540-00.exe "C:\Users\user\Desktop\PO#98540-00.exe"
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#98540-00.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgSwAbBKbQrN" /XML "C:\Users\user\AppData\Local\Temp\tmp8537.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exe C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgSwAbBKbQrN" /XML "C:\Users\user\AppData\Local\Temp\tmpA458.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe"
                Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#98540-00.exe"Jump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exe"Jump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgSwAbBKbQrN" /XML "C:\Users\user\AppData\Local\Temp\tmp8537.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgSwAbBKbQrN" /XML "C:\Users\user\AppData\Local\Temp\tmpA458.tmp"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe"
                Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mlang.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: propsys.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: cryptbase.dll
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeSection loaded: wininet.dll
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeSection loaded: mswsock.dll
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeSection loaded: dnsapi.dll
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeSection loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeSection loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeSection loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\PO#98540-00.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\PO#98540-00.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\SysWOW64\taskkill.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: PO#98540-00.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: PO#98540-00.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: PO#98540-00.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: RegSvcs.pdb, source: taskkill.exe, 00000011.00000002.4528386273.00000000054FC000.00000004.10000000.00040000.00000000.sdmp, taskkill.exe, 00000011.00000002.4526680764.0000000002DFD000.00000004.00000020.00020000.00000000.sdmp, vuSbvvxE2e.exe, 00000013.00000002.4528020185.000000000265C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2805908228.000000003BB4C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000009.00000002.2520253209.0000000001290000.00000040.00001000.00020000.00000000.sdmp, taskkill.exe, 00000011.00000002.4527943489.0000000004ED0000.00000040.00001000.00020000.00000000.sdmp, taskkill.exe, 00000011.00000003.2519291534.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, taskkill.exe, 00000011.00000003.2521690247.0000000004D1F000.00000004.00000020.00020000.00000000.sdmp, taskkill.exe, 00000011.00000002.4527943489.000000000506E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000009.00000002.2520253209.0000000001290000.00000040.00001000.00020000.00000000.sdmp, taskkill.exe, taskkill.exe, 00000011.00000002.4527943489.0000000004ED0000.00000040.00001000.00020000.00000000.sdmp, taskkill.exe, 00000011.00000003.2519291534.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, taskkill.exe, 00000011.00000003.2521690247.0000000004D1F000.00000004.00000020.00020000.00000000.sdmp, taskkill.exe, 00000011.00000002.4527943489.000000000506E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: taskkill.pdbGCTL source: RegSvcs.exe, 00000009.00000002.2519503958.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, vuSbvvxE2e.exe, 00000010.00000002.4526791389.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: XQSj.pdbSHA256 source: PO#98540-00.exe, ZgSwAbBKbQrN.exe.0.dr
                Source: Binary string: RegSvcs.pdb source: taskkill.exe, 00000011.00000002.4528386273.00000000054FC000.00000004.10000000.00040000.00000000.sdmp, taskkill.exe, 00000011.00000002.4526680764.0000000002DFD000.00000004.00000020.00020000.00000000.sdmp, vuSbvvxE2e.exe, 00000013.00000002.4528020185.000000000265C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2805908228.000000003BB4C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: taskkill.pdb source: RegSvcs.exe, 00000009.00000002.2519503958.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, vuSbvvxE2e.exe, 00000010.00000002.4526791389.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: XQSj.pdb source: PO#98540-00.exe, ZgSwAbBKbQrN.exe.0.dr
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: vuSbvvxE2e.exe, 00000010.00000002.4527100571.0000000000F4F000.00000002.00000001.01000000.0000000D.sdmp, vuSbvvxE2e.exe, 00000013.00000000.2588781136.0000000000F4F000.00000002.00000001.01000000.0000000D.sdmp

                Data Obfuscation

                barindex
                .NET source code contains potential unpacker
                Source: 0.2.PO#98540-00.exe.3db3de8.4.raw.unpack, MainForm.cs.Net Code: _206D_206A_206B_200E_200F_206F_206E_200C_200F_202B_202E_206A_200C_202A_200C_206D_200C_206F_200C_206E_202E_200B_202B_200D_206C_206C_200E_200D_200D_200F_206D_206F_206A_206F_200D_206C_202C_206D_206C_206C_202E System.Reflection.Assembly.Load(byte[])
                Source: 0.2.PO#98540-00.exe.8f10000.5.raw.unpack, MainForm.cs.Net Code: _206D_206A_206B_200E_200F_206F_206E_200C_200F_202B_202E_206A_200C_202A_200C_206D_200C_206F_200C_206E_202E_200B_202B_200D_206C_206C_200E_200D_200D_200F_206D_206F_206A_206F_200D_206C_202C_206D_206C_206C_202E System.Reflection.Assembly.Load(byte[])
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, AWFyS8970v10CSyB3k.cs.Net Code: OQTnEpO2Hj System.Reflection.Assembly.Load(byte[])
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, AWFyS8970v10CSyB3k.cs.Net Code: OQTnEpO2Hj System.Reflection.Assembly.Load(byte[])
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, AWFyS8970v10CSyB3k.cs.Net Code: OQTnEpO2Hj System.Reflection.Assembly.Load(byte[])
                Source: PO#98540-00.exeStatic PE information: 0xC291F2F0 [Sat Jun 10 18:26:56 2073 UTC]
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_05743DF8 push ss; ret 0_2_05743E07
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F02788 push 0808DBBBh; iretd 0_2_06F0278D
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F04C98 pushfd ; iretd 0_2_06F04CA1
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F05DD3 push ecx; ret 0_2_06F05DD4
                Source: C:\Users\user\Desktop\PO#98540-00.exeCode function: 0_2_06F08812 push es; retf 0_2_06F0881C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0040D885 push ebx; retf 9_2_0040D88C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0040B950 push ss; ret 9_2_0040B951
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0041B2D3 push es; iretd 9_2_0041B2D6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00403470 push eax; ret 9_2_00403472
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0041848A pushfd ; ret 9_2_0041848B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00416583 push FFFFFFACh; ret 9_2_004165AA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00423E43 push es; retf 9_2_00423E66
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0041AE40 push esi; ret 9_2_0041AE4E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00416653 push esp; iretd 9_2_00416671
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00411E0A push FFFFFF8Fh; iretd 9_2_00411E13
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00419759 push EA90FA4Bh; ret 9_2_00419766
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00401F14 push es; retf 9_2_00401F16
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00423FB3 push edi; iretd 9_2_00423FBC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0129225F pushad ; ret 9_2_012927F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012927FA pushad ; ret 9_2_012927F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C09AD push ecx; mov dword ptr [esp], ecx9_2_012C09B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0129283D push eax; iretd 9_2_01292858
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0183C54D pushfd ; ret 14_2_0183C54E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0183C9D7 push edi; ret 14_2_0183C9D9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017F09AD push ecx; mov dword ptr [esp], ecx14_2_017F09B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017C1328 push eax; iretd 14_2_017C1369
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_017C1FEC push eax; iretd 14_2_017C1FED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01847E99 push ecx; ret 14_2_01847EAC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0042E347 push FFFFFFCAh; ret 14_2_0042E349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0042E322 push esi; retf 14_2_0042E330
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0042EB2F push esi; ret 14_2_0042EB32
                Source: PO#98540-00.exeStatic PE information: section name: .text entropy: 7.608821435661389
                Source: ZgSwAbBKbQrN.exe.0.drStatic PE information: section name: .text entropy: 7.608821435661389
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, PaEdvYzEHmpfEGptSm.csHigh entropy of concatenated method names: 'tkgb8McJid', 'qSsbJiWsuC', 'Mrgbc7NpJO', 'sr6bZFga5C', 'dNbbjDmghI', 't1VbLDghaZ', 'jRbbCZX1H8', 'ucpbaBs5mB', 'hpCbuAC6KJ', 'xkxb3OZp2r'
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, Mo9uokctWA1MWr2Ke2.csHigh entropy of concatenated method names: 'YLc7SF4AZ6', 'DX078qyDQy', 'S5Y7J9w9X0', 'ib47cJoMoo', 'xPT747SYNE', 'oXS7q3jw8L', 'nIn7vMAo9G', 'Sh57Gb7Sb2', 'BBb7yyDPUH', 'hhW7b0TjhL'
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, N3T8DHrjCmYqgMUW4O.csHigh entropy of concatenated method names: 'q5tyZfeOSD', 'XsyyjAd5dD', 'wwtymHDMM2', 'OxwyLAe9ws', 'gdSyCByR8y', 'EDbykDU3fd', 'mLiyX8Mqd2', 'KNqylfwbLW', 'IV6yV09KZh', 'gmbyA4atmX'
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, f7m384eeGCqVBpj5lA.csHigh entropy of concatenated method names: 'fk6y4EpQfw', 'LYnyvjBskF', 'k77yykebjF', 'xxvyB2Y69t', 'rSkyKayjPE', 'itoyatuEOF', 'Dispose', 'XPpGOnhHWW', 'CyNGfvfN1L', 'yjkG7hbrAh'
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, RfgPwSdd1MWdali3rRU.csHigh entropy of concatenated method names: 'B6Wb2NhO6C', 'PfUbzS1v3J', 'SgeBh8590X', 'W7YBdd7YL8', 'HVoBx09gP6', 'Kj2B0k3L1l', 'G6tBnRFA97', 'kH3BDeaRiF', 'yBcBOhEisp', 'L9DBfTgcSV'
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, fV76d7ZZGh3cuDbHoS.csHigh entropy of concatenated method names: 'vk5TDb7lD3', 'yXjTfiMsYq', 'UsZTtD9p90', 'cpaTRxNxuy', 'YLrT9KJ5Jf', 'rqPtiT7VHi', 'QsCtg7S8PC', 'rA5teFeDKd', 'HCLtFqYxnw', 'JDUtr4bdeu'
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, YYlkFKJWJn4JP87tI1.csHigh entropy of concatenated method names: 'vDAfU4gNVF', 'gZMfo9FW74', 'kBtfwbikbl', 'k9KfsHHygi', 'yrTfiokvV6', 'pygfg4iIEr', 'nPAfeTgFyU', 'TIifFT5SZU', 'qPofrvOiYc', 'fDpf2Yig4r'
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, qATmLtwtjg1EjEgJmg.csHigh entropy of concatenated method names: 'ToString', 'teYq6h267R', 'EZuqjXipaI', 'RlpqmX5ADD', 'rbBqLsZWo6', 'QnKqCX0M0u', 'gKTqkQST6A', 'D2gqXTKQfp', 'm1sqlWB3sW', 'lG7qVjASVO'
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, JnyC2OUtfw1oTGPHap.csHigh entropy of concatenated method names: 'ko44A6xR0V', 'UdM4H80Atx', 'i6H4Ub1G41', 'uGe4oTx8qI', 'nEY4jNGjuA', 'BpO4mLiKT5', 'uSK4Lk8c8p', 'f6Z4CHbHTQ', 'GF44kGx5SD', 'AMb4X7VPgA'
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, xRu2It2AyrBxUPDAp3.csHigh entropy of concatenated method names: 'x94b7BAGLo', 'vESbtQPHLp', 'B9qbTxDmv0', 'd54bRvjCir', 'wmPbyhBpm0', 'UqUb9tsTfK', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, AWFyS8970v10CSyB3k.csHigh entropy of concatenated method names: 'M8q0DxcrDH', 'U450OF4RLl', 'KVS0fUH59f', 'wD307ywFBu', 'NNU0tBcScM', 'b3J0ThnA8n', 'CRg0RL8EJd', 'jUT09bJfIc', 'qXV0Nbc94g', 'XYT0PWiJIa'
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, p6dOn2d0cN5YrhkrAfv.csHigh entropy of concatenated method names: 'lVvB2X9Uta', 'ejSBz9tjnb', 'AFPMhMSPbw', 'Pgl1BmwN5TIC3jxyl7N', 'e2DUQqwzHUMaKdgfqwm', 'iYY6XcrQ8AOd3QfNpT7', 'pt5ytErWaZcXrJKQgxV'
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, x5mnWfWw6ZUVJVq8Ji.csHigh entropy of concatenated method names: 'AqLt1rnsfc', 'h6PtIblnoo', 'cXG7mZEnrA', 'IHY7LjW9xG', 'RYQ7CqgWnH', 'lkD7kLQ4FG', 'uFw7X4uRjv', 'cue7lBBfET', 'jxX7V2Zruw', 'mPV7Ab2njq'
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, iJUUZJkV1UEsHyCA3Y.csHigh entropy of concatenated method names: 'WpxTwcwxq9', 'PtRTsumuvn', 'ExqTiwLah8', 'ToString', 'lNOTgfIuEp', 'vCGTeYqsZf', 'GZP58OC9G2F7F1Q4Nic', 'paShjdCUdnUIBXMouaa', 'f0vAhTCH9USjN3RYwfv', 'NFTyQNCgiXf0TkP46Ay'
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, SDFiXnjihpUBjSp4Ix.csHigh entropy of concatenated method names: 'SAgCXWCGo16pJPRwlju', 'tvLyRpCdFWskUQmxpqV', 'D5VXcDCePNSRTRahhEo', 'n4nTGktoaA', 'NNPTyxImjl', 'pShTbYvROT', 'dIiHVbCbci4tThXBxwE', 'SutZQ0CTxOsxOMA7925'
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, edn4wWnXeMFepAl52w.csHigh entropy of concatenated method names: 'uX2dRYlkFK', 'FJnd94JP87', 'KtWdPA1MWr', 'YKedQ2u5mn', 'Mq8d4JiOV7', 'Od7dqZGh3c', 'cWK8foSHtQkbZameLf', 'r21OLOxcrOeJOLbn5T', 'IHlddti9GG', 'm5Ad01Ytjn'
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, cDaGqkfd68bBgUXqVf.csHigh entropy of concatenated method names: 'Dispose', 'JqVdrBpj5l', 'TWaxj1UfgU', 'BGypeZtWsE', 'Ndpd2MBCef', 'e8cdzQ09wh', 'ProcessDialogKey', 'NQAxh3T8DH', 'HCmxdYqgMU', 'F4OxxaRu2I'
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, nESAVCxrK3yxM139fB.csHigh entropy of concatenated method names: 'h9uEqm7xQ', 'gifSq8aHO', 'dH18bvrQG', 'MLeI8Zudo', 'Bs0cvyefQ', 'SarWUEvlm', 'HStFyBBb3rwg1C2SCB', 'NLc5EucdhDessDaWgC', 'CBGGSeESw', 'Xq0bky2V3'
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, alTc1RpyRdUqiWABQv.csHigh entropy of concatenated method names: 'uXOYJsFSaL', 'VfFYcOUiN3', 'SOmYZcCI05', 'Uq7Yj3aCQQ', 'lUhYLEHVDp', 'DnlYCwhsph', 'mM3YXjOaqU', 'M1QYlsrtSb', 'yeeYAhMla4', 'VPmY6P5vP5'
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, YEmU1ogGP0so4R9hbN.csHigh entropy of concatenated method names: 'JWVvFn15o5', 'DPnv2bO6im', 'IUJGhgd5vX', 'Iq4GdknWt1', 'h9Ov6Ord4L', 'a4svHv5YXZ', 'UVGvpHmGCH', 'vHEvUqiIpl', 'Jc2voATorh', 'RRVvwKABRa'
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, BPsReqVOEmmwOhSy7t.csHigh entropy of concatenated method names: 'dM9RuBZQyF', 'wpeR3Y00dN', 'K1KREDeAxG', 'NulRSrZTZa', 'VC0R1MiGBR', 'iITR8oBMHj', 'mpWRIv0pAw', 'LgHRJ5BLR6', 'MHYRcA0Ohs', 'CJ2RWPfiMr'
                Source: 0.2.PO#98540-00.exe.4812788.3.raw.unpack, zE3yxvdnMOS3CkpJeEE.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'D4PMy5OATN', 'BulMbMKkns', 'GSbMBgbbk1', 'CyKMM47Lpj', 'AnTMKdPOVc', 'VUpM5nZNOK', 'eL4Mam6qKv'
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, PaEdvYzEHmpfEGptSm.csHigh entropy of concatenated method names: 'tkgb8McJid', 'qSsbJiWsuC', 'Mrgbc7NpJO', 'sr6bZFga5C', 'dNbbjDmghI', 't1VbLDghaZ', 'jRbbCZX1H8', 'ucpbaBs5mB', 'hpCbuAC6KJ', 'xkxb3OZp2r'
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, Mo9uokctWA1MWr2Ke2.csHigh entropy of concatenated method names: 'YLc7SF4AZ6', 'DX078qyDQy', 'S5Y7J9w9X0', 'ib47cJoMoo', 'xPT747SYNE', 'oXS7q3jw8L', 'nIn7vMAo9G', 'Sh57Gb7Sb2', 'BBb7yyDPUH', 'hhW7b0TjhL'
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, N3T8DHrjCmYqgMUW4O.csHigh entropy of concatenated method names: 'q5tyZfeOSD', 'XsyyjAd5dD', 'wwtymHDMM2', 'OxwyLAe9ws', 'gdSyCByR8y', 'EDbykDU3fd', 'mLiyX8Mqd2', 'KNqylfwbLW', 'IV6yV09KZh', 'gmbyA4atmX'
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, f7m384eeGCqVBpj5lA.csHigh entropy of concatenated method names: 'fk6y4EpQfw', 'LYnyvjBskF', 'k77yykebjF', 'xxvyB2Y69t', 'rSkyKayjPE', 'itoyatuEOF', 'Dispose', 'XPpGOnhHWW', 'CyNGfvfN1L', 'yjkG7hbrAh'
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, RfgPwSdd1MWdali3rRU.csHigh entropy of concatenated method names: 'B6Wb2NhO6C', 'PfUbzS1v3J', 'SgeBh8590X', 'W7YBdd7YL8', 'HVoBx09gP6', 'Kj2B0k3L1l', 'G6tBnRFA97', 'kH3BDeaRiF', 'yBcBOhEisp', 'L9DBfTgcSV'
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, fV76d7ZZGh3cuDbHoS.csHigh entropy of concatenated method names: 'vk5TDb7lD3', 'yXjTfiMsYq', 'UsZTtD9p90', 'cpaTRxNxuy', 'YLrT9KJ5Jf', 'rqPtiT7VHi', 'QsCtg7S8PC', 'rA5teFeDKd', 'HCLtFqYxnw', 'JDUtr4bdeu'
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, YYlkFKJWJn4JP87tI1.csHigh entropy of concatenated method names: 'vDAfU4gNVF', 'gZMfo9FW74', 'kBtfwbikbl', 'k9KfsHHygi', 'yrTfiokvV6', 'pygfg4iIEr', 'nPAfeTgFyU', 'TIifFT5SZU', 'qPofrvOiYc', 'fDpf2Yig4r'
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, qATmLtwtjg1EjEgJmg.csHigh entropy of concatenated method names: 'ToString', 'teYq6h267R', 'EZuqjXipaI', 'RlpqmX5ADD', 'rbBqLsZWo6', 'QnKqCX0M0u', 'gKTqkQST6A', 'D2gqXTKQfp', 'm1sqlWB3sW', 'lG7qVjASVO'
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, JnyC2OUtfw1oTGPHap.csHigh entropy of concatenated method names: 'ko44A6xR0V', 'UdM4H80Atx', 'i6H4Ub1G41', 'uGe4oTx8qI', 'nEY4jNGjuA', 'BpO4mLiKT5', 'uSK4Lk8c8p', 'f6Z4CHbHTQ', 'GF44kGx5SD', 'AMb4X7VPgA'
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, xRu2It2AyrBxUPDAp3.csHigh entropy of concatenated method names: 'x94b7BAGLo', 'vESbtQPHLp', 'B9qbTxDmv0', 'd54bRvjCir', 'wmPbyhBpm0', 'UqUb9tsTfK', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, AWFyS8970v10CSyB3k.csHigh entropy of concatenated method names: 'M8q0DxcrDH', 'U450OF4RLl', 'KVS0fUH59f', 'wD307ywFBu', 'NNU0tBcScM', 'b3J0ThnA8n', 'CRg0RL8EJd', 'jUT09bJfIc', 'qXV0Nbc94g', 'XYT0PWiJIa'
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, p6dOn2d0cN5YrhkrAfv.csHigh entropy of concatenated method names: 'lVvB2X9Uta', 'ejSBz9tjnb', 'AFPMhMSPbw', 'Pgl1BmwN5TIC3jxyl7N', 'e2DUQqwzHUMaKdgfqwm', 'iYY6XcrQ8AOd3QfNpT7', 'pt5ytErWaZcXrJKQgxV'
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, x5mnWfWw6ZUVJVq8Ji.csHigh entropy of concatenated method names: 'AqLt1rnsfc', 'h6PtIblnoo', 'cXG7mZEnrA', 'IHY7LjW9xG', 'RYQ7CqgWnH', 'lkD7kLQ4FG', 'uFw7X4uRjv', 'cue7lBBfET', 'jxX7V2Zruw', 'mPV7Ab2njq'
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, iJUUZJkV1UEsHyCA3Y.csHigh entropy of concatenated method names: 'WpxTwcwxq9', 'PtRTsumuvn', 'ExqTiwLah8', 'ToString', 'lNOTgfIuEp', 'vCGTeYqsZf', 'GZP58OC9G2F7F1Q4Nic', 'paShjdCUdnUIBXMouaa', 'f0vAhTCH9USjN3RYwfv', 'NFTyQNCgiXf0TkP46Ay'
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, SDFiXnjihpUBjSp4Ix.csHigh entropy of concatenated method names: 'SAgCXWCGo16pJPRwlju', 'tvLyRpCdFWskUQmxpqV', 'D5VXcDCePNSRTRahhEo', 'n4nTGktoaA', 'NNPTyxImjl', 'pShTbYvROT', 'dIiHVbCbci4tThXBxwE', 'SutZQ0CTxOsxOMA7925'
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, edn4wWnXeMFepAl52w.csHigh entropy of concatenated method names: 'uX2dRYlkFK', 'FJnd94JP87', 'KtWdPA1MWr', 'YKedQ2u5mn', 'Mq8d4JiOV7', 'Od7dqZGh3c', 'cWK8foSHtQkbZameLf', 'r21OLOxcrOeJOLbn5T', 'IHlddti9GG', 'm5Ad01Ytjn'
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, cDaGqkfd68bBgUXqVf.csHigh entropy of concatenated method names: 'Dispose', 'JqVdrBpj5l', 'TWaxj1UfgU', 'BGypeZtWsE', 'Ndpd2MBCef', 'e8cdzQ09wh', 'ProcessDialogKey', 'NQAxh3T8DH', 'HCmxdYqgMU', 'F4OxxaRu2I'
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, nESAVCxrK3yxM139fB.csHigh entropy of concatenated method names: 'h9uEqm7xQ', 'gifSq8aHO', 'dH18bvrQG', 'MLeI8Zudo', 'Bs0cvyefQ', 'SarWUEvlm', 'HStFyBBb3rwg1C2SCB', 'NLc5EucdhDessDaWgC', 'CBGGSeESw', 'Xq0bky2V3'
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, alTc1RpyRdUqiWABQv.csHigh entropy of concatenated method names: 'uXOYJsFSaL', 'VfFYcOUiN3', 'SOmYZcCI05', 'Uq7Yj3aCQQ', 'lUhYLEHVDp', 'DnlYCwhsph', 'mM3YXjOaqU', 'M1QYlsrtSb', 'yeeYAhMla4', 'VPmY6P5vP5'
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, YEmU1ogGP0so4R9hbN.csHigh entropy of concatenated method names: 'JWVvFn15o5', 'DPnv2bO6im', 'IUJGhgd5vX', 'Iq4GdknWt1', 'h9Ov6Ord4L', 'a4svHv5YXZ', 'UVGvpHmGCH', 'vHEvUqiIpl', 'Jc2voATorh', 'RRVvwKABRa'
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, BPsReqVOEmmwOhSy7t.csHigh entropy of concatenated method names: 'dM9RuBZQyF', 'wpeR3Y00dN', 'K1KREDeAxG', 'NulRSrZTZa', 'VC0R1MiGBR', 'iITR8oBMHj', 'mpWRIv0pAw', 'LgHRJ5BLR6', 'MHYRcA0Ohs', 'CJ2RWPfiMr'
                Source: 0.2.PO#98540-00.exe.489d5a8.0.raw.unpack, zE3yxvdnMOS3CkpJeEE.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'D4PMy5OATN', 'BulMbMKkns', 'GSbMBgbbk1', 'CyKMM47Lpj', 'AnTMKdPOVc', 'VUpM5nZNOK', 'eL4Mam6qKv'
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, PaEdvYzEHmpfEGptSm.csHigh entropy of concatenated method names: 'tkgb8McJid', 'qSsbJiWsuC', 'Mrgbc7NpJO', 'sr6bZFga5C', 'dNbbjDmghI', 't1VbLDghaZ', 'jRbbCZX1H8', 'ucpbaBs5mB', 'hpCbuAC6KJ', 'xkxb3OZp2r'
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, Mo9uokctWA1MWr2Ke2.csHigh entropy of concatenated method names: 'YLc7SF4AZ6', 'DX078qyDQy', 'S5Y7J9w9X0', 'ib47cJoMoo', 'xPT747SYNE', 'oXS7q3jw8L', 'nIn7vMAo9G', 'Sh57Gb7Sb2', 'BBb7yyDPUH', 'hhW7b0TjhL'
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, N3T8DHrjCmYqgMUW4O.csHigh entropy of concatenated method names: 'q5tyZfeOSD', 'XsyyjAd5dD', 'wwtymHDMM2', 'OxwyLAe9ws', 'gdSyCByR8y', 'EDbykDU3fd', 'mLiyX8Mqd2', 'KNqylfwbLW', 'IV6yV09KZh', 'gmbyA4atmX'
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, f7m384eeGCqVBpj5lA.csHigh entropy of concatenated method names: 'fk6y4EpQfw', 'LYnyvjBskF', 'k77yykebjF', 'xxvyB2Y69t', 'rSkyKayjPE', 'itoyatuEOF', 'Dispose', 'XPpGOnhHWW', 'CyNGfvfN1L', 'yjkG7hbrAh'
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, RfgPwSdd1MWdali3rRU.csHigh entropy of concatenated method names: 'B6Wb2NhO6C', 'PfUbzS1v3J', 'SgeBh8590X', 'W7YBdd7YL8', 'HVoBx09gP6', 'Kj2B0k3L1l', 'G6tBnRFA97', 'kH3BDeaRiF', 'yBcBOhEisp', 'L9DBfTgcSV'
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, fV76d7ZZGh3cuDbHoS.csHigh entropy of concatenated method names: 'vk5TDb7lD3', 'yXjTfiMsYq', 'UsZTtD9p90', 'cpaTRxNxuy', 'YLrT9KJ5Jf', 'rqPtiT7VHi', 'QsCtg7S8PC', 'rA5teFeDKd', 'HCLtFqYxnw', 'JDUtr4bdeu'
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, YYlkFKJWJn4JP87tI1.csHigh entropy of concatenated method names: 'vDAfU4gNVF', 'gZMfo9FW74', 'kBtfwbikbl', 'k9KfsHHygi', 'yrTfiokvV6', 'pygfg4iIEr', 'nPAfeTgFyU', 'TIifFT5SZU', 'qPofrvOiYc', 'fDpf2Yig4r'
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, qATmLtwtjg1EjEgJmg.csHigh entropy of concatenated method names: 'ToString', 'teYq6h267R', 'EZuqjXipaI', 'RlpqmX5ADD', 'rbBqLsZWo6', 'QnKqCX0M0u', 'gKTqkQST6A', 'D2gqXTKQfp', 'm1sqlWB3sW', 'lG7qVjASVO'
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, JnyC2OUtfw1oTGPHap.csHigh entropy of concatenated method names: 'ko44A6xR0V', 'UdM4H80Atx', 'i6H4Ub1G41', 'uGe4oTx8qI', 'nEY4jNGjuA', 'BpO4mLiKT5', 'uSK4Lk8c8p', 'f6Z4CHbHTQ', 'GF44kGx5SD', 'AMb4X7VPgA'
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, xRu2It2AyrBxUPDAp3.csHigh entropy of concatenated method names: 'x94b7BAGLo', 'vESbtQPHLp', 'B9qbTxDmv0', 'd54bRvjCir', 'wmPbyhBpm0', 'UqUb9tsTfK', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, AWFyS8970v10CSyB3k.csHigh entropy of concatenated method names: 'M8q0DxcrDH', 'U450OF4RLl', 'KVS0fUH59f', 'wD307ywFBu', 'NNU0tBcScM', 'b3J0ThnA8n', 'CRg0RL8EJd', 'jUT09bJfIc', 'qXV0Nbc94g', 'XYT0PWiJIa'
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, p6dOn2d0cN5YrhkrAfv.csHigh entropy of concatenated method names: 'lVvB2X9Uta', 'ejSBz9tjnb', 'AFPMhMSPbw', 'Pgl1BmwN5TIC3jxyl7N', 'e2DUQqwzHUMaKdgfqwm', 'iYY6XcrQ8AOd3QfNpT7', 'pt5ytErWaZcXrJKQgxV'
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, x5mnWfWw6ZUVJVq8Ji.csHigh entropy of concatenated method names: 'AqLt1rnsfc', 'h6PtIblnoo', 'cXG7mZEnrA', 'IHY7LjW9xG', 'RYQ7CqgWnH', 'lkD7kLQ4FG', 'uFw7X4uRjv', 'cue7lBBfET', 'jxX7V2Zruw', 'mPV7Ab2njq'
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, iJUUZJkV1UEsHyCA3Y.csHigh entropy of concatenated method names: 'WpxTwcwxq9', 'PtRTsumuvn', 'ExqTiwLah8', 'ToString', 'lNOTgfIuEp', 'vCGTeYqsZf', 'GZP58OC9G2F7F1Q4Nic', 'paShjdCUdnUIBXMouaa', 'f0vAhTCH9USjN3RYwfv', 'NFTyQNCgiXf0TkP46Ay'
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, SDFiXnjihpUBjSp4Ix.csHigh entropy of concatenated method names: 'SAgCXWCGo16pJPRwlju', 'tvLyRpCdFWskUQmxpqV', 'D5VXcDCePNSRTRahhEo', 'n4nTGktoaA', 'NNPTyxImjl', 'pShTbYvROT', 'dIiHVbCbci4tThXBxwE', 'SutZQ0CTxOsxOMA7925'
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, edn4wWnXeMFepAl52w.csHigh entropy of concatenated method names: 'uX2dRYlkFK', 'FJnd94JP87', 'KtWdPA1MWr', 'YKedQ2u5mn', 'Mq8d4JiOV7', 'Od7dqZGh3c', 'cWK8foSHtQkbZameLf', 'r21OLOxcrOeJOLbn5T', 'IHlddti9GG', 'm5Ad01Ytjn'
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, cDaGqkfd68bBgUXqVf.csHigh entropy of concatenated method names: 'Dispose', 'JqVdrBpj5l', 'TWaxj1UfgU', 'BGypeZtWsE', 'Ndpd2MBCef', 'e8cdzQ09wh', 'ProcessDialogKey', 'NQAxh3T8DH', 'HCmxdYqgMU', 'F4OxxaRu2I'
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, nESAVCxrK3yxM139fB.csHigh entropy of concatenated method names: 'h9uEqm7xQ', 'gifSq8aHO', 'dH18bvrQG', 'MLeI8Zudo', 'Bs0cvyefQ', 'SarWUEvlm', 'HStFyBBb3rwg1C2SCB', 'NLc5EucdhDessDaWgC', 'CBGGSeESw', 'Xq0bky2V3'
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, alTc1RpyRdUqiWABQv.csHigh entropy of concatenated method names: 'uXOYJsFSaL', 'VfFYcOUiN3', 'SOmYZcCI05', 'Uq7Yj3aCQQ', 'lUhYLEHVDp', 'DnlYCwhsph', 'mM3YXjOaqU', 'M1QYlsrtSb', 'yeeYAhMla4', 'VPmY6P5vP5'
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, YEmU1ogGP0so4R9hbN.csHigh entropy of concatenated method names: 'JWVvFn15o5', 'DPnv2bO6im', 'IUJGhgd5vX', 'Iq4GdknWt1', 'h9Ov6Ord4L', 'a4svHv5YXZ', 'UVGvpHmGCH', 'vHEvUqiIpl', 'Jc2voATorh', 'RRVvwKABRa'
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, BPsReqVOEmmwOhSy7t.csHigh entropy of concatenated method names: 'dM9RuBZQyF', 'wpeR3Y00dN', 'K1KREDeAxG', 'NulRSrZTZa', 'VC0R1MiGBR', 'iITR8oBMHj', 'mpWRIv0pAw', 'LgHRJ5BLR6', 'MHYRcA0Ohs', 'CJ2RWPfiMr'
                Source: 0.2.PO#98540-00.exe.b510000.6.raw.unpack, zE3yxvdnMOS3CkpJeEE.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'D4PMy5OATN', 'BulMbMKkns', 'GSbMBgbbk1', 'CyKMM47Lpj', 'AnTMKdPOVc', 'VUpM5nZNOK', 'eL4Mam6qKv'
                Source: C:\Users\user\Desktop\PO#98540-00.exeFile created: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeJump to dropped file

                Boot Survival

                barindex
                Uses schtasks.exe or at.exe to add and modify task schedules
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgSwAbBKbQrN" /XML "C:\Users\user\AppData\Local\Temp\tmp8537.tmp"

                Hooking and other Techniques for Hiding and Protection

                barindex
                Loading BitLocker PowerShell Module
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
                Yara detected AntiVM3
                Source: Yara matchFile source: Process Memory Space: PO#98540-00.exe PID: 7092, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: ZgSwAbBKbQrN.exe PID: 7348, type: MEMORYSTR
                Switches to a custom stack to bypass stack traces
                Source: C:\Windows\SysWOW64\taskkill.exeAPI/Special instruction interceptor: Address: 7FF8C88ED324
                Source: C:\Windows\SysWOW64\taskkill.exeAPI/Special instruction interceptor: Address: 7FF8C88ED944
                Source: C:\Windows\SysWOW64\taskkill.exeAPI/Special instruction interceptor: Address: 7FF8C88ED504
                Source: C:\Windows\SysWOW64\taskkill.exeAPI/Special instruction interceptor: Address: 7FF8C88ED544
                Source: C:\Windows\SysWOW64\taskkill.exeAPI/Special instruction interceptor: Address: 7FF8C88ED1E4
                Source: C:\Windows\SysWOW64\taskkill.exeAPI/Special instruction interceptor: Address: 7FF8C88F0154
                Source: C:\Windows\SysWOW64\taskkill.exeAPI/Special instruction interceptor: Address: 7FF8C88EDA44
                Source: C:\Users\user\Desktop\PO#98540-00.exeMemory allocated: 12B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeMemory allocated: 2D60000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeMemory allocated: 1330000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeMemory allocated: 8F30000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeMemory allocated: 7060000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeMemory allocated: 9F30000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeMemory allocated: AF30000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeMemory allocated: B5A0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeMemory allocated: C5A0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeMemory allocated: D5A0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeMemory allocated: DA0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeMemory allocated: 27F0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeMemory allocated: 47F0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeMemory allocated: 83D0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeMemory allocated: 93D0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeMemory allocated: 95C0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeMemory allocated: A5C0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeMemory allocated: AC80000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeMemory allocated: BC80000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00416653 rdtsc 9_2_00416653
                Source: C:\Users\user\Desktop\PO#98540-00.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4189Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3435Jump to behavior
                Source: C:\Windows\SysWOW64\taskkill.exeWindow / User API: threadDelayed 9674
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeAPI coverage: 0.7 %
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeAPI coverage: 0.2 %
                Source: C:\Windows\SysWOW64\taskkill.exeAPI coverage: 2.4 %
                Source: C:\Users\user\Desktop\PO#98540-00.exe TID: 6508Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7344Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7304Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7356Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7332Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exe TID: 7512Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\taskkill.exe TID: 8036Thread sleep count: 298 > 30
                Source: C:\Windows\SysWOW64\taskkill.exe TID: 8036Thread sleep time: -596000s >= -30000s
                Source: C:\Windows\SysWOW64\taskkill.exe TID: 8036Thread sleep count: 9674 > 30
                Source: C:\Windows\SysWOW64\taskkill.exe TID: 8036Thread sleep time: -19348000s >= -30000s
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exe TID: 8060Thread sleep time: -75000s >= -30000s
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exe TID: 8060Thread sleep count: 37 > 30
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exe TID: 8060Thread sleep time: -55500s >= -30000s
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exe TID: 8060Thread sleep count: 36 > 30
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exe TID: 8060Thread sleep time: -36000s >= -30000s
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\taskkill.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\taskkill.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\taskkill.exeCode function: 17_2_0297CB30 FindFirstFileW,FindNextFileW,FindClose,17_2_0297CB30
                Source: C:\Users\user\Desktop\PO#98540-00.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeFile opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULLJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULLJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULLJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\AcrobatJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbxJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\AdobeJump to behavior
                Source: 21OG57P.17.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: 21OG57P.17.drBinary or memory string: discord.comVMware20,11696428655f
                Source: 21OG57P.17.drBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: 21OG57P.17.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: 21OG57P.17.drBinary or memory string: global block list test formVMware20,11696428655
                Source: 21OG57P.17.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: 21OG57P.17.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: 21OG57P.17.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: 21OG57P.17.drBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: 21OG57P.17.drBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: 21OG57P.17.drBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: 21OG57P.17.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: 21OG57P.17.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: 21OG57P.17.drBinary or memory string: outlook.office365.comVMware20,11696428655t
                Source: 21OG57P.17.drBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: 21OG57P.17.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: 21OG57P.17.drBinary or memory string: outlook.office.comVMware20,11696428655s
                Source: 21OG57P.17.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: 21OG57P.17.drBinary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: 21OG57P.17.drBinary or memory string: AMC password management pageVMware20,11696428655
                Source: 21OG57P.17.drBinary or memory string: tasks.office.comVMware20,11696428655o
                Source: 21OG57P.17.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: 21OG57P.17.drBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: 21OG57P.17.drBinary or memory string: interactivebrokers.comVMware20,11696428655
                Source: 21OG57P.17.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: 21OG57P.17.drBinary or memory string: dev.azure.comVMware20,11696428655j
                Source: 21OG57P.17.drBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: vuSbvvxE2e.exe, 00000013.00000002.4527066622.0000000000529000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
                Source: taskkill.exe, 00000011.00000002.4526680764.0000000002DFD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
                Source: 21OG57P.17.drBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: firefox.exe, 00000014.00000002.2807421998.00000196BBA1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllOO1
                Source: 21OG57P.17.drBinary or memory string: bankofamerica.comVMware20,11696428655x
                Source: 21OG57P.17.drBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: 21OG57P.17.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\SysWOW64\taskkill.exeProcess queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00416653 rdtsc 9_2_00416653
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00417EF3 LdrLoadDll,9_2_00417EF3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F0124 mov eax, dword ptr fs:[00000030h]9_2_012F0124
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01380115 mov eax, dword ptr fs:[00000030h]9_2_01380115
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136A118 mov ecx, dword ptr fs:[00000030h]9_2_0136A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136A118 mov eax, dword ptr fs:[00000030h]9_2_0136A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136A118 mov eax, dword ptr fs:[00000030h]9_2_0136A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136A118 mov eax, dword ptr fs:[00000030h]9_2_0136A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136E10E mov eax, dword ptr fs:[00000030h]9_2_0136E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136E10E mov ecx, dword ptr fs:[00000030h]9_2_0136E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136E10E mov eax, dword ptr fs:[00000030h]9_2_0136E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136E10E mov eax, dword ptr fs:[00000030h]9_2_0136E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136E10E mov ecx, dword ptr fs:[00000030h]9_2_0136E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136E10E mov eax, dword ptr fs:[00000030h]9_2_0136E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136E10E mov eax, dword ptr fs:[00000030h]9_2_0136E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136E10E mov ecx, dword ptr fs:[00000030h]9_2_0136E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136E10E mov eax, dword ptr fs:[00000030h]9_2_0136E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136E10E mov ecx, dword ptr fs:[00000030h]9_2_0136E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01394164 mov eax, dword ptr fs:[00000030h]9_2_01394164
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01394164 mov eax, dword ptr fs:[00000030h]9_2_01394164
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01358158 mov eax, dword ptr fs:[00000030h]9_2_01358158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01354144 mov eax, dword ptr fs:[00000030h]9_2_01354144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01354144 mov eax, dword ptr fs:[00000030h]9_2_01354144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01354144 mov ecx, dword ptr fs:[00000030h]9_2_01354144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01354144 mov eax, dword ptr fs:[00000030h]9_2_01354144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01354144 mov eax, dword ptr fs:[00000030h]9_2_01354144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C6154 mov eax, dword ptr fs:[00000030h]9_2_012C6154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C6154 mov eax, dword ptr fs:[00000030h]9_2_012C6154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012BC156 mov eax, dword ptr fs:[00000030h]9_2_012BC156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0134019F mov eax, dword ptr fs:[00000030h]9_2_0134019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0134019F mov eax, dword ptr fs:[00000030h]9_2_0134019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0134019F mov eax, dword ptr fs:[00000030h]9_2_0134019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0134019F mov eax, dword ptr fs:[00000030h]9_2_0134019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01300185 mov eax, dword ptr fs:[00000030h]9_2_01300185
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01364180 mov eax, dword ptr fs:[00000030h]9_2_01364180
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01364180 mov eax, dword ptr fs:[00000030h]9_2_01364180
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012BA197 mov eax, dword ptr fs:[00000030h]9_2_012BA197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012BA197 mov eax, dword ptr fs:[00000030h]9_2_012BA197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012BA197 mov eax, dword ptr fs:[00000030h]9_2_012BA197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0137C188 mov eax, dword ptr fs:[00000030h]9_2_0137C188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0137C188 mov eax, dword ptr fs:[00000030h]9_2_0137C188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F01F8 mov eax, dword ptr fs:[00000030h]9_2_012F01F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013961E5 mov eax, dword ptr fs:[00000030h]9_2_013961E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0133E1D0 mov eax, dword ptr fs:[00000030h]9_2_0133E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0133E1D0 mov eax, dword ptr fs:[00000030h]9_2_0133E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0133E1D0 mov ecx, dword ptr fs:[00000030h]9_2_0133E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0133E1D0 mov eax, dword ptr fs:[00000030h]9_2_0133E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0133E1D0 mov eax, dword ptr fs:[00000030h]9_2_0133E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013861C3 mov eax, dword ptr fs:[00000030h]9_2_013861C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013861C3 mov eax, dword ptr fs:[00000030h]9_2_013861C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01356030 mov eax, dword ptr fs:[00000030h]9_2_01356030
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012BA020 mov eax, dword ptr fs:[00000030h]9_2_012BA020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012BC020 mov eax, dword ptr fs:[00000030h]9_2_012BC020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01344000 mov ecx, dword ptr fs:[00000030h]9_2_01344000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01362000 mov eax, dword ptr fs:[00000030h]9_2_01362000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01362000 mov eax, dword ptr fs:[00000030h]9_2_01362000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01362000 mov eax, dword ptr fs:[00000030h]9_2_01362000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01362000 mov eax, dword ptr fs:[00000030h]9_2_01362000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01362000 mov eax, dword ptr fs:[00000030h]9_2_01362000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01362000 mov eax, dword ptr fs:[00000030h]9_2_01362000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01362000 mov eax, dword ptr fs:[00000030h]9_2_01362000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01362000 mov eax, dword ptr fs:[00000030h]9_2_01362000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012DE016 mov eax, dword ptr fs:[00000030h]9_2_012DE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012DE016 mov eax, dword ptr fs:[00000030h]9_2_012DE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012DE016 mov eax, dword ptr fs:[00000030h]9_2_012DE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012DE016 mov eax, dword ptr fs:[00000030h]9_2_012DE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EC073 mov eax, dword ptr fs:[00000030h]9_2_012EC073
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01346050 mov eax, dword ptr fs:[00000030h]9_2_01346050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C2050 mov eax, dword ptr fs:[00000030h]9_2_012C2050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013860B8 mov eax, dword ptr fs:[00000030h]9_2_013860B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013860B8 mov ecx, dword ptr fs:[00000030h]9_2_013860B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012B80A0 mov eax, dword ptr fs:[00000030h]9_2_012B80A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013580A8 mov eax, dword ptr fs:[00000030h]9_2_013580A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C208A mov eax, dword ptr fs:[00000030h]9_2_012C208A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013020F0 mov ecx, dword ptr fs:[00000030h]9_2_013020F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C80E9 mov eax, dword ptr fs:[00000030h]9_2_012C80E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012BA0E3 mov ecx, dword ptr fs:[00000030h]9_2_012BA0E3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013460E0 mov eax, dword ptr fs:[00000030h]9_2_013460E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012BC0F0 mov eax, dword ptr fs:[00000030h]9_2_012BC0F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013420DE mov eax, dword ptr fs:[00000030h]9_2_013420DE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01398324 mov eax, dword ptr fs:[00000030h]9_2_01398324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01398324 mov ecx, dword ptr fs:[00000030h]9_2_01398324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01398324 mov eax, dword ptr fs:[00000030h]9_2_01398324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01398324 mov eax, dword ptr fs:[00000030h]9_2_01398324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FA30B mov eax, dword ptr fs:[00000030h]9_2_012FA30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FA30B mov eax, dword ptr fs:[00000030h]9_2_012FA30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FA30B mov eax, dword ptr fs:[00000030h]9_2_012FA30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012BC310 mov ecx, dword ptr fs:[00000030h]9_2_012BC310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E0310 mov ecx, dword ptr fs:[00000030h]9_2_012E0310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136437C mov eax, dword ptr fs:[00000030h]9_2_0136437C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01368350 mov ecx, dword ptr fs:[00000030h]9_2_01368350
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0134035C mov eax, dword ptr fs:[00000030h]9_2_0134035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0134035C mov eax, dword ptr fs:[00000030h]9_2_0134035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0134035C mov eax, dword ptr fs:[00000030h]9_2_0134035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0134035C mov ecx, dword ptr fs:[00000030h]9_2_0134035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0134035C mov eax, dword ptr fs:[00000030h]9_2_0134035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0134035C mov eax, dword ptr fs:[00000030h]9_2_0134035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0138A352 mov eax, dword ptr fs:[00000030h]9_2_0138A352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0139634F mov eax, dword ptr fs:[00000030h]9_2_0139634F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01342349 mov eax, dword ptr fs:[00000030h]9_2_01342349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01342349 mov eax, dword ptr fs:[00000030h]9_2_01342349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01342349 mov eax, dword ptr fs:[00000030h]9_2_01342349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01342349 mov eax, dword ptr fs:[00000030h]9_2_01342349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01342349 mov eax, dword ptr fs:[00000030h]9_2_01342349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01342349 mov eax, dword ptr fs:[00000030h]9_2_01342349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01342349 mov eax, dword ptr fs:[00000030h]9_2_01342349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01342349 mov eax, dword ptr fs:[00000030h]9_2_01342349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01342349 mov eax, dword ptr fs:[00000030h]9_2_01342349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01342349 mov eax, dword ptr fs:[00000030h]9_2_01342349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01342349 mov eax, dword ptr fs:[00000030h]9_2_01342349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01342349 mov eax, dword ptr fs:[00000030h]9_2_01342349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01342349 mov eax, dword ptr fs:[00000030h]9_2_01342349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01342349 mov eax, dword ptr fs:[00000030h]9_2_01342349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01342349 mov eax, dword ptr fs:[00000030h]9_2_01342349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E438F mov eax, dword ptr fs:[00000030h]9_2_012E438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E438F mov eax, dword ptr fs:[00000030h]9_2_012E438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012BE388 mov eax, dword ptr fs:[00000030h]9_2_012BE388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012BE388 mov eax, dword ptr fs:[00000030h]9_2_012BE388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012BE388 mov eax, dword ptr fs:[00000030h]9_2_012BE388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012B8397 mov eax, dword ptr fs:[00000030h]9_2_012B8397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012B8397 mov eax, dword ptr fs:[00000030h]9_2_012B8397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012B8397 mov eax, dword ptr fs:[00000030h]9_2_012B8397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D03E9 mov eax, dword ptr fs:[00000030h]9_2_012D03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D03E9 mov eax, dword ptr fs:[00000030h]9_2_012D03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D03E9 mov eax, dword ptr fs:[00000030h]9_2_012D03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D03E9 mov eax, dword ptr fs:[00000030h]9_2_012D03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D03E9 mov eax, dword ptr fs:[00000030h]9_2_012D03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D03E9 mov eax, dword ptr fs:[00000030h]9_2_012D03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D03E9 mov eax, dword ptr fs:[00000030h]9_2_012D03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D03E9 mov eax, dword ptr fs:[00000030h]9_2_012D03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F63FF mov eax, dword ptr fs:[00000030h]9_2_012F63FF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012DE3F0 mov eax, dword ptr fs:[00000030h]9_2_012DE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012DE3F0 mov eax, dword ptr fs:[00000030h]9_2_012DE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012DE3F0 mov eax, dword ptr fs:[00000030h]9_2_012DE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013643D4 mov eax, dword ptr fs:[00000030h]9_2_013643D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013643D4 mov eax, dword ptr fs:[00000030h]9_2_013643D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CA3C0 mov eax, dword ptr fs:[00000030h]9_2_012CA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CA3C0 mov eax, dword ptr fs:[00000030h]9_2_012CA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CA3C0 mov eax, dword ptr fs:[00000030h]9_2_012CA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CA3C0 mov eax, dword ptr fs:[00000030h]9_2_012CA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CA3C0 mov eax, dword ptr fs:[00000030h]9_2_012CA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CA3C0 mov eax, dword ptr fs:[00000030h]9_2_012CA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C83C0 mov eax, dword ptr fs:[00000030h]9_2_012C83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C83C0 mov eax, dword ptr fs:[00000030h]9_2_012C83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C83C0 mov eax, dword ptr fs:[00000030h]9_2_012C83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C83C0 mov eax, dword ptr fs:[00000030h]9_2_012C83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136E3DB mov eax, dword ptr fs:[00000030h]9_2_0136E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136E3DB mov eax, dword ptr fs:[00000030h]9_2_0136E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136E3DB mov ecx, dword ptr fs:[00000030h]9_2_0136E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136E3DB mov eax, dword ptr fs:[00000030h]9_2_0136E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013463C0 mov eax, dword ptr fs:[00000030h]9_2_013463C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0137C3CD mov eax, dword ptr fs:[00000030h]9_2_0137C3CD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012B823B mov eax, dword ptr fs:[00000030h]9_2_012B823B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012B826B mov eax, dword ptr fs:[00000030h]9_2_012B826B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01370274 mov eax, dword ptr fs:[00000030h]9_2_01370274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01370274 mov eax, dword ptr fs:[00000030h]9_2_01370274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01370274 mov eax, dword ptr fs:[00000030h]9_2_01370274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01370274 mov eax, dword ptr fs:[00000030h]9_2_01370274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01370274 mov eax, dword ptr fs:[00000030h]9_2_01370274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01370274 mov eax, dword ptr fs:[00000030h]9_2_01370274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01370274 mov eax, dword ptr fs:[00000030h]9_2_01370274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01370274 mov eax, dword ptr fs:[00000030h]9_2_01370274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01370274 mov eax, dword ptr fs:[00000030h]9_2_01370274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01370274 mov eax, dword ptr fs:[00000030h]9_2_01370274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01370274 mov eax, dword ptr fs:[00000030h]9_2_01370274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01370274 mov eax, dword ptr fs:[00000030h]9_2_01370274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C4260 mov eax, dword ptr fs:[00000030h]9_2_012C4260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C4260 mov eax, dword ptr fs:[00000030h]9_2_012C4260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C4260 mov eax, dword ptr fs:[00000030h]9_2_012C4260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0139625D mov eax, dword ptr fs:[00000030h]9_2_0139625D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0137A250 mov eax, dword ptr fs:[00000030h]9_2_0137A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0137A250 mov eax, dword ptr fs:[00000030h]9_2_0137A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C6259 mov eax, dword ptr fs:[00000030h]9_2_012C6259
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01348243 mov eax, dword ptr fs:[00000030h]9_2_01348243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01348243 mov ecx, dword ptr fs:[00000030h]9_2_01348243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012BA250 mov eax, dword ptr fs:[00000030h]9_2_012BA250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D02A0 mov eax, dword ptr fs:[00000030h]9_2_012D02A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D02A0 mov eax, dword ptr fs:[00000030h]9_2_012D02A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013562A0 mov eax, dword ptr fs:[00000030h]9_2_013562A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013562A0 mov ecx, dword ptr fs:[00000030h]9_2_013562A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013562A0 mov eax, dword ptr fs:[00000030h]9_2_013562A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013562A0 mov eax, dword ptr fs:[00000030h]9_2_013562A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013562A0 mov eax, dword ptr fs:[00000030h]9_2_013562A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013562A0 mov eax, dword ptr fs:[00000030h]9_2_013562A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FE284 mov eax, dword ptr fs:[00000030h]9_2_012FE284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FE284 mov eax, dword ptr fs:[00000030h]9_2_012FE284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01340283 mov eax, dword ptr fs:[00000030h]9_2_01340283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01340283 mov eax, dword ptr fs:[00000030h]9_2_01340283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01340283 mov eax, dword ptr fs:[00000030h]9_2_01340283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D02E1 mov eax, dword ptr fs:[00000030h]9_2_012D02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D02E1 mov eax, dword ptr fs:[00000030h]9_2_012D02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D02E1 mov eax, dword ptr fs:[00000030h]9_2_012D02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CA2C3 mov eax, dword ptr fs:[00000030h]9_2_012CA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CA2C3 mov eax, dword ptr fs:[00000030h]9_2_012CA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CA2C3 mov eax, dword ptr fs:[00000030h]9_2_012CA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CA2C3 mov eax, dword ptr fs:[00000030h]9_2_012CA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CA2C3 mov eax, dword ptr fs:[00000030h]9_2_012CA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013962D6 mov eax, dword ptr fs:[00000030h]9_2_013962D6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EE53E mov eax, dword ptr fs:[00000030h]9_2_012EE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EE53E mov eax, dword ptr fs:[00000030h]9_2_012EE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EE53E mov eax, dword ptr fs:[00000030h]9_2_012EE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EE53E mov eax, dword ptr fs:[00000030h]9_2_012EE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EE53E mov eax, dword ptr fs:[00000030h]9_2_012EE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D0535 mov eax, dword ptr fs:[00000030h]9_2_012D0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D0535 mov eax, dword ptr fs:[00000030h]9_2_012D0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D0535 mov eax, dword ptr fs:[00000030h]9_2_012D0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D0535 mov eax, dword ptr fs:[00000030h]9_2_012D0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D0535 mov eax, dword ptr fs:[00000030h]9_2_012D0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D0535 mov eax, dword ptr fs:[00000030h]9_2_012D0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01356500 mov eax, dword ptr fs:[00000030h]9_2_01356500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01394500 mov eax, dword ptr fs:[00000030h]9_2_01394500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01394500 mov eax, dword ptr fs:[00000030h]9_2_01394500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01394500 mov eax, dword ptr fs:[00000030h]9_2_01394500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01394500 mov eax, dword ptr fs:[00000030h]9_2_01394500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01394500 mov eax, dword ptr fs:[00000030h]9_2_01394500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01394500 mov eax, dword ptr fs:[00000030h]9_2_01394500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01394500 mov eax, dword ptr fs:[00000030h]9_2_01394500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F656A mov eax, dword ptr fs:[00000030h]9_2_012F656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F656A mov eax, dword ptr fs:[00000030h]9_2_012F656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F656A mov eax, dword ptr fs:[00000030h]9_2_012F656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C8550 mov eax, dword ptr fs:[00000030h]9_2_012C8550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C8550 mov eax, dword ptr fs:[00000030h]9_2_012C8550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013405A7 mov eax, dword ptr fs:[00000030h]9_2_013405A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013405A7 mov eax, dword ptr fs:[00000030h]9_2_013405A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013405A7 mov eax, dword ptr fs:[00000030h]9_2_013405A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E45B1 mov eax, dword ptr fs:[00000030h]9_2_012E45B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E45B1 mov eax, dword ptr fs:[00000030h]9_2_012E45B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F4588 mov eax, dword ptr fs:[00000030h]9_2_012F4588
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C2582 mov eax, dword ptr fs:[00000030h]9_2_012C2582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C2582 mov ecx, dword ptr fs:[00000030h]9_2_012C2582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FE59C mov eax, dword ptr fs:[00000030h]9_2_012FE59C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FC5ED mov eax, dword ptr fs:[00000030h]9_2_012FC5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FC5ED mov eax, dword ptr fs:[00000030h]9_2_012FC5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EE5E7 mov eax, dword ptr fs:[00000030h]9_2_012EE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EE5E7 mov eax, dword ptr fs:[00000030h]9_2_012EE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EE5E7 mov eax, dword ptr fs:[00000030h]9_2_012EE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EE5E7 mov eax, dword ptr fs:[00000030h]9_2_012EE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EE5E7 mov eax, dword ptr fs:[00000030h]9_2_012EE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EE5E7 mov eax, dword ptr fs:[00000030h]9_2_012EE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EE5E7 mov eax, dword ptr fs:[00000030h]9_2_012EE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EE5E7 mov eax, dword ptr fs:[00000030h]9_2_012EE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C25E0 mov eax, dword ptr fs:[00000030h]9_2_012C25E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FE5CF mov eax, dword ptr fs:[00000030h]9_2_012FE5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FE5CF mov eax, dword ptr fs:[00000030h]9_2_012FE5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C65D0 mov eax, dword ptr fs:[00000030h]9_2_012C65D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FA5D0 mov eax, dword ptr fs:[00000030h]9_2_012FA5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FA5D0 mov eax, dword ptr fs:[00000030h]9_2_012FA5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012BE420 mov eax, dword ptr fs:[00000030h]9_2_012BE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012BE420 mov eax, dword ptr fs:[00000030h]9_2_012BE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012BE420 mov eax, dword ptr fs:[00000030h]9_2_012BE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012BC427 mov eax, dword ptr fs:[00000030h]9_2_012BC427
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01346420 mov eax, dword ptr fs:[00000030h]9_2_01346420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01346420 mov eax, dword ptr fs:[00000030h]9_2_01346420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01346420 mov eax, dword ptr fs:[00000030h]9_2_01346420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01346420 mov eax, dword ptr fs:[00000030h]9_2_01346420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01346420 mov eax, dword ptr fs:[00000030h]9_2_01346420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01346420 mov eax, dword ptr fs:[00000030h]9_2_01346420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01346420 mov eax, dword ptr fs:[00000030h]9_2_01346420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FA430 mov eax, dword ptr fs:[00000030h]9_2_012FA430
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F8402 mov eax, dword ptr fs:[00000030h]9_2_012F8402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F8402 mov eax, dword ptr fs:[00000030h]9_2_012F8402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F8402 mov eax, dword ptr fs:[00000030h]9_2_012F8402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0134C460 mov ecx, dword ptr fs:[00000030h]9_2_0134C460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EA470 mov eax, dword ptr fs:[00000030h]9_2_012EA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EA470 mov eax, dword ptr fs:[00000030h]9_2_012EA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EA470 mov eax, dword ptr fs:[00000030h]9_2_012EA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0137A456 mov eax, dword ptr fs:[00000030h]9_2_0137A456
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FE443 mov eax, dword ptr fs:[00000030h]9_2_012FE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FE443 mov eax, dword ptr fs:[00000030h]9_2_012FE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FE443 mov eax, dword ptr fs:[00000030h]9_2_012FE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FE443 mov eax, dword ptr fs:[00000030h]9_2_012FE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FE443 mov eax, dword ptr fs:[00000030h]9_2_012FE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FE443 mov eax, dword ptr fs:[00000030h]9_2_012FE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FE443 mov eax, dword ptr fs:[00000030h]9_2_012FE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FE443 mov eax, dword ptr fs:[00000030h]9_2_012FE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E245A mov eax, dword ptr fs:[00000030h]9_2_012E245A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012B645D mov eax, dword ptr fs:[00000030h]9_2_012B645D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0134A4B0 mov eax, dword ptr fs:[00000030h]9_2_0134A4B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C64AB mov eax, dword ptr fs:[00000030h]9_2_012C64AB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F44B0 mov ecx, dword ptr fs:[00000030h]9_2_012F44B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0137A49A mov eax, dword ptr fs:[00000030h]9_2_0137A49A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C04E5 mov ecx, dword ptr fs:[00000030h]9_2_012C04E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0133C730 mov eax, dword ptr fs:[00000030h]9_2_0133C730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FC720 mov eax, dword ptr fs:[00000030h]9_2_012FC720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FC720 mov eax, dword ptr fs:[00000030h]9_2_012FC720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F273C mov eax, dword ptr fs:[00000030h]9_2_012F273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F273C mov ecx, dword ptr fs:[00000030h]9_2_012F273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F273C mov eax, dword ptr fs:[00000030h]9_2_012F273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FC700 mov eax, dword ptr fs:[00000030h]9_2_012FC700
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C0710 mov eax, dword ptr fs:[00000030h]9_2_012C0710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F0710 mov eax, dword ptr fs:[00000030h]9_2_012F0710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C8770 mov eax, dword ptr fs:[00000030h]9_2_012C8770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D0770 mov eax, dword ptr fs:[00000030h]9_2_012D0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D0770 mov eax, dword ptr fs:[00000030h]9_2_012D0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D0770 mov eax, dword ptr fs:[00000030h]9_2_012D0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D0770 mov eax, dword ptr fs:[00000030h]9_2_012D0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D0770 mov eax, dword ptr fs:[00000030h]9_2_012D0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D0770 mov eax, dword ptr fs:[00000030h]9_2_012D0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D0770 mov eax, dword ptr fs:[00000030h]9_2_012D0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D0770 mov eax, dword ptr fs:[00000030h]9_2_012D0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D0770 mov eax, dword ptr fs:[00000030h]9_2_012D0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D0770 mov eax, dword ptr fs:[00000030h]9_2_012D0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D0770 mov eax, dword ptr fs:[00000030h]9_2_012D0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D0770 mov eax, dword ptr fs:[00000030h]9_2_012D0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302750 mov eax, dword ptr fs:[00000030h]9_2_01302750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302750 mov eax, dword ptr fs:[00000030h]9_2_01302750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01344755 mov eax, dword ptr fs:[00000030h]9_2_01344755
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F674D mov esi, dword ptr fs:[00000030h]9_2_012F674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F674D mov eax, dword ptr fs:[00000030h]9_2_012F674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F674D mov eax, dword ptr fs:[00000030h]9_2_012F674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0134E75D mov eax, dword ptr fs:[00000030h]9_2_0134E75D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C0750 mov eax, dword ptr fs:[00000030h]9_2_012C0750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C07AF mov eax, dword ptr fs:[00000030h]9_2_012C07AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013747A0 mov eax, dword ptr fs:[00000030h]9_2_013747A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136678E mov eax, dword ptr fs:[00000030h]9_2_0136678E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E27ED mov eax, dword ptr fs:[00000030h]9_2_012E27ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E27ED mov eax, dword ptr fs:[00000030h]9_2_012E27ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E27ED mov eax, dword ptr fs:[00000030h]9_2_012E27ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0134E7E1 mov eax, dword ptr fs:[00000030h]9_2_0134E7E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C47FB mov eax, dword ptr fs:[00000030h]9_2_012C47FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C47FB mov eax, dword ptr fs:[00000030h]9_2_012C47FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CC7C0 mov eax, dword ptr fs:[00000030h]9_2_012CC7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013407C3 mov eax, dword ptr fs:[00000030h]9_2_013407C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C262C mov eax, dword ptr fs:[00000030h]9_2_012C262C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012DE627 mov eax, dword ptr fs:[00000030h]9_2_012DE627
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F6620 mov eax, dword ptr fs:[00000030h]9_2_012F6620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F8620 mov eax, dword ptr fs:[00000030h]9_2_012F8620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D260B mov eax, dword ptr fs:[00000030h]9_2_012D260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D260B mov eax, dword ptr fs:[00000030h]9_2_012D260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D260B mov eax, dword ptr fs:[00000030h]9_2_012D260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D260B mov eax, dword ptr fs:[00000030h]9_2_012D260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D260B mov eax, dword ptr fs:[00000030h]9_2_012D260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D260B mov eax, dword ptr fs:[00000030h]9_2_012D260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D260B mov eax, dword ptr fs:[00000030h]9_2_012D260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01302619 mov eax, dword ptr fs:[00000030h]9_2_01302619
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0133E609 mov eax, dword ptr fs:[00000030h]9_2_0133E609
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FA660 mov eax, dword ptr fs:[00000030h]9_2_012FA660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FA660 mov eax, dword ptr fs:[00000030h]9_2_012FA660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0138866E mov eax, dword ptr fs:[00000030h]9_2_0138866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0138866E mov eax, dword ptr fs:[00000030h]9_2_0138866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F2674 mov eax, dword ptr fs:[00000030h]9_2_012F2674
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012DC640 mov eax, dword ptr fs:[00000030h]9_2_012DC640
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FC6A6 mov eax, dword ptr fs:[00000030h]9_2_012FC6A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F66B0 mov eax, dword ptr fs:[00000030h]9_2_012F66B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C4690 mov eax, dword ptr fs:[00000030h]9_2_012C4690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C4690 mov eax, dword ptr fs:[00000030h]9_2_012C4690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0133E6F2 mov eax, dword ptr fs:[00000030h]9_2_0133E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0133E6F2 mov eax, dword ptr fs:[00000030h]9_2_0133E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0133E6F2 mov eax, dword ptr fs:[00000030h]9_2_0133E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0133E6F2 mov eax, dword ptr fs:[00000030h]9_2_0133E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013406F1 mov eax, dword ptr fs:[00000030h]9_2_013406F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013406F1 mov eax, dword ptr fs:[00000030h]9_2_013406F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FA6C7 mov ebx, dword ptr fs:[00000030h]9_2_012FA6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FA6C7 mov eax, dword ptr fs:[00000030h]9_2_012FA6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0134892A mov eax, dword ptr fs:[00000030h]9_2_0134892A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0135892B mov eax, dword ptr fs:[00000030h]9_2_0135892B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0134C912 mov eax, dword ptr fs:[00000030h]9_2_0134C912
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012B8918 mov eax, dword ptr fs:[00000030h]9_2_012B8918
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012B8918 mov eax, dword ptr fs:[00000030h]9_2_012B8918
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0133E908 mov eax, dword ptr fs:[00000030h]9_2_0133E908
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0133E908 mov eax, dword ptr fs:[00000030h]9_2_0133E908
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0134C97C mov eax, dword ptr fs:[00000030h]9_2_0134C97C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E6962 mov eax, dword ptr fs:[00000030h]9_2_012E6962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E6962 mov eax, dword ptr fs:[00000030h]9_2_012E6962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E6962 mov eax, dword ptr fs:[00000030h]9_2_012E6962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01364978 mov eax, dword ptr fs:[00000030h]9_2_01364978
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01364978 mov eax, dword ptr fs:[00000030h]9_2_01364978
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0130096E mov eax, dword ptr fs:[00000030h]9_2_0130096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0130096E mov edx, dword ptr fs:[00000030h]9_2_0130096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0130096E mov eax, dword ptr fs:[00000030h]9_2_0130096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01340946 mov eax, dword ptr fs:[00000030h]9_2_01340946
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01394940 mov eax, dword ptr fs:[00000030h]9_2_01394940
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C09AD mov eax, dword ptr fs:[00000030h]9_2_012C09AD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C09AD mov eax, dword ptr fs:[00000030h]9_2_012C09AD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013489B3 mov esi, dword ptr fs:[00000030h]9_2_013489B3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013489B3 mov eax, dword ptr fs:[00000030h]9_2_013489B3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013489B3 mov eax, dword ptr fs:[00000030h]9_2_013489B3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D29A0 mov eax, dword ptr fs:[00000030h]9_2_012D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D29A0 mov eax, dword ptr fs:[00000030h]9_2_012D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D29A0 mov eax, dword ptr fs:[00000030h]9_2_012D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D29A0 mov eax, dword ptr fs:[00000030h]9_2_012D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D29A0 mov eax, dword ptr fs:[00000030h]9_2_012D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D29A0 mov eax, dword ptr fs:[00000030h]9_2_012D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D29A0 mov eax, dword ptr fs:[00000030h]9_2_012D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D29A0 mov eax, dword ptr fs:[00000030h]9_2_012D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D29A0 mov eax, dword ptr fs:[00000030h]9_2_012D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D29A0 mov eax, dword ptr fs:[00000030h]9_2_012D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D29A0 mov eax, dword ptr fs:[00000030h]9_2_012D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D29A0 mov eax, dword ptr fs:[00000030h]9_2_012D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D29A0 mov eax, dword ptr fs:[00000030h]9_2_012D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0134E9E0 mov eax, dword ptr fs:[00000030h]9_2_0134E9E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F29F9 mov eax, dword ptr fs:[00000030h]9_2_012F29F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F29F9 mov eax, dword ptr fs:[00000030h]9_2_012F29F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0138A9D3 mov eax, dword ptr fs:[00000030h]9_2_0138A9D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013569C0 mov eax, dword ptr fs:[00000030h]9_2_013569C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CA9D0 mov eax, dword ptr fs:[00000030h]9_2_012CA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CA9D0 mov eax, dword ptr fs:[00000030h]9_2_012CA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CA9D0 mov eax, dword ptr fs:[00000030h]9_2_012CA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CA9D0 mov eax, dword ptr fs:[00000030h]9_2_012CA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CA9D0 mov eax, dword ptr fs:[00000030h]9_2_012CA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CA9D0 mov eax, dword ptr fs:[00000030h]9_2_012CA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F49D0 mov eax, dword ptr fs:[00000030h]9_2_012F49D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136483A mov eax, dword ptr fs:[00000030h]9_2_0136483A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136483A mov eax, dword ptr fs:[00000030h]9_2_0136483A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E2835 mov eax, dword ptr fs:[00000030h]9_2_012E2835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E2835 mov eax, dword ptr fs:[00000030h]9_2_012E2835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E2835 mov eax, dword ptr fs:[00000030h]9_2_012E2835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E2835 mov ecx, dword ptr fs:[00000030h]9_2_012E2835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E2835 mov eax, dword ptr fs:[00000030h]9_2_012E2835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E2835 mov eax, dword ptr fs:[00000030h]9_2_012E2835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FA830 mov eax, dword ptr fs:[00000030h]9_2_012FA830
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0134C810 mov eax, dword ptr fs:[00000030h]9_2_0134C810
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01356870 mov eax, dword ptr fs:[00000030h]9_2_01356870
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01356870 mov eax, dword ptr fs:[00000030h]9_2_01356870
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0134E872 mov eax, dword ptr fs:[00000030h]9_2_0134E872
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0134E872 mov eax, dword ptr fs:[00000030h]9_2_0134E872
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D2840 mov ecx, dword ptr fs:[00000030h]9_2_012D2840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C4859 mov eax, dword ptr fs:[00000030h]9_2_012C4859
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C4859 mov eax, dword ptr fs:[00000030h]9_2_012C4859
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012F0854 mov eax, dword ptr fs:[00000030h]9_2_012F0854
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0134C89D mov eax, dword ptr fs:[00000030h]9_2_0134C89D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C0887 mov eax, dword ptr fs:[00000030h]9_2_012C0887
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FC8F9 mov eax, dword ptr fs:[00000030h]9_2_012FC8F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FC8F9 mov eax, dword ptr fs:[00000030h]9_2_012FC8F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0138A8E4 mov eax, dword ptr fs:[00000030h]9_2_0138A8E4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EE8C0 mov eax, dword ptr fs:[00000030h]9_2_012EE8C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_013908C0 mov eax, dword ptr fs:[00000030h]9_2_013908C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EEB20 mov eax, dword ptr fs:[00000030h]9_2_012EEB20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EEB20 mov eax, dword ptr fs:[00000030h]9_2_012EEB20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01388B28 mov eax, dword ptr fs:[00000030h]9_2_01388B28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01388B28 mov eax, dword ptr fs:[00000030h]9_2_01388B28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0133EB1D mov eax, dword ptr fs:[00000030h]9_2_0133EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0133EB1D mov eax, dword ptr fs:[00000030h]9_2_0133EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0133EB1D mov eax, dword ptr fs:[00000030h]9_2_0133EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0133EB1D mov eax, dword ptr fs:[00000030h]9_2_0133EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0133EB1D mov eax, dword ptr fs:[00000030h]9_2_0133EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0133EB1D mov eax, dword ptr fs:[00000030h]9_2_0133EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0133EB1D mov eax, dword ptr fs:[00000030h]9_2_0133EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0133EB1D mov eax, dword ptr fs:[00000030h]9_2_0133EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0133EB1D mov eax, dword ptr fs:[00000030h]9_2_0133EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01394B00 mov eax, dword ptr fs:[00000030h]9_2_01394B00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012BCB7E mov eax, dword ptr fs:[00000030h]9_2_012BCB7E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136EB50 mov eax, dword ptr fs:[00000030h]9_2_0136EB50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01392B57 mov eax, dword ptr fs:[00000030h]9_2_01392B57
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01392B57 mov eax, dword ptr fs:[00000030h]9_2_01392B57
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01392B57 mov eax, dword ptr fs:[00000030h]9_2_01392B57
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01392B57 mov eax, dword ptr fs:[00000030h]9_2_01392B57
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01368B42 mov eax, dword ptr fs:[00000030h]9_2_01368B42
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01356B40 mov eax, dword ptr fs:[00000030h]9_2_01356B40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01356B40 mov eax, dword ptr fs:[00000030h]9_2_01356B40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0138AB40 mov eax, dword ptr fs:[00000030h]9_2_0138AB40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012B8B50 mov eax, dword ptr fs:[00000030h]9_2_012B8B50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01374B4B mov eax, dword ptr fs:[00000030h]9_2_01374B4B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01374B4B mov eax, dword ptr fs:[00000030h]9_2_01374B4B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01374BB0 mov eax, dword ptr fs:[00000030h]9_2_01374BB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01374BB0 mov eax, dword ptr fs:[00000030h]9_2_01374BB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D0BBE mov eax, dword ptr fs:[00000030h]9_2_012D0BBE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D0BBE mov eax, dword ptr fs:[00000030h]9_2_012D0BBE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0134CBF0 mov eax, dword ptr fs:[00000030h]9_2_0134CBF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EEBFC mov eax, dword ptr fs:[00000030h]9_2_012EEBFC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C8BF0 mov eax, dword ptr fs:[00000030h]9_2_012C8BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C8BF0 mov eax, dword ptr fs:[00000030h]9_2_012C8BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C8BF0 mov eax, dword ptr fs:[00000030h]9_2_012C8BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C0BCD mov eax, dword ptr fs:[00000030h]9_2_012C0BCD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C0BCD mov eax, dword ptr fs:[00000030h]9_2_012C0BCD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C0BCD mov eax, dword ptr fs:[00000030h]9_2_012C0BCD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E0BCB mov eax, dword ptr fs:[00000030h]9_2_012E0BCB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E0BCB mov eax, dword ptr fs:[00000030h]9_2_012E0BCB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E0BCB mov eax, dword ptr fs:[00000030h]9_2_012E0BCB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136EBD0 mov eax, dword ptr fs:[00000030h]9_2_0136EBD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012EEA2E mov eax, dword ptr fs:[00000030h]9_2_012EEA2E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FCA24 mov eax, dword ptr fs:[00000030h]9_2_012FCA24
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FCA38 mov eax, dword ptr fs:[00000030h]9_2_012FCA38
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E4A35 mov eax, dword ptr fs:[00000030h]9_2_012E4A35
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012E4A35 mov eax, dword ptr fs:[00000030h]9_2_012E4A35
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0134CA11 mov eax, dword ptr fs:[00000030h]9_2_0134CA11
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FCA6F mov eax, dword ptr fs:[00000030h]9_2_012FCA6F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FCA6F mov eax, dword ptr fs:[00000030h]9_2_012FCA6F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012FCA6F mov eax, dword ptr fs:[00000030h]9_2_012FCA6F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0133CA72 mov eax, dword ptr fs:[00000030h]9_2_0133CA72
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0133CA72 mov eax, dword ptr fs:[00000030h]9_2_0133CA72
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0136EA60 mov eax, dword ptr fs:[00000030h]9_2_0136EA60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D0A5B mov eax, dword ptr fs:[00000030h]9_2_012D0A5B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012D0A5B mov eax, dword ptr fs:[00000030h]9_2_012D0A5B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C6A50 mov eax, dword ptr fs:[00000030h]9_2_012C6A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C6A50 mov eax, dword ptr fs:[00000030h]9_2_012C6A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C6A50 mov eax, dword ptr fs:[00000030h]9_2_012C6A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C6A50 mov eax, dword ptr fs:[00000030h]9_2_012C6A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C6A50 mov eax, dword ptr fs:[00000030h]9_2_012C6A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C6A50 mov eax, dword ptr fs:[00000030h]9_2_012C6A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C6A50 mov eax, dword ptr fs:[00000030h]9_2_012C6A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C8AA0 mov eax, dword ptr fs:[00000030h]9_2_012C8AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012C8AA0 mov eax, dword ptr fs:[00000030h]9_2_012C8AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01316AA4 mov eax, dword ptr fs:[00000030h]9_2_01316AA4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CEA80 mov eax, dword ptr fs:[00000030h]9_2_012CEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CEA80 mov eax, dword ptr fs:[00000030h]9_2_012CEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CEA80 mov eax, dword ptr fs:[00000030h]9_2_012CEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CEA80 mov eax, dword ptr fs:[00000030h]9_2_012CEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CEA80 mov eax, dword ptr fs:[00000030h]9_2_012CEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CEA80 mov eax, dword ptr fs:[00000030h]9_2_012CEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CEA80 mov eax, dword ptr fs:[00000030h]9_2_012CEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_012CEA80 mov eax, dword ptr fs:[00000030h]9_2_012CEA80
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Adds a directory exclusion to Windows Defender
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#98540-00.exe"
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exe"
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#98540-00.exe"Jump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exe"Jump to behavior
                Allocates memory in foreign processes
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
                Found direct / indirect Syscall (likely to bypass EDR)
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtAllocateVirtualMemory: Direct from: 0x76EF48EC
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtQueryAttributesFile: Direct from: 0x76EF2E6C
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtQuerySystemInformation: Direct from: 0x76EF48CC
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtOpenSection: Direct from: 0x76EF2E0C
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtDeviceIoControlFile: Direct from: 0x76EF2AEC
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtAllocateVirtualMemory: Direct from: 0x76EF2BEC
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtQueryInformationToken: Direct from: 0x76EF2CAC
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtCreateFile: Direct from: 0x76EF2FEC
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtOpenFile: Direct from: 0x76EF2DCC
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtTerminateThread: Direct from: 0x76EF2FCC
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtOpenKeyEx: Direct from: 0x76EF2B9C
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtSetInformationProcess: Direct from: 0x76EF2C5C
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtProtectVirtualMemory: Direct from: 0x76EF2F9C
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtWriteVirtualMemory: Direct from: 0x76EF2E3C
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtNotifyChangeKey: Direct from: 0x76EF3C2C
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtCreateMutant: Direct from: 0x76EF35CC
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtResumeThread: Direct from: 0x76EF36AC
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtMapViewOfSection: Direct from: 0x76EF2D1C
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtTerminateThread: Direct from: 0x76EE7B2E
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtAllocateVirtualMemory: Direct from: 0x76EF2BFC
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtQuerySystemInformation: Direct from: 0x76EF2DFC
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtReadFile: Direct from: 0x76EF2ADC
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtDelayExecution: Direct from: 0x76EF2DDC
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtQueryInformationProcess: Direct from: 0x76EF2C26
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtResumeThread: Direct from: 0x76EF2FBC
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtCreateUserProcess: Direct from: 0x76EF371C
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtAllocateVirtualMemory: Direct from: 0x76EF3C9C
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtWriteVirtualMemory: Direct from: 0x76EF490C
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtSetInformationThread: Direct from: 0x76EE63F9
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtClose: Direct from: 0x76EF2B6C
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtSetInformationThread: Direct from: 0x76EF2B4C
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtReadVirtualMemory: Direct from: 0x76EF2E8C
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeNtCreateKey: Direct from: 0x76EF2C6C
                Injects a PE file into a foreign processes
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
                Maps a DLL or memory area into another process
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: NULL target: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: NULL target: C:\Windows\SysWOW64\taskkill.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: NULL target: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exe protection: read write
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: NULL target: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Modifies the context of a thread in another process (thread injection)
                Source: C:\Windows\SysWOW64\taskkill.exeThread register set: target process: 8124
                Queues an APC in another process (thread injection)
                Source: C:\Windows\SysWOW64\taskkill.exeThread APC queued: target process: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exe
                Writes to foreign memory regions
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000Jump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: FCB008Jump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#98540-00.exe"Jump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exe"Jump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgSwAbBKbQrN" /XML "C:\Users\user\AppData\Local\Temp\tmp8537.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgSwAbBKbQrN" /XML "C:\Users\user\AppData\Local\Temp\tmpA458.tmp"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe"
                Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Program Files (x86)\gLDugtYwZlEUDoeMDhGTxHBtdmwiQAYbbYWyUmAp\vuSbvvxE2e.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe"
                Source: vuSbvvxE2e.exe, 00000010.00000000.2442152875.0000000001561000.00000002.00000001.00040000.00000000.sdmp, vuSbvvxE2e.exe, 00000010.00000002.4527388228.0000000001561000.00000002.00000001.00040000.00000000.sdmp, vuSbvvxE2e.exe, 00000013.00000002.4527945520.0000000000F71000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager
                Source: vuSbvvxE2e.exe, 00000010.00000000.2442152875.0000000001561000.00000002.00000001.00040000.00000000.sdmp, vuSbvvxE2e.exe, 00000010.00000002.4527388228.0000000001561000.00000002.00000001.00040000.00000000.sdmp, vuSbvvxE2e.exe, 00000013.00000002.4527945520.0000000000F71000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: vuSbvvxE2e.exe, 00000010.00000000.2442152875.0000000001561000.00000002.00000001.00040000.00000000.sdmp, vuSbvvxE2e.exe, 00000010.00000002.4527388228.0000000001561000.00000002.00000001.00040000.00000000.sdmp, vuSbvvxE2e.exe, 00000013.00000002.4527945520.0000000000F71000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: vuSbvvxE2e.exe, 00000010.00000000.2442152875.0000000001561000.00000002.00000001.00040000.00000000.sdmp, vuSbvvxE2e.exe, 00000010.00000002.4527388228.0000000001561000.00000002.00000001.00040000.00000000.sdmp, vuSbvvxE2e.exe, 00000013.00000002.4527945520.0000000000F71000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\PO#98540-00.exeQueries volume information: C:\Users\user\Desktop\PO#98540-00.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeQueries volume information: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\ZgSwAbBKbQrN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO#98540-00.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000009.00000002.2519092908.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000013.00000002.4529838278.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.2520025807.00000000011C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.4527638531.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.4526508310.0000000002960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.4527575007.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.2525382668.0000000001FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000010.00000002.4527705273.0000000003620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Windows\SysWOW64\taskkill.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\taskkill.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\taskkill.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\taskkill.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\taskkill.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\taskkill.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\taskkill.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\taskkill.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Tries to steal Mail credentials (via file / registry access)
                Source: C:\Windows\SysWOW64\taskkill.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000009.00000002.2519092908.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000013.00000002.4529838278.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.2520025807.00000000011C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.4527638531.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.4526508310.0000000002960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.4527575007.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.2525382668.0000000001FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000010.00000002.4527705273.0000000003620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                Scheduled Task/Job                		1
                Scheduled Task/Job                		612
                Process Injection                		1
                Masquerading                		1
                OS Credential Dumping                		221
                Security Software Discovery                		Remote Services1
                Email Collection                		1
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/Job1
                DLL Side-Loading                		1
                Scheduled Task/Job                		111
                Disable or Modify Tools                		LSASS Memory2
                Process Discovery                		Remote Desktop Protocol1
                Archive Collected Data                		3
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                Abuse Elevation Control Mechanism                		41
                Virtualization/Sandbox Evasion                		Security Account Manager41
                Virtualization/Sandbox Evasion                		SMB/Windows Admin Shares1
                Data from Local System                		4
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                DLL Side-Loading                		612
                Process Injection                		NTDS1
                Application Window Discovery                		Distributed Component Object ModelInput Capture4
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Deobfuscate/Decode Files or Information                		LSA Secrets3
                File and Directory Discovery                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                Abuse Elevation Control Mechanism                		Cached Domain Credentials113
                System Information Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items4
                Obfuscated Files or Information                		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job12
                Software Packing                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                Timestomp                		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
                DLL Side-Loading                		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1595909 Sample: PO#98540-00.exe Startdate: 21/01/2025 Architecture: WINDOWS Score: 100 59 www.irlandesi.xyz 2->59 61 www.iquery.xyz 2->61 63 17 other IPs or domains 2->63 75 Suricata IDS alerts for network traffic 2->75 77 Sigma detected: Scheduled temp file as task from temp location 2->77 79 Multi AV Scanner detection for submitted file 2->79 83 7 other signatures 2->83 10 PO#98540-00.exe 7 2->10         started        14 ZgSwAbBKbQrN.exe 5 2->14         started        signatures3 81 Performs DNS queries to domains with low reputation 61->81 process4 file5 51 C:\Users\user\AppData\...\ZgSwAbBKbQrN.exe, PE32 10->51 dropped 53 C:\Users\...\ZgSwAbBKbQrN.exe:Zone.Identifier, ASCII 10->53 dropped 55 C:\Users\user\AppData\Local\...\tmp8537.tmp, XML 10->55 dropped 57 C:\Users\user\AppData\...\PO#98540-00.exe.log, ASCII 10->57 dropped 93 Uses schtasks.exe or at.exe to add and modify task schedules 10->93 95 Adds a directory exclusion to Windows Defender 10->95 16 RegSvcs.exe 10->16         started        19 powershell.exe 23 10->19         started        21 powershell.exe 23 10->21         started        23 schtasks.exe 1 10->23         started        97 Multi AV Scanner detection for dropped file 14->97 99 Machine Learning detection for dropped file 14->99 101 Writes to foreign memory regions 14->101 103 2 other signatures 14->103 25 schtasks.exe 1 14->25         started        27 RegSvcs.exe 14->27         started        signatures6 process7 signatures8 71 Maps a DLL or memory area into another process 16->71 29 vuSbvvxE2e.exe 16->29 injected 73 Loading BitLocker PowerShell Module 19->73 32 WmiPrvSE.exe 19->32         started        34 conhost.exe 19->34         started        36 conhost.exe 21->36         started        38 conhost.exe 23->38         started        40 conhost.exe 25->40         started        process9 signatures10 105 Found direct / indirect Syscall (likely to bypass EDR) 29->105 42 taskkill.exe 29->42         started        process11 signatures12 85 Tries to steal Mail credentials (via file / registry access) 42->85 87 Tries to harvest and steal browser information (history, passwords, etc) 42->87 89 Modifies the context of a thread in another process (thread injection) 42->89 91 3 other signatures 42->91 45 vuSbvvxE2e.exe 42->45 injected 49 firefox.exe 42->49         started        process13 dnsIp14 65 www.xrrkkv.info 47.83.1.90, 57855, 57856, 57857 VODANETInternationalIP-BackboneofVodafoneDE United States 45->65 67 mercadoacheaqui.shop 185.173.109.83, 57823, 57824, 57825 TERRATRANSIT-ASDE Germany 45->67 69 8 other IPs or domains 45->69 107 Found direct / indirect Syscall (likely to bypass EDR) 45->107 signatures15

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.