Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
RFQ RFQ-BA-00090303885-xlsx.exe

Overview

General Information

Sample name:RFQ RFQ-BA-00090303885-xlsx.exe
Analysis ID:1608115
MD5:1933e7311ec3e4eaa36accf9ac774af7
SHA1:cdd5e650716a91c884b232c7b776e04373a598b1
SHA256:bad55ab8c4ce39ff171bdbc3c86987d0b3b118aacf2ffcc38af811c739c64716
Tags:exeuser-abuse_ch
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • RFQ RFQ-BA-00090303885-xlsx.exe (PID: 7724 cmdline: "C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe" MD5: 1933E7311EC3E4EAA36ACCF9AC774AF7)
    • powershell.exe (PID: 8048 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 8056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8088 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dWLOfOG.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 8112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 4808 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 8140 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWLOfOG" /XML "C:\Users\user\AppData\Local\Temp\tmpC38C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 2460 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • mCMv4ksWR9vP9.exe (PID: 7156 cmdline: "C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\HCIgvr7q3QiRQ.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • MuiUnattend.exe (PID: 7276 cmdline: "C:\Windows\SysWOW64\MuiUnattend.exe" MD5: 3D5B670CE8E58D9434946FDD1325553D)
          • mCMv4ksWR9vP9.exe (PID: 6400 cmdline: "C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\vWhXbEh0JiDdwZ.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 8160 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • dWLOfOG.exe (PID: 5100 cmdline: C:\Users\user\AppData\Roaming\dWLOfOG.exe MD5: 1933E7311EC3E4EAA36ACCF9AC774AF7)
    • schtasks.exe (PID: 7184 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWLOfOG" /XML "C:\Users\user\AppData\Local\Temp\tmpFBF1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7224 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 7244 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 7220 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000A.00000002.1631596445.0000000001800000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000014.00000002.3771626831.00000000030B0000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000014.00000002.3759244019.0000000002940000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        00000015.00000002.3774270647.0000000004E40000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          00000014.00000002.3771561486.0000000003060000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            Click to see the 5 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            10.2.RegSvcs.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
              10.2.RegSvcs.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe", ParentImage: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe, ParentProcessId: 7724, ParentProcessName: RFQ RFQ-BA-00090303885-xlsx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe", ProcessId: 8048, ProcessName: powershell.exe
                Sigma detected: Powershell Defender Exclusion
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe", ParentImage: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe, ParentProcessId: 7724, ParentProcessName: RFQ RFQ-BA-00090303885-xlsx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe", ProcessId: 8048, ProcessName: powershell.exe
                Sigma detected: Suspicious Add Scheduled Task Parent
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWLOfOG" /XML "C:\Users\user\AppData\Local\Temp\tmpFBF1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWLOfOG" /XML "C:\Users\user\AppData\Local\Temp\tmpFBF1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\dWLOfOG.exe, ParentImage: C:\Users\user\AppData\Roaming\dWLOfOG.exe, ParentProcessId: 5100, ParentProcessName: dWLOfOG.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWLOfOG" /XML "C:\Users\user\AppData\Local\Temp\tmpFBF1.tmp", ProcessId: 7184, ProcessName: schtasks.exe
                Sigma detected: Suspicious Schtasks From Env Var Folder
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWLOfOG" /XML "C:\Users\user\AppData\Local\Temp\tmpC38C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWLOfOG" /XML "C:\Users\user\AppData\Local\Temp\tmpC38C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe", ParentImage: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe, ParentProcessId: 7724, ParentProcessName: RFQ RFQ-BA-00090303885-xlsx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWLOfOG" /XML "C:\Users\user\AppData\Local\Temp\tmpC38C.tmp", ProcessId: 8140, ProcessName: schtasks.exe
                Sigma detected: Non Interactive PowerShell Process Spawned
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe", ParentImage: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe, ParentProcessId: 7724, ParentProcessName: RFQ RFQ-BA-00090303885-xlsx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe", ProcessId: 8048, ProcessName: powershell.exe

                Persistence and Installation Behavior

                barindex
                Sigma detected: Scheduled temp file as task from temp location
                Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWLOfOG" /XML "C:\Users\user\AppData\Local\Temp\tmpC38C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWLOfOG" /XML "C:\Users\user\AppData\Local\Temp\tmpC38C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe", ParentImage: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe, ParentProcessId: 7724, ParentProcessName: RFQ RFQ-BA-00090303885-xlsx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWLOfOG" /XML "C:\Users\user\AppData\Local\Temp\tmpC38C.tmp", ProcessId: 8140, ProcessName: schtasks.exe

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-02-06T09:07:38.804838+010028554651A Network Trojan was detected192.168.2.749950188.114.97.380TCP
                2025-02-06T09:08:00.407098+010028554651A Network Trojan was detected192.168.2.749984199.59.243.22880TCP
                2025-02-06T09:08:13.864699+010028554651A Network Trojan was detected192.168.2.74998867.223.117.18980TCP
                2025-02-06T09:08:27.356038+010028554651A Network Trojan was detected192.168.2.749992217.160.0.16780TCP
                2025-02-06T09:08:40.965958+010028554651A Network Trojan was detected192.168.2.749996172.67.131.14480TCP
                2025-02-06T09:09:12.111712+010028554651A Network Trojan was detected192.168.2.750000103.42.144.14280TCP
                2025-02-06T09:09:25.674082+010028554651A Network Trojan was detected192.168.2.75000447.254.140.25580TCP
                2025-02-06T09:09:39.666269+010028554651A Network Trojan was detected192.168.2.750008208.91.197.2780TCP
                2025-02-06T09:10:14.032064+010028554651A Network Trojan was detected192.168.2.75001218.163.74.13980TCP
                2025-02-06T09:10:27.398512+010028554651A Network Trojan was detected192.168.2.750016188.114.97.380TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-02-06T09:07:52.725344+010028554641A Network Trojan was detected192.168.2.749981199.59.243.22880TCP
                2025-02-06T09:07:55.283206+010028554641A Network Trojan was detected192.168.2.749982199.59.243.22880TCP
                2025-02-06T09:07:57.851190+010028554641A Network Trojan was detected192.168.2.749983199.59.243.22880TCP
                2025-02-06T09:08:06.250367+010028554641A Network Trojan was detected192.168.2.74998567.223.117.18980TCP
                2025-02-06T09:08:08.657480+010028554641A Network Trojan was detected192.168.2.74998667.223.117.18980TCP
                2025-02-06T09:08:11.240326+010028554641A Network Trojan was detected192.168.2.74998767.223.117.18980TCP
                2025-02-06T09:08:19.699526+010028554641A Network Trojan was detected192.168.2.749989217.160.0.16780TCP
                2025-02-06T09:08:22.282229+010028554641A Network Trojan was detected192.168.2.749990217.160.0.16780TCP
                2025-02-06T09:08:24.801927+010028554641A Network Trojan was detected192.168.2.749991217.160.0.16780TCP
                2025-02-06T09:08:33.016219+010028554641A Network Trojan was detected192.168.2.749993172.67.131.14480TCP
                2025-02-06T09:08:35.574704+010028554641A Network Trojan was detected192.168.2.749994172.67.131.14480TCP
                2025-02-06T09:08:38.430092+010028554641A Network Trojan was detected192.168.2.749995172.67.131.14480TCP
                2025-02-06T09:09:04.332838+010028554641A Network Trojan was detected192.168.2.749997103.42.144.14280TCP
                2025-02-06T09:09:06.866693+010028554641A Network Trojan was detected192.168.2.749998103.42.144.14280TCP
                2025-02-06T09:09:09.489276+010028554641A Network Trojan was detected192.168.2.749999103.42.144.14280TCP
                2025-02-06T09:09:17.875961+010028554641A Network Trojan was detected192.168.2.75000147.254.140.25580TCP
                2025-02-06T09:09:20.522976+010028554641A Network Trojan was detected192.168.2.75000247.254.140.25580TCP
                2025-02-06T09:09:23.078022+010028554641A Network Trojan was detected192.168.2.75000347.254.140.25580TCP
                2025-02-06T09:09:31.478740+010028554641A Network Trojan was detected192.168.2.750005208.91.197.2780TCP
                2025-02-06T09:09:34.028519+010028554641A Network Trojan was detected192.168.2.750006208.91.197.2780TCP
                2025-02-06T09:09:36.796954+010028554641A Network Trojan was detected192.168.2.750007208.91.197.2780TCP
                2025-02-06T09:09:46.513181+010028554641A Network Trojan was detected192.168.2.75000918.163.74.13980TCP
                2025-02-06T09:09:49.059950+010028554641A Network Trojan was detected192.168.2.75001018.163.74.13980TCP
                2025-02-06T09:09:51.625139+010028554641A Network Trojan was detected192.168.2.75001118.163.74.13980TCP
                2025-02-06T09:10:19.725130+010028554641A Network Trojan was detected192.168.2.750013188.114.97.380TCP
                2025-02-06T09:10:22.282531+010028554641A Network Trojan was detected192.168.2.750014188.114.97.380TCP
                2025-02-06T09:10:24.824184+010028554641A Network Trojan was detected192.168.2.750015188.114.97.380TCP
                2025-02-06T09:10:34.452477+010028554641A Network Trojan was detected192.168.2.750017156.226.63.1380TCP
                2025-02-06T09:10:37.010101+010028554641A Network Trojan was detected192.168.2.750018156.226.63.1380TCP
                2025-02-06T09:10:39.565220+010028554641A Network Trojan was detected192.168.2.750019156.226.63.1380TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus detection for URL or domain
                Source: http://www.odvfr.info/mx4t/?tt0tV=CBM4fganU1nouDP5gq7973XyqJYfY1suj2m0EjSYllKVfylKulo3Q9YCNzkMq41zl0FNatlanjFJI4hqfTeUSRYTdl52uPqj2Vbx4Lr3S7R12z/QO7028Uw1Vb9iZBSymeEuK0ZXeIuJ&VRF=zhb4qAvira URL Cloud: Label: malware
                Source: http://www.odvfr.info/mx4t/Avira URL Cloud: Label: malware
                Multi AV Scanner detection for dropped file
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeReversingLabs: Detection: 36%
                Multi AV Scanner detection for submitted file
                Source: RFQ RFQ-BA-00090303885-xlsx.exeVirustotal: Detection: 50%Perma Link
                Source: RFQ RFQ-BA-00090303885-xlsx.exeReversingLabs: Detection: 36%
                Yara detected FormBook
                Source: Yara matchFile source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000A.00000002.1631596445.0000000001800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.3771626831.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.3759244019.0000000002940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.3774270647.0000000004E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.3771561486.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.1630090977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000013.00000002.3771790216.0000000002380000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.1633416834.0000000001CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Joe Sandbox ML detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Machine Learning detection for dropped file
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeJoe Sandbox ML: detected
                Machine Learning detection for sample
                Source: RFQ RFQ-BA-00090303885-xlsx.exeJoe Sandbox ML: detected
                Source: RFQ RFQ-BA-00090303885-xlsx.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: RFQ RFQ-BA-00090303885-xlsx.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: RegSvcs.pdb, source: MuiUnattend.exe, 00000014.00000002.3761306354.0000000002E6E000.00000004.00000020.00020000.00000000.sdmp, MuiUnattend.exe, 00000014.00000002.3773883190.00000000038EC000.00000004.10000000.00040000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000015.00000000.1697991244.0000000002A0C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.1932683390.000000001B19C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000A.00000002.1631935110.0000000001870000.00000040.00001000.00020000.00000000.sdmp, MuiUnattend.exe, 00000014.00000002.3771957310.000000000345E000.00000040.00001000.00020000.00000000.sdmp, MuiUnattend.exe, 00000014.00000002.3771957310.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, MuiUnattend.exe, 00000014.00000003.1632504765.0000000003110000.00000004.00000020.00020000.00000000.sdmp, MuiUnattend.exe, 00000014.00000003.1630324082.0000000002F62000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000A.00000002.1631935110.0000000001870000.00000040.00001000.00020000.00000000.sdmp, MuiUnattend.exe, 00000014.00000002.3771957310.000000000345E000.00000040.00001000.00020000.00000000.sdmp, MuiUnattend.exe, 00000014.00000002.3771957310.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, MuiUnattend.exe, 00000014.00000003.1632504765.0000000003110000.00000004.00000020.00020000.00000000.sdmp, MuiUnattend.exe, 00000014.00000003.1630324082.0000000002F62000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: MUIUnattend.pdbGCTL source: RegSvcs.exe, 0000000A.00000002.1630441987.0000000001318000.00000004.00000020.00020000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000013.00000003.1569495632.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000013.00000002.3765420812.0000000000808000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: MUIUnattend.pdb source: RegSvcs.exe, 0000000A.00000002.1630441987.0000000001318000.00000004.00000020.00020000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000013.00000003.1569495632.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000013.00000002.3765420812.0000000000808000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: RegSvcs.pdb source: MuiUnattend.exe, 00000014.00000002.3761306354.0000000002E6E000.00000004.00000020.00020000.00000000.sdmp, MuiUnattend.exe, 00000014.00000002.3773883190.00000000038EC000.00000004.10000000.00040000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000015.00000000.1697991244.0000000002A0C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.1932683390.000000001B19C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: mCMv4ksWR9vP9.exe, 00000013.00000000.1557225315.000000000063F000.00000002.00000001.01000000.0000000E.sdmp, mCMv4ksWR9vP9.exe, 00000015.00000002.3761312801.000000000063F000.00000002.00000001.01000000.0000000E.sdmp
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 4x nop then jmp 077206F0h11_2_07720BB3

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49984 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49950 -> 188.114.97.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49987 -> 67.223.117.189:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49993 -> 172.67.131.144:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49989 -> 217.160.0.167:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50000 -> 103.42.144.142:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50005 -> 208.91.197.27:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50001 -> 47.254.140.255:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49999 -> 103.42.144.142:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49985 -> 67.223.117.189:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50010 -> 18.163.74.139:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50004 -> 47.254.140.255:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49988 -> 67.223.117.189:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49981 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49986 -> 67.223.117.189:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49990 -> 217.160.0.167:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50013 -> 188.114.97.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49998 -> 103.42.144.142:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49983 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49996 -> 172.67.131.144:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50003 -> 47.254.140.255:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50002 -> 47.254.140.255:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49995 -> 172.67.131.144:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50006 -> 208.91.197.27:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49982 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50017 -> 156.226.63.13:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50011 -> 18.163.74.139:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50012 -> 18.163.74.139:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49991 -> 217.160.0.167:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50009 -> 18.163.74.139:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50008 -> 208.91.197.27:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49992 -> 217.160.0.167:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50016 -> 188.114.97.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49997 -> 103.42.144.142:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49994 -> 172.67.131.144:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50007 -> 208.91.197.27:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50019 -> 156.226.63.13:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50015 -> 188.114.97.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50014 -> 188.114.97.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50018 -> 156.226.63.13:80
                Source: Joe Sandbox ViewIP Address: 67.223.117.189 67.223.117.189
                Source: Joe Sandbox ViewIP Address: 217.160.0.167 217.160.0.167
                Source: Joe Sandbox ViewASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /bdqz/?VRF=zhb4q&tt0tV=3EFwHvl7kAnwrw6cr4YoLmo0KPtW3BBcFs6upFqRoaduv0/9QPc6T3r6HHR+m6eKjCencw550LpZW+YE9P3FjySRe6e7HxDDWkdl7tHNWKoAyOtVl3QAceuYmyyUCCDsLg3u6bKIGTg0 HTTP/1.1Host: www.clzt.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Ubuntu 14.04 like Android 4.4) AppleWebKit/537.36 Chromium/35.0.1870.2 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /0lb6/?VRF=zhb4q&tt0tV=RsQ2O/vAe7gHsCnGLZJ7WlI729vZ5lfjfmfst51sI9Ho3cPPd3gRP6MYnvqBVSa2zA9t2QCTgOITMaJH0PDGyuVqOjegkSluwR5pwvBteYciiuM+vfo+cQ8G5p4g+5GJOuKDM/v7YjQO HTTP/1.1Host: www.marketyemen.holdingsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Ubuntu 14.04 like Android 4.4) AppleWebKit/537.36 Chromium/35.0.1870.2 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /c9gw/?tt0tV=SsunhYVICuYhVrYXF5l0Rze8GVkMgaCZrexMfD2Sd3wSp/7lNUzttLQCA4G0Bl3oW5CVngPV7bcZdzD7vschd+023I8IS2xbV4/pwEtRTPCNT7XcfNa5PmMWJ5rt5vximQKfZWbIMeys&VRF=zhb4q HTTP/1.1Host: www.visionaryb.siteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Ubuntu 14.04 like Android 4.4) AppleWebKit/537.36 Chromium/35.0.1870.2 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /2i73/?tt0tV=upwob849MgwLlxGXW4RAkL3N1QiGySBlt+fAe1SpeGkaX6TUtmoM4wbQzfITto/a/mETwjZ65KAHF7SHziDl7V3UHxHv4YId4zYmwnbsPT6dUE7+XOy5lS8rqkd30Ybor38YI6+AF98Q&VRF=zhb4q HTTP/1.1Host: www.nocoma.berlinAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Ubuntu 14.04 like Android 4.4) AppleWebKit/537.36 Chromium/35.0.1870.2 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /1pei/?tt0tV=2c+e0oB0PhFplG55K8WWH4toHd1C2jXyLcBv9RpMVNHlUIePnpNGQEc4+2n3m/pgL/muBIq7zC9i8mXywURhVmMKZaOXQv03kihVc0IJc3x9uHXVsF3lw+4gdNRjWT2gN5EofFVSqxoT&VRF=zhb4q HTTP/1.1Host: www.jyshe18.buzzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Ubuntu 14.04 like Android 4.4) AppleWebKit/537.36 Chromium/35.0.1870.2 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /ubi8/?tt0tV=JBBZe45r1zHR61EXYE3jrtmFQAuUsNCUeqnwaHGWry1YCoR5R9C3of6qt1Xeok6JQYepn2uot/lzXpYwprc5Clt6lYx2AyznSMAzI9LXZErzjbRNj3In7h7t3VrLri2re7eMd8keN2Ee&VRF=zhb4q HTTP/1.1Host: www.dffmdogmyftftv2e.cyouAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Ubuntu 14.04 like Android 4.4) AppleWebKit/537.36 Chromium/35.0.1870.2 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /mx4t/?tt0tV=CBM4fganU1nouDP5gq7973XyqJYfY1suj2m0EjSYllKVfylKulo3Q9YCNzkMq41zl0FNatlanjFJI4hqfTeUSRYTdl52uPqj2Vbx4Lr3S7R12z/QO7028Uw1Vb9iZBSymeEuK0ZXeIuJ&VRF=zhb4q HTTP/1.1Host: www.odvfr.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Ubuntu 14.04 like Android 4.4) AppleWebKit/537.36 Chromium/35.0.1870.2 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /7dbs/?VRF=zhb4q&tt0tV=W0h7Mz5I8JUpGlckzU0CyRO1IZxMGX/XDZTxuEzyuvwMy7awh9AyKQ1l+7gQys7+qwgfjGSyzA4c6PFqXyu+2Z8tr05ZAUFhP1pdolMDkXJOnndwG7nsfWU0Hhw+VmnlFiFhzlHp5fw1 HTTP/1.1Host: www.epayassist.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Ubuntu 14.04 like Android 4.4) AppleWebKit/537.36 Chromium/35.0.1870.2 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /sm7g/?tt0tV=Jtz03/p5UZ5tFpOO533MTh0AvjsYyoWH9JBFgzvyrp3AhZcd7KCKS2brdbUWY47k6XXD3RVUZb/VZZqKrX74jO/bijq5qtblMF7o1P7PBmygD8iP20anh5tRdx1G3hIYZm2igHKUlB+Z&VRF=zhb4q HTTP/1.1Host: www.fzmmkj.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Ubuntu 14.04 like Android 4.4) AppleWebKit/537.36 Chromium/35.0.1870.2 Mobile Safari/537.36
                Source: global trafficHTTP traffic detected: GET /bc93/?VRF=zhb4q&tt0tV=ftlEd50ggHfII0WAa2IxPcV6fFP3E2SWADrO90FrZZEco6hHwNKeX6Q8g1Zb9CuiZ1uL8vBBOMjmzZ/8xJemIwwY+aV6oxn6W0L/gnTIWa5JVz0fYcnn++nIqYizfYmI8N29mD8ccIYn HTTP/1.1Host: www.desktitle.homesAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Ubuntu 14.04 like Android 4.4) AppleWebKit/537.36 Chromium/35.0.1870.2 Mobile Safari/537.36
                Source: global trafficDNS traffic detected: DNS query: www.clzt.shop
                Source: global trafficDNS traffic detected: DNS query: www.x3kwqc5tye4vl90y.top
                Source: global trafficDNS traffic detected: DNS query: www.marketyemen.holdings
                Source: global trafficDNS traffic detected: DNS query: www.visionaryb.site
                Source: global trafficDNS traffic detected: DNS query: www.nocoma.berlin
                Source: global trafficDNS traffic detected: DNS query: www.jyshe18.buzz
                Source: global trafficDNS traffic detected: DNS query: www.reynamart.store
                Source: global trafficDNS traffic detected: DNS query: www.nhengtai.net
                Source: global trafficDNS traffic detected: DNS query: www.dffmdogmyftftv2e.cyou
                Source: global trafficDNS traffic detected: DNS query: www.odvfr.info
                Source: global trafficDNS traffic detected: DNS query: www.epayassist.net
                Source: global trafficDNS traffic detected: DNS query: www.fzmmkj.shop
                Source: global trafficDNS traffic detected: DNS query: www.desktitle.homes
                Source: global trafficDNS traffic detected: DNS query: www.wuyyv4tq.top
                Source: unknownHTTP traffic detected: POST /0lb6/ HTTP/1.1Host: www.marketyemen.holdingsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.5Content-Length: 218Content-Type: application/x-www-form-urlencodedConnection: closeCache-Control: max-age=0Origin: http://www.marketyemen.holdingsReferer: http://www.marketyemen.holdings/0lb6/User-Agent: Mozilla/5.0 (Linux; Ubuntu 14.04 like Android 4.4) AppleWebKit/537.36 Chromium/35.0.1870.2 Mobile Safari/537.36Data Raw: 74 74 30 74 56 3d 63 75 34 57 4e 49 61 4d 42 2b 41 65 67 30 32 4c 46 59 55 75 57 54 42 39 7a 72 32 6a 32 33 50 4e 56 68 4c 42 31 70 35 31 42 65 4c 67 68 76 58 65 49 57 63 30 54 62 6c 30 68 2f 4f 2b 44 78 50 43 67 79 6b 5a 38 32 65 7a 6e 71 6b 79 5a 4c 63 30 74 2b 50 4a 39 35 4d 63 64 77 66 4c 68 52 42 75 7a 77 31 62 78 74 38 79 64 35 55 70 6a 63 38 36 77 76 39 4c 62 51 56 37 71 6f 6f 7a 39 49 53 41 53 36 69 6c 50 4d 6a 7a 59 69 59 55 42 52 76 56 70 59 77 76 59 33 36 31 55 78 2f 53 6a 4f 39 63 79 34 2b 5a 4b 77 6d 4f 71 64 73 48 51 67 71 51 50 51 70 73 2b 51 44 51 54 56 46 45 41 57 33 41 34 6f 66 6d 70 6b 59 38 69 50 38 4d 6c 33 71 6e 6e 77 3d 3d Data Ascii: tt0tV=cu4WNIaMB+Aeg02LFYUuWTB9zr2j23PNVhLB1p51BeLghvXeIWc0Tbl0h/O+DxPCgykZ82eznqkyZLc0t+PJ95McdwfLhRBuzw1bxt8yd5Upjc86wv9LbQV7qooz9ISAS6ilPMjzYiYUBRvVpYwvY361Ux/SjO9cy4+ZKwmOqdsHQgqQPQps+QDQTVFEAW3A4ofmpkY8iP8Ml3qnnw==
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 08:08:06 GMTServer: ApacheContent-Length: 32106Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 21 2d 2d 20 61 6e 69 6d 61 74 65 2e 63 73 73 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 61 6e 69 6d 61 74 65 2e 63 73 73 2d 6d 61 73 74 65 72 2f 61 6e 69 6d 61 74 65 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 4c 6f 61 64 20 53 63 72 65 65 6e 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 6c 6f 61 64 73 63 72 65 65 6e 2f 63 73 73 2f 73 70 69 6e 6b 69 74 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 47 4f 4f 47 4c 45 20 46 4f 4e 54 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 2c 33 30 30 69 2c 34 30 30 2c 34 30 30 69 2c 36 30 30 2c 36 30 30 69 2c 37 30 30 2c 37 30 30 69 2c 38 30 30 2c 38 30 30 69 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 6f 6e 74 20 41 77 65 73 6f 6d 65 20 35 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2f 63 73 73 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2d 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 61 62 6c 65 73 20 49 63 6f 6e 73 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 63 73 73 2f 66 61 62 6c 65 73 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 42 6f
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 08:08:08 GMTServer: ApacheContent-Length: 32106Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 21 2d 2d 20 61 6e 69 6d 61 74 65 2e 63 73 73 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 61 6e 69 6d 61 74 65 2e 63 73 73 2d 6d 61 73 74 65 72 2f 61 6e 69 6d 61 74 65 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 4c 6f 61 64 20 53 63 72 65 65 6e 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 6c 6f 61 64 73 63 72 65 65 6e 2f 63 73 73 2f 73 70 69 6e 6b 69 74 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 47 4f 4f 47 4c 45 20 46 4f 4e 54 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 2c 33 30 30 69 2c 34 30 30 2c 34 30 30 69 2c 36 30 30 2c 36 30 30 69 2c 37 30 30 2c 37 30 30 69 2c 38 30 30 2c 38 30 30 69 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 6f 6e 74 20 41 77 65 73 6f 6d 65 20 35 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2f 63 73 73 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2d 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 61 62 6c 65 73 20 49 63 6f 6e 73 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 63 73 73 2f 66 61 62 6c 65 73 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 42 6f
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 08:08:11 GMTServer: ApacheContent-Length: 32106Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 21 2d 2d 20 61 6e 69 6d 61 74 65 2e 63 73 73 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 61 6e 69 6d 61 74 65 2e 63 73 73 2d 6d 61 73 74 65 72 2f 61 6e 69 6d 61 74 65 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 4c 6f 61 64 20 53 63 72 65 65 6e 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 6c 6f 61 64 73 63 72 65 65 6e 2f 63 73 73 2f 73 70 69 6e 6b 69 74 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 47 4f 4f 47 4c 45 20 46 4f 4e 54 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 2c 33 30 30 69 2c 34 30 30 2c 34 30 30 69 2c 36 30 30 2c 36 30 30 69 2c 37 30 30 2c 37 30 30 69 2c 38 30 30 2c 38 30 30 69 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 6f 6e 74 20 41 77 65 73 6f 6d 65 20 35 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2f 63 73 73 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2d 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 61 62 6c 65 73 20 49 63 6f 6e 73 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 63 73 73 2f 66 61 62 6c 65 73 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 42 6f
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 08:08:13 GMTServer: ApacheContent-Length: 32106Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 21 2d 2d 20 61 6e 69 6d 61 74 65 2e 63 73 73 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 61 6e 69 6d 61 74 65 2e 63 73 73 2d 6d 61 73 74 65 72 2f 61 6e 69 6d 61 74 65 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 4c 6f 61 64 20 53 63 72 65 65 6e 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 6c 6f 61 64 73 63 72 65 65 6e 2f 63 73 73 2f 73 70 69 6e 6b 69 74 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 47 4f 4f 47 4c 45 20 46 4f 4e 54 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 2c 33 30 30 69 2c 34 30 30 2c 34 30 30 69 2c 36 30 30 2c 36 30 30 69 2c 37 30 30 2c 37 30 30 69 2c 38 30 30 2c 38 30 30 69 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 6f 6e 74 20 41 77 65 73 6f 6d 65 20 35 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2f 63 73 73 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2d 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 61 62 6c 65 73 20 49 63 6f 6e 73 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 63 73 73 2f 66 61 62 6c 65 73 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 06 Feb 2025 08:09:17 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Trace: 2B87F28B1F0C3907ABBED5B9B21288297D8FC90C74DD11095CC7452EC500Set-Cookie: _csrf=9d4c9fbcc9ff710b109ec13515d27648ca3e3ce109f70c5da45f509c9dd9a1a9a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22eZFffpZ9BxmAAJjxChlq-OIlG0LYgu8w%22%3B%7D; path=/; HttpOnlyData Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 49 37 7a 30 7a 6a 6c 33 34 6a 6f 33 5a 49 42 6f 52 61 73 31 33 32 37 6a 48 38 58 36 53 47 46 53 2d 4a 31 45 4e 50 73 30 62 45 46 47 35 72 4b 6f 58 77 65 34 41 33 55 63 37 53 6b 45 34 56 2d 6e 4c 59 74 7a 74 4e 63 48 4b 44 36 5f 72 51 68 74 6e 45 46 55 4e 67 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 69 74 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 2d 65 72 72 6f 72 22 3e 0a 0a 20 20 20 20 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 68 31 3e 0a 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 6c 65 72 74 20 61 6c 65 72 74 2d 64 61 6e 67 65 72 22 3e 0a 20 20 20 20 20 20 20 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 65 20 61 62 6f 76 65 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 20 77 68 69 6c 65 20 74 68 65 20 57 65 62 20 73 65 72 76 65 72 20 77 61 73 20 70 72 6f 63 65 73 73 69 6e 67 20 79 6f 75 72 20 72 65 71 75 65 73 74 2e 0a 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 75 73 20 69 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2e 20 54 68 61 6e 6b 20 79 6f 75 2e 0a 20 20 20 20 3c 2f 70 3e 0a 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 06 Feb 2025 08:09:20 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Trace: 2BB76C087DF8CE7ED2A7B89F1BF1B3AF68FAB4626CD5E36B8C19016DD600Set-Cookie: _csrf=e0d5878287a57ca6f11eb4db11dc46053efd16239faf64f96838e36573fa1f75a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22u_vohRXtVqEggA7v0ZY6JfMM2Inx16Bw%22%3B%7D; path=/; HttpOnlyData Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 39 5a 45 59 2d 2d 75 39 69 6a 77 68 4b 30 7a 6e 31 6c 6a 72 42 7a 49 6f 4a 41 52 64 6a 2d 46 44 6a 66 78 49 37 53 43 50 46 37 61 41 7a 6d 36 55 67 2d 5f 53 53 48 64 61 43 59 43 78 47 64 78 78 41 6e 4a 39 4d 68 66 70 72 41 36 5f 74 53 61 56 45 62 6c 56 77 51 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 69 74 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 2d 65 72 72 6f 72 22 3e 0a 0a 20 20 20 20 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 68 31 3e 0a 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 6c 65 72 74 20 61 6c 65 72 74 2d 64 61 6e 67 65 72 22 3e 0a 20 20 20 20 20 20 20 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 65 20 61 62 6f 76 65 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 20 77 68 69 6c 65 20 74 68 65 20 57 65 62 20 73 65 72 76 65 72 20 77 61 73 20 70 72 6f 63 65 73 73 69 6e 67 20 79 6f 75 72 20 72 65 71 75 65 73 74 2e 0a 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 75 73 20 69 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2e 20 54 68 61 6e 6b 20 79 6f 75 2e 0a 20 20 20 20 3c 2f 70 3e 0a 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 06 Feb 2025 08:09:22 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Trace: 2BABBD6A3AD581AC36FD1E8BCFEE24E8F55211A971ECD229D4FF4883BC00Set-Cookie: _csrf=fb160b8a04577809a8ae6a220346caf93312f9603d8710b37dac50ce18978b10a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22s7sDxPLWxfcOQzABAj5_1cmnJsvlCBJs%22%3B%7D; path=/; HttpOnlyData Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 35 72 2d 42 4e 6e 5a 4a 35 47 71 38 41 70 70 68 30 33 38 6b 44 63 4f 45 41 67 32 47 66 64 79 44 72 4b 43 63 6f 5a 79 7a 6a 64 57 56 69 50 4a 79 44 68 6d 6f 50 63 52 6b 2d 53 36 43 42 57 56 50 67 75 34 33 55 72 63 65 73 65 33 6d 30 2d 72 4e 33 5f 48 48 70 67 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 69 74 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 2d 65 72 72 6f 72 22 3e 0a 0a 20 20 20 20 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 68 31 3e 0a 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 6c 65 72 74 20 61 6c 65 72 74 2d 64 61 6e 67 65 72 22 3e 0a 20 20 20 20 20 20 20 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 65 20 61 62 6f 76 65 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 20 77 68 69 6c 65 20 74 68 65 20 57 65 62 20 73 65 72 76 65 72 20 77 61 73 20 70 72 6f 63 65 73 73 69 6e 67 20 79 6f 75 72 20 72 65 71 75 65 73 74 2e 0a 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 75 73 20 69 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2e 20 54 68 61 6e 6b 20 79 6f 75 2e 0a 20 20 20 20 3c 2f 70 3e 0a 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 06 Feb 2025 08:09:25 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Trace: 2B91758D5D00581E5CA17F3D40A02573C028BEAAEBC891BE582A5E352300Set-Cookie: _csrf=8f7e63eceab7424fb9d0847930006756225ee32463fa7e31b01a02edf2137c32a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22GKO0m_lKZr25jS7r-gEqn3LegEWyCNQV%22%3B%7D; path=/; HttpOnlyData Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 72 59 74 44 5f 6a 39 2d 53 31 52 2d 64 46 56 37 2d 67 51 4b 52 77 5f 42 43 72 58 65 46 6e 34 46 46 75 6a 30 69 6c 4f 61 55 76 7a 71 77 41 7a 4f 55 69 45 6e 48 79 51 47 5a 30 36 51 56 7a 30 31 49 71 5a 50 78 4c 41 6c 4d 6d 42 78 72 61 50 7a 45 4e 51 44 71 67 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 69 74 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 2d 65 72 72 6f 72 22 3e 0a 0a 20 20 20 20 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 68 31 3e 0a 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 6c 65 72 74 20 61 6c 65 72 74 2d 64 61 6e 67 65 72 22 3e 0a 20 20 20 20 20 20 20 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 65 20 61 62 6f 76 65 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 20 77 68 69 6c 65 20 74 68 65 20 57 65 62 20 73 65 72 76 65 72 20 77 61 73 20 70 72 6f 63 65 73 73 69 6e 67 20 79 6f 75 72 20 72 65 71 75 65 73 74 2e 0a 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 75 73 20 69 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2e 20 54 68 61 6e 6b 20 79 6f 75 2e 0a 20 20 20 20 3c 2f 70 3e 0a 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 08:10:19 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingSet-Cookie: JSESSID=9c8p7127q3to4bf2i4h4kh03tgpdjepb; expires=Thu, 13-Feb-2025 08:10:19 GMT; Max-Age=604800; path=/; secure; HttpOnly; SameSite=NoneExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cachecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5lYP8zAb%2FQMQVyDRcKsFBtAbfS%2B0shnuo2pArixx%2BsxkxK62PC9MXGfucO12D0W%2FxjSZX%2B1OpoKq%2FcLI8k4YLo6oVUu28R88%2Fx%2BwEmAURsDAtVrcU4DhynppE%2FjnaK%2B8%2FbcDYzyd"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90d9a9bfbe3a8c7b-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1801&min_rtt=1801&rtt_var=900&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=748&delivery_rate=0&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 31 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 59 dd 8e e3 b6 15 be 9f a7 38 cb 2d 10 0f 60 49 f6 64 76 33 33 6b 39 48 26 1b 20 40 fe d0 4e 90 06 db c5 80 26 8f 2c ce 50 a4 96 a4 ec 71 b2 0b 04 bd e8 13 f4 05 7a 59 f4 26 17 0d d0 a2 c8 4d 9e 60 f2 0a 7d 92 82 94 64 cb 1e db 3b d9 26 28 aa 0b 8b 3a fa ce e1 39 87 e7 87 94 47 0f 3e f8 ec fc e2 ab cf 9f 42 ee 0a 39 3e 18 f9 1b 48 aa Data Ascii: 913Y8-`Idv33k9H& @N&,PqzY&M`}d;&(:9G>B9>H
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 08:10:22 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingSet-Cookie: JSESSID=id9nkunush8tkce809imjru7m9oplnbd; expires=Thu, 13-Feb-2025 08:10:22 GMT; Max-Age=604800; path=/; secure; HttpOnly; SameSite=NoneExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cachecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L0M77AjvuSsKbNPNmqEoDhRZs0SNmjt4KaWKAFIEZuNjA7LbV%2Br419PDuOvRFnbpw5D9jHl5IRlsZ9lIiMtZxLBIp9oEB3ar%2BFmDbtZ2vOoygMAcs9ko27BoLmkZFK84CUvLX3%2BK"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90d9a9cfbff28ce9-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1994&min_rtt=1994&rtt_var=997&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=768&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 31 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 59 dd 8e e3 b6 15 be 9f a7 38 cb 2d 10 0f 60 49 f6 64 76 33 33 6b 39 48 26 1b 20 40 fe d0 4e 90 06 db c5 80 26 8f 2c ce 50 a4 96 a4 ec 71 b2 0b 04 bd e8 13 f4 05 7a 59 f4 26 17 0d d0 a2 c8 4d 9e 60 f2 0a 7d 92 82 94 64 cb 1e db 3b d9 26 28 aa 0b 8b 3a fa ce e1 39 87 e7 87 94 47 0f 3e f8 ec fc e2 ab cf 9f 42 ee 0a 39 3e 18 f9 1b 48 aa a6 29 31 d5 e5 6f bf 20 9e 86 94 8f 0f 00 00 46 Data Ascii: 913Y8-`Idv33k9H& @N&,PqzY&M`}d;&(:9G>B9>H)1o F
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 08:10:24 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingSet-Cookie: JSESSID=u3u4hq0g83ealisenjeu2kvojg4sae2d; expires=Thu, 13-Feb-2025 08:10:24 GMT; Max-Age=604800; path=/; secure; HttpOnly; SameSite=NoneExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cachecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z6j3oQogy0Gm2qAzreBS1%2B%2FpkEckhjs3OWxAWVex92E7Gq9VWBLn7Eq7AJHYxbe%2FRwQYM3m%2Ffxo1EUGXu64NheLjo6mbOpklogupT%2FPiHOS22ryZfG39u7yhcfS6jmN2xY8L2SpG"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90d9a9dfaa0441cf-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1744&min_rtt=1744&rtt_var=872&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1781&delivery_rate=0&cwnd=175&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 31 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 59 dd 8e e3 b6 15 be 9f a7 38 cb 2d 10 0f 60 49 f6 64 76 33 33 6b 39 48 26 1b 20 40 fe d0 4e 90 06 db c5 80 26 8f 2c ce 50 a4 96 a4 ec 71 b2 0b 04 bd e8 13 f4 05 7a 59 f4 26 17 0d d0 a2 c8 4d 9e 60 f2 0a 7d 92 82 94 64 cb 1e db 3b d9 26 28 aa 0b 8b 3a fa ce e1 39 87 e7 87 94 47 0f 3e f8 ec fc e2 ab cf 9f 42 ee 0a 39 3e 18 f9 1b 48 aa a6 29 31 d5 e5 6f bf 20 9e 86 94 Data Ascii: 913Y8-`Idv33k9H& @N&,PqzY&M`}d;&(:9G>B9>H)1o
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 08:10:27 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingSet-Cookie: JSESSID=emhu1lfq12bosm01ctu5grs3dv5i3sst; expires=Thu, 13-Feb-2025 08:10:27 GMT; Max-Age=604800; path=/; secure; HttpOnly; SameSite=NoneExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cachecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AX7v2FP%2Bpw%2Bv5jpQjm4WkvlnVjP5ZMt9E1J1GYxukUQi5gKIah6PdlckeGVk3Cod6rsksO4NJdOXWeT%2F3JWzt4BWWxDa1CwJWafFJpLPuYI%2Faev0BAKeMcvl4oTxkyzRP%2FNtmP3m"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90d9a9efa94ec46d-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1463&min_rtt=1463&rtt_var=731&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=479&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 38 34 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 5f 52 55 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 0a 20 20 20 20 20 20 20 20 20 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 2c 20 69 6e 69 74 69 61 Data Ascii: 84b<!DOCTYPE html><html lang="ru_RU"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, user-scalable=no, initia
                Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 06 Feb 2025 08:10:34 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 06 Feb 2025 08:10:36 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 06 Feb 2025 08:10:39 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
                Source: RFQ RFQ-BA-00090303885-xlsx.exe, dWLOfOG.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                Source: RFQ RFQ-BA-00090303885-xlsx.exe, dWLOfOG.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                Source: MuiUnattend.exe, 00000014.00000002.3773883190.0000000004C88000.00000004.10000000.00040000.00000000.sdmp, MuiUnattend.exe, 00000014.00000002.3775575252.0000000006030000.00000004.00000800.00020000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000015.00000002.3771953349.0000000003DA8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://digi-searches.com/px.js?ch=1
                Source: MuiUnattend.exe, 00000014.00000002.3773883190.0000000004C88000.00000004.10000000.00040000.00000000.sdmp, MuiUnattend.exe, 00000014.00000002.3775575252.0000000006030000.00000004.00000800.00020000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000015.00000002.3771953349.0000000003DA8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://digi-searches.com/px.js?ch=2
                Source: MuiUnattend.exe, 00000014.00000002.3773883190.0000000004C88000.00000004.10000000.00040000.00000000.sdmp, MuiUnattend.exe, 00000014.00000002.3775575252.0000000006030000.00000004.00000800.00020000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000015.00000002.3771953349.0000000003DA8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://digi-searches.com/sk-logabpstatus.php?a=eEhGRjNkOFVVYUhtbk5GeGxhbHN1VmdRTEdTOU5teW9ENERRMjc1V
                Source: RFQ RFQ-BA-00090303885-xlsx.exe, dWLOfOG.exe.0.drString found in binary or memory: http://ocsp.comodoca.com0
                Source: RFQ RFQ-BA-00090303885-xlsx.exe, 00000000.00000002.1386554141.000000000298D000.00000004.00000800.00020000.00000000.sdmp, RFQ RFQ-BA-00090303885-xlsx.exe, 00000000.00000002.1386554141.0000000002711000.00000004.00000800.00020000.00000000.sdmp, dWLOfOG.exe, 0000000B.00000002.1570152241.0000000003195000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: MuiUnattend.exe, 00000014.00000002.3773883190.00000000044AE000.00000004.10000000.00040000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000015.00000002.3771953349.00000000035CE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.jyshe18.buzz/
                Source: mCMv4ksWR9vP9.exe, 00000015.00000002.3774270647.0000000004ECB000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.wuyyv4tq.top
                Source: mCMv4ksWR9vP9.exe, 00000015.00000002.3774270647.0000000004ECB000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.wuyyv4tq.top/3rpf/
                Source: MuiUnattend.exe, 00000014.00000002.3775707735.0000000007AEB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: MuiUnattend.exe, 00000014.00000002.3775707735.0000000007AEB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: MuiUnattend.exe, 00000014.00000002.3773883190.0000000004FAC000.00000004.10000000.00040000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000015.00000002.3771953349.00000000040CC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdn.jsdelivr.net/npm/yandex-metrica-watch/tag.js
                Source: MuiUnattend.exe, 00000014.00000002.3775707735.0000000007AEB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: MuiUnattend.exe, 00000014.00000002.3775707735.0000000007AEB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: mCMv4ksWR9vP9.exe, 00000015.00000002.3771953349.0000000003DA8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://dts.gnpge.com
                Source: MuiUnattend.exe, 00000014.00000002.3775707735.0000000007AEB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: MuiUnattend.exe, 00000014.00000002.3775707735.0000000007AEB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: MuiUnattend.exe, 00000014.00000002.3775707735.0000000007AEB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: MuiUnattend.exe, 00000014.00000002.3773883190.0000000004964000.00000004.10000000.00040000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000015.00000002.3771953349.0000000003A84000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://error.skycloud.tw/system/error?code=400
                Source: MuiUnattend.exe, 00000014.00000002.3773883190.000000000418A000.00000004.10000000.00040000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000015.00000002.3771953349.00000000032AA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Open
                Source: MuiUnattend.exe, 00000014.00000002.3761306354.0000000002E89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: MuiUnattend.exe, 00000014.00000002.3761306354.0000000002E89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: MuiUnattend.exe, 00000014.00000002.3761306354.0000000002E89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: MuiUnattend.exe, 00000014.00000002.3761306354.0000000002E89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033$
                Source: MuiUnattend.exe, 00000014.00000002.3761306354.0000000002E89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: MuiUnattend.exe, 00000014.00000002.3761306354.0000000002E89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: MuiUnattend.exe, 00000014.00000003.1814811975.0000000007ACA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: RFQ RFQ-BA-00090303885-xlsx.exe, dWLOfOG.exe.0.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                Source: MuiUnattend.exe, 00000014.00000002.3775707735.0000000007AEB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: MuiUnattend.exe, 00000014.00000002.3773883190.0000000003FF8000.00000004.10000000.00040000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000015.00000002.3771953349.0000000003118000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: mCMv4ksWR9vP9.exe, 00000015.00000002.3771953349.000000000343C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.strato.de

                E-Banking Fraud

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000A.00000002.1631596445.0000000001800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.3771626831.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.3759244019.0000000002940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.3774270647.0000000004E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.3771561486.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.1630090977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000013.00000002.3771790216.0000000002380000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.1633416834.0000000001CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                barindex
                Initial sample is a PE file and has a suspicious name
                Source: initial sampleStatic PE information: Filename: RFQ RFQ-BA-00090303885-xlsx.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0042CB93 NtClose,10_2_0042CB93
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0040AD14 NtDelayExecution,10_2_0040AD14
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2B60 NtClose,LdrInitializeThunk,10_2_018E2B60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2DF0 NtQuerySystemInformation,LdrInitializeThunk,10_2_018E2DF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2C70 NtFreeVirtualMemory,LdrInitializeThunk,10_2_018E2C70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E35C0 NtCreateMutant,LdrInitializeThunk,10_2_018E35C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E4340 NtSetContextThread,10_2_018E4340
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E4650 NtSuspendThread,10_2_018E4650
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2B80 NtQueryInformationFile,10_2_018E2B80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2BA0 NtEnumerateValueKey,10_2_018E2BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2BE0 NtQueryValueKey,10_2_018E2BE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2BF0 NtAllocateVirtualMemory,10_2_018E2BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2AB0 NtWaitForSingleObject,10_2_018E2AB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2AD0 NtReadFile,10_2_018E2AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2AF0 NtWriteFile,10_2_018E2AF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2DB0 NtEnumerateKey,10_2_018E2DB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2DD0 NtDelayExecution,10_2_018E2DD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2D00 NtSetInformationFile,10_2_018E2D00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2D10 NtMapViewOfSection,10_2_018E2D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2D30 NtUnmapViewOfSection,10_2_018E2D30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2CA0 NtQueryInformationToken,10_2_018E2CA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2CC0 NtQueryVirtualMemory,10_2_018E2CC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2CF0 NtOpenProcess,10_2_018E2CF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2C00 NtQueryInformationProcess,10_2_018E2C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2C60 NtCreateKey,10_2_018E2C60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2F90 NtProtectVirtualMemory,10_2_018E2F90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2FA0 NtQuerySection,10_2_018E2FA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2FB0 NtResumeThread,10_2_018E2FB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2FE0 NtCreateFile,10_2_018E2FE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2F30 NtCreateSection,10_2_018E2F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2F60 NtCreateProcessEx,10_2_018E2F60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2E80 NtReadVirtualMemory,10_2_018E2E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2EA0 NtAdjustPrivilegesToken,10_2_018E2EA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2EE0 NtQueueApcThread,10_2_018E2EE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2E30 NtWriteVirtualMemory,10_2_018E2E30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E3090 NtSetValueKey,10_2_018E3090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E3010 NtOpenDirectoryObject,10_2_018E3010
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E39B0 NtGetContextThread,10_2_018E39B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E3D10 NtOpenProcessToken,10_2_018E3D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E3D70 NtOpenThread,10_2_018E3D70
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D531980_2_06D53198
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D54B100_2_06D54B10
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D5C6E00_2_06D5C6E0
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D536800_2_06D53680
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D536700_2_06D53670
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D5E4580_2_06D5E458
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D534300_2_06D53430
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D544300_2_06D54430
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D544200_2_06D54420
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D5342B0_2_06D5342B
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D5C2A80_2_06D5C2A8
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D500400_2_06D50040
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D500060_2_06D50006
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D531180_2_06D53118
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D531380_2_06D53138
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D5BE700_2_06D5BE70
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D54FF00_2_06D54FF0
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D54FE10_2_06D54FE1
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D5BA380_2_06D5BA38
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D54B000_2_06D54B00
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D538D80_2_06D538D8
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D538C80_2_06D538C8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00418A3310_2_00418A33
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0040289010_2_00402890
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_004011D010_2_004011D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_004031D010_2_004031D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0042F1F310_2_0042F1F3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0041019A10_2_0041019A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_004101A310_2_004101A3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_004103C310_2_004103C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0040E3A310_2_0040E3A3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0040142010_2_00401420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00416C2E10_2_00416C2E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00416C3310_2_00416C33
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00402CC010_2_00402CC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_004024CF10_2_004024CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_004024D010_2_004024D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0040E4E710_2_0040E4E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0040E4F310_2_0040E4F3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0040E53C10_2_0040E53C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019641A210_2_019641A2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019701AA10_2_019701AA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019681CC10_2_019681CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A010010_2_018A0100
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194A11810_2_0194A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0193815810_2_01938158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194200010_2_01942000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019703E610_2_019703E6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018BE3F010_2_018BE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0196A35210_2_0196A352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019302C010_2_019302C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0195027410_2_01950274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0197059110_2_01970591
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B053510_2_018B0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0195E4F610_2_0195E4F6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0195442010_2_01954420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0196244610_2_01962446
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AC7C010_2_018AC7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D475010_2_018D4750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B077010_2_018B0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CC6E010_2_018CC6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B29A010_2_018B29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0197A9A610_2_0197A9A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C696210_2_018C6962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018968B810_2_018968B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DE8F010_2_018DE8F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018BA84010_2_018BA840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B284010_2_018B2840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01966BD710_2_01966BD7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0196AB4010_2_0196AB40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AEA8010_2_018AEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C8DBF10_2_018C8DBF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AADE010_2_018AADE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018BAD0010_2_018BAD00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194CD1F10_2_0194CD1F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01950CB510_2_01950CB5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A0CF210_2_018A0CF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B0C0010_2_018B0C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0192EFA010_2_0192EFA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A2FC810_2_018A2FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018BCFE010_2_018BCFE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01952F3010_2_01952F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018F2F2810_2_018F2F28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D0F3010_2_018D0F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01924F4010_2_01924F40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0196CE9310_2_0196CE93
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C2E9010_2_018C2E90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0196EEDB10_2_0196EEDB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0196EE2610_2_0196EE26
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B0E5910_2_018B0E59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018BB1B010_2_018BB1B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E516C10_2_018E516C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0189F17210_2_0189F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0197B16B10_2_0197B16B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B70C010_2_018B70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0195F0CC10_2_0195F0CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0196F0E010_2_0196F0E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019670E910_2_019670E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018F739A10_2_018F739A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0196132D10_2_0196132D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0189D34C10_2_0189D34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B52A010_2_018B52A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CB2C010_2_018CB2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019512ED10_2_019512ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194D5B010_2_0194D5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019795C310_2_019795C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0196757110_2_01967571
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0196F43F10_2_0196F43F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A146010_2_018A1460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0196F7B010_2_0196F7B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019616CC10_2_019616CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018F563010_2_018F5630
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194591010_2_01945910
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B995010_2_018B9950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CB95010_2_018CB950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B38E010_2_018B38E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0191D80010_2_0191D800
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CFB8010_2_018CFB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01925BF010_2_01925BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018EDBF910_2_018EDBF9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0196FB7610_2_0196FB76
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018F5AA010_2_018F5AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01951AA310_2_01951AA3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194DAAC10_2_0194DAAC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0195DAC610_2_0195DAC6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01967A4610_2_01967A46
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0196FA4910_2_0196FA49
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01923A6C10_2_01923A6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CFDC010_2_018CFDC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B3D4010_2_018B3D40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01961D5A10_2_01961D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01967D7310_2_01967D73
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0196FCF210_2_0196FCF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01929C3210_2_01929C32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B1F9210_2_018B1F92
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0196FFB110_2_0196FFB1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01873FD510_2_01873FD5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01873FD210_2_01873FD2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0196FF0910_2_0196FF09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B9EB010_2_018B9EB0
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_018F4B0111_2_018F4B01
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_057B1F0411_2_057B1F04
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_057B7BC811_2_057B7BC8
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_057B03D811_2_057B03D8
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_057B2D5011_2_057B2D50
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_057B0D9811_2_057B0D98
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_057B0D8811_2_057B0D88
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_057B1EF811_2_057B1EF8
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_057B7BB811_2_057B7BB8
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D7A50811_2_05D7A508
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D7AD2811_2_05D7AD28
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D7B72811_2_05D7B728
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D7C63811_2_05D7C638
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D7C5D211_2_05D7C5D2
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D7EDD011_2_05D7EDD0
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D7E5C011_2_05D7E5C0
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D7EDE011_2_05D7EDE0
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D7D59311_2_05D7D593
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D7E5B011_2_05D7E5B0
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D7E5B811_2_05D7E5B8
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D745A111_2_05D745A1
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D7AD1B11_2_05D7AD1B
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D7A4F911_2_05D7A4F9
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D7D77011_2_05D7D770
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D7D76011_2_05D7D760
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D7B71811_2_05D7B718
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D72E7811_2_05D72E78
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D7961911_2_05D79619
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D7962811_2_05D79628
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D7E9D011_2_05D7E9D0
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D7D9F811_2_05D7D9F8
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D7E9E011_2_05D7E9E0
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D7EB5011_2_05D7EB50
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D7EB4011_2_05D7EB40
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_074A319811_2_074A3198
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_074A367011_2_074A3670
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_074AC6E011_2_074AC6E0
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_074A368011_2_074A3680
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_074AE45811_2_074AE458
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_074A342011_2_074A3420
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_074A442011_2_074A4420
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_074A343011_2_074A3430
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_074A443011_2_074A4430
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_074AC2A811_2_074AC2A8
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_074A311811_2_074A3118
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_074A313A11_2_074A313A
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_074A004011_2_074A0040
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_074A000611_2_074A0006
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_074A4FE111_2_074A4FE1
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_074A4FF011_2_074A4FF0
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_074ABE7011_2_074ABE70
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_074A4B0011_2_074A4B00
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_074A4B1011_2_074A4B10
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_074ABA3811_2_074ABA38
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_074A38C811_2_074A38C8
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_074A38D811_2_074A38D8
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_0772271011_2_07722710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0176010018_2_01760100
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_017B600018_2_017B6000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_017F02C018_2_017F02C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0177053518_2_01770535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0177077018_2_01770770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0179475018_2_01794750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0176C7C018_2_0176C7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0178C6E018_2_0178C6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0178696218_2_01786962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_017729A018_2_017729A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0177284018_2_01772840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0177A84018_2_0177A840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0179E8F018_2_0179E8F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_017568B818_2_017568B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_017A889018_2_017A8890
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0176EA8018_2_0176EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0177ED7A18_2_0177ED7A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0177AD0018_2_0177AD00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0176ADE018_2_0176ADE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_01778DC018_2_01778DC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_01788DBF18_2_01788DBF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_01770C0018_2_01770C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_01760CF218_2_01760CF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_017E4F4018_2_017E4F40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_01790F3018_2_01790F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_017B2F2818_2_017B2F28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_01762FC818_2_01762FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_017EEFA018_2_017EEFA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_01770E5918_2_01770E59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_01782E9018_2_01782E90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0175F17218_2_0175F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_017A516C18_2_017A516C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0177B1B018_2_0177B1B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0175D34C18_2_0175D34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_017733F318_2_017733F3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0178D2F018_2_0178D2F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0178B2C018_2_0178B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_017752A018_2_017752A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0176146018_2_01761460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_017B74E018_2_017B74E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0177349718_2_01773497
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0177B73018_2_0177B730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0177995018_2_01779950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0178B95018_2_0178B950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0177599018_2_01775990
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_017DD80018_2_017DD800
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_017738E018_2_017738E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_017ADBF918_2_017ADBF9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_017E5BF018_2_017E5BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0178FB8018_2_0178FB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_017E3A6C18_2_017E3A6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_01773D4018_2_01773D40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_0178FDC018_2_0178FDC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_017E9C3218_2_017E9C32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_01789C2018_2_01789C20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_01771F9218_2_01771F92
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_01779EB018_2_01779EB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0189B970 appears 277 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 017B7E54 appears 97 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 017DEA12 appears 37 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0191EA12 appears 86 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 018E5130 appears 58 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 018F7E54 appears 111 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0192F290 appears 105 times
                Source: RFQ RFQ-BA-00090303885-xlsx.exeStatic PE information: invalid certificate
                Source: RFQ RFQ-BA-00090303885-xlsx.exe, 00000000.00000000.1285869312.00000000002F2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameLAdH.exe: vs RFQ RFQ-BA-00090303885-xlsx.exe
                Source: RFQ RFQ-BA-00090303885-xlsx.exe, 00000000.00000002.1389296441.0000000003F71000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs RFQ RFQ-BA-00090303885-xlsx.exe
                Source: RFQ RFQ-BA-00090303885-xlsx.exe, 00000000.00000002.1394074597.0000000006B44000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePo vs RFQ RFQ-BA-00090303885-xlsx.exe
                Source: RFQ RFQ-BA-00090303885-xlsx.exe, 00000000.00000002.1394074597.0000000006B44000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs RFQ RFQ-BA-00090303885-xlsx.exe
                Source: RFQ RFQ-BA-00090303885-xlsx.exe, 00000000.00000002.1394074597.0000000006B44000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXEj% vs RFQ RFQ-BA-00090303885-xlsx.exe
                Source: RFQ RFQ-BA-00090303885-xlsx.exe, 00000000.00000002.1378935959.00000000008BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs RFQ RFQ-BA-00090303885-xlsx.exe
                Source: RFQ RFQ-BA-00090303885-xlsx.exe, 00000000.00000002.1395473737.0000000009920000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs RFQ RFQ-BA-00090303885-xlsx.exe
                Source: RFQ RFQ-BA-00090303885-xlsx.exeBinary or memory string: OriginalFilenameLAdH.exe: vs RFQ RFQ-BA-00090303885-xlsx.exe
                Source: RFQ RFQ-BA-00090303885-xlsx.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: RFQ RFQ-BA-00090303885-xlsx.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: dWLOfOG.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, gVsjeKJQpDUbRBR3M5.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, gVsjeKJQpDUbRBR3M5.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, gVsjeKJQpDUbRBR3M5.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, QtQD7vf6uqu57soP7n.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, QtQD7vf6uqu57soP7n.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, QtQD7vf6uqu57soP7n.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, QtQD7vf6uqu57soP7n.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, QtQD7vf6uqu57soP7n.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, QtQD7vf6uqu57soP7n.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, gVsjeKJQpDUbRBR3M5.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, gVsjeKJQpDUbRBR3M5.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, gVsjeKJQpDUbRBR3M5.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, gVsjeKJQpDUbRBR3M5.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, gVsjeKJQpDUbRBR3M5.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, gVsjeKJQpDUbRBR3M5.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@27/16@16/10
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeFile created: C:\Users\user\AppData\Roaming\dWLOfOG.exeJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8112:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8164:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8140:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8056:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeMutant created: \Sessions\1\BaseNamedObjects\BosTxZbdVTgdjuqSpN
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeFile created: C:\Users\user\AppData\Local\Temp\tmpC38C.tmpJump to behavior
                Source: RFQ RFQ-BA-00090303885-xlsx.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: RFQ RFQ-BA-00090303885-xlsx.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: MuiUnattend.exe, 00000014.00000003.1817024712.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, MuiUnattend.exe, 00000014.00000002.3761306354.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, MuiUnattend.exe, 00000014.00000002.3761306354.0000000002F20000.00000004.00000020.00020000.00000000.sdmp, MuiUnattend.exe, 00000014.00000003.1816205382.0000000002ED2000.00000004.00000020.00020000.00000000.sdmp, MuiUnattend.exe, 00000014.00000002.3761306354.0000000002EFD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: RFQ RFQ-BA-00090303885-xlsx.exeVirustotal: Detection: 50%
                Source: RFQ RFQ-BA-00090303885-xlsx.exeReversingLabs: Detection: 36%
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeFile read: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe "C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe"
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dWLOfOG.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWLOfOG" /XML "C:\Users\user\AppData\Local\Temp\tmpC38C.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\dWLOfOG.exe C:\Users\user\AppData\Roaming\dWLOfOG.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWLOfOG" /XML "C:\Users\user\AppData\Local\Temp\tmpFBF1.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeProcess created: C:\Windows\SysWOW64\MuiUnattend.exe "C:\Windows\SysWOW64\MuiUnattend.exe"
                Source: C:\Windows\SysWOW64\MuiUnattend.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe"Jump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dWLOfOG.exe"Jump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWLOfOG" /XML "C:\Users\user\AppData\Local\Temp\tmpC38C.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWLOfOG" /XML "C:\Users\user\AppData\Local\Temp\tmpFBF1.tmp"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeProcess created: C:\Windows\SysWOW64\MuiUnattend.exe "C:\Windows\SysWOW64\MuiUnattend.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: iconcodecservice.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: iconcodecservice.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: ieframe.dllJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: netapi32.dllJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: mlang.dllJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: winsqlite3.dllJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: vaultcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeSection loaded: wininet.dll
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeSection loaded: mswsock.dll
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeSection loaded: dnsapi.dll
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeSection loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeSection loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeSection loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: RFQ RFQ-BA-00090303885-xlsx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: RFQ RFQ-BA-00090303885-xlsx.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: RegSvcs.pdb, source: MuiUnattend.exe, 00000014.00000002.3761306354.0000000002E6E000.00000004.00000020.00020000.00000000.sdmp, MuiUnattend.exe, 00000014.00000002.3773883190.00000000038EC000.00000004.10000000.00040000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000015.00000000.1697991244.0000000002A0C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.1932683390.000000001B19C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000A.00000002.1631935110.0000000001870000.00000040.00001000.00020000.00000000.sdmp, MuiUnattend.exe, 00000014.00000002.3771957310.000000000345E000.00000040.00001000.00020000.00000000.sdmp, MuiUnattend.exe, 00000014.00000002.3771957310.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, MuiUnattend.exe, 00000014.00000003.1632504765.0000000003110000.00000004.00000020.00020000.00000000.sdmp, MuiUnattend.exe, 00000014.00000003.1630324082.0000000002F62000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000A.00000002.1631935110.0000000001870000.00000040.00001000.00020000.00000000.sdmp, MuiUnattend.exe, 00000014.00000002.3771957310.000000000345E000.00000040.00001000.00020000.00000000.sdmp, MuiUnattend.exe, 00000014.00000002.3771957310.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, MuiUnattend.exe, 00000014.00000003.1632504765.0000000003110000.00000004.00000020.00020000.00000000.sdmp, MuiUnattend.exe, 00000014.00000003.1630324082.0000000002F62000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: MUIUnattend.pdbGCTL source: RegSvcs.exe, 0000000A.00000002.1630441987.0000000001318000.00000004.00000020.00020000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000013.00000003.1569495632.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000013.00000002.3765420812.0000000000808000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: MUIUnattend.pdb source: RegSvcs.exe, 0000000A.00000002.1630441987.0000000001318000.00000004.00000020.00020000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000013.00000003.1569495632.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000013.00000002.3765420812.0000000000808000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: RegSvcs.pdb source: MuiUnattend.exe, 00000014.00000002.3761306354.0000000002E6E000.00000004.00000020.00020000.00000000.sdmp, MuiUnattend.exe, 00000014.00000002.3773883190.00000000038EC000.00000004.10000000.00040000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000015.00000000.1697991244.0000000002A0C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.1932683390.000000001B19C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: mCMv4ksWR9vP9.exe, 00000013.00000000.1557225315.000000000063F000.00000002.00000001.01000000.0000000E.sdmp, mCMv4ksWR9vP9.exe, 00000015.00000002.3761312801.000000000063F000.00000002.00000001.01000000.0000000E.sdmp

                Data Obfuscation

                barindex
                .NET source code contains potential unpacker
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, gVsjeKJQpDUbRBR3M5.cs.Net Code: GriAZFAoK8 System.Reflection.Assembly.Load(byte[])
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, gVsjeKJQpDUbRBR3M5.cs.Net Code: GriAZFAoK8 System.Reflection.Assembly.Load(byte[])
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, gVsjeKJQpDUbRBR3M5.cs.Net Code: GriAZFAoK8 System.Reflection.Assembly.Load(byte[])
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.3759f78.0.raw.unpack, MainForm.cs.Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D526D1 push es; iretd 0_2_06D526EC
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D524D1 push es; ret 0_2_06D524EC
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D524ED push es; retf 0_2_06D52510
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeCode function: 0_2_06D52556 push es; ret 0_2_06D52634
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00418860 push ss; iretd 10_2_0041885F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0040D8BC push ebx; ret 10_2_0040D8BD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00418265 pushad ; retf 10_2_0041826B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00403470 push eax; ret 10_2_00403472
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0040CCC7 push es; iretd 10_2_0040CCC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0040D496 push ecx; ret 10_2_0040D4A1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0041F503 push ds; retf 10_2_0041F518
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00411E5B push esi; retf 10_2_00411E6E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00411E63 push esi; retf 10_2_00411E6E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00401E68 push ebx; ret 10_2_00401E73
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00401E34 push ebx; ret 10_2_00401E73
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0187225F pushad ; ret 10_2_018727F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018727FA pushad ; ret 10_2_018727F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A09AD push ecx; mov dword ptr [esp], ecx10_2_018A09B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0187283D push eax; iretd 10_2_01872858
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01871368 push eax; iretd 10_2_01871369
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D7AC98 push eax; iretd 11_2_05D7AC99
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_05D7C0D0 push cs; ret 11_2_05D7C0D1
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_07721788 pushfd ; iretd 11_2_07721789
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeCode function: 11_2_07720564 pushfd ; ret 11_2_07720565
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_017AC54D pushfd ; ret 18_2_017AC54E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_017AC9D7 push edi; ret 18_2_017AC9D9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_017609AD push ecx; mov dword ptr [esp], ecx18_2_017609B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_01731FEC push eax; iretd 18_2_01731FED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_017B7E99 push ecx; ret 18_2_017B7EAC
                Source: RFQ RFQ-BA-00090303885-xlsx.exeStatic PE information: section name: .text entropy: 7.720452028584574
                Source: dWLOfOG.exe.0.drStatic PE information: section name: .text entropy: 7.720452028584574
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, USF0E1lkyOmJtNgOwU.csHigh entropy of concatenated method names: 'ztw4XRol7F', 'SKl4jLyb1g', 'qpPFw9Lf8k', 'u7aFsUPZ78', 'bwY4mKm7EH', 'HF34o0rk9E', 'nDl400mRS1', 'eeS4dAx9MC', 'a494tXbInn', 'PNu4WSSfKr'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, QtQD7vf6uqu57soP7n.csHigh entropy of concatenated method names: 'BJTudrfL48', 'Ex3utWiZYc', 'UH5uW61t25', 'rs1uaqgfci', 'Umtu6pbS5q', 'xOVul3PePn', 'N3NunROEMi', 'wiHuXVubFy', 'YP7u3TVJ5V', 'WAjujAaOXB'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, qpZi8NswqDitIFFCPKF.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xHTPmPFiZk', 'PnsPoyVtDa', 'TnZP0yQD0v', 'LlXPdpZGUQ', 'M4ePtXubeZ', 'Sf9PWtp0Sl', 'vPpPaK8tGT'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, wIuOPWjfPCAmBkTRpI.csHigh entropy of concatenated method names: 'oy3Pe1xE3N', 'u6iPQMgsCU', 'p4hP9TNdlh', 'mmmPDJgRZL', 'GPJPCca34j', 'tmePJOJSxY', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, aToKUIddgDWV59fcKE.csHigh entropy of concatenated method names: 'VjBI1FZodJ', 'SprIoHOOpa', 'QaDIdASlJG', 'Ty4ItA6JnV', 'V0iIyMRei3', 'lipIGnHTNp', 'vrpISS7mIn', 'RoGIN5VV74', 'R5dIpAYD2f', 'yv0IkDbwPx'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, mh5YdKg5YAx0O3ro0y.csHigh entropy of concatenated method names: 'r19QVZsmlh', 'XwFQHqUeys', 'bpOeGoBl53', 'IjieSptIgN', 'DLxeNbovUq', 'HsOep2S0QR', 'pwkekwNG8D', 'SiAeKn1xp3', 'OXweOSrKR4', 'YRue1Bk6L0'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, rFn4dSWHabIMBBREC4.csHigh entropy of concatenated method names: 'ToString', 'wUXxmHnrve', 'wxcxyfYaa5', 'FfSxGEDxe1', 'HIhxS2ftRe', 'EZFxNakvUD', 'EXwxpkGygG', 'aQVxkek4cY', 'WxXxKbjM8G', 'LIrxOFOa75'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, m0t2WhasqAmgchr8ph.csHigh entropy of concatenated method names: 'hgW4vE36r2', 'dXU429I8Vb', 'ToString', 'eEu47V2LG4', 'AVb4uV7PYJ', 'SXM4eZ3cCG', 'PPv4Qjr5lE', 'glj49BQaUo', 'JgC4DQqUPn', 'JbH4JNhfgr'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, rLKROOA0rwU3lgeo6r.csHigh entropy of concatenated method names: 'cg0sDtQD7v', 'UuqsJu57so', 'iClsvYP028', 'tHgs2Ivh5Y', 'XrosI0yid4', 'FSbsxKc58g', 'JJBIUO0gFLU19NAgx3', 'HZeQ77TPCkFmAaTxhb', 'sn8ssQpiMf', 'TwNsLrIMsM'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, I7iHkju2LMZMv7knYd.csHigh entropy of concatenated method names: 'Dispose', 'WqXs3hgRK0', 'tYFhygDp1m', 'zf8kZ1OUyl', 'lxqsjP0kbg', 'qJoszQ0uBT', 'ProcessDialogKey', 'WTYhw52iGK', 'hFGhsnmxdT', 'nEvhhiIuOP'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, fLt86BssU5XaJRSHrKC.csHigh entropy of concatenated method names: 'eIvPjqkvhX', 'nr1PzL2bsw', 'SeqMwWkxBK', 'b5RMs8pogE', 'aS1MhpCn8c', 'uyIMLjL0Rj', 'pFnMAdBXeE', 'sIHMUEGkGY', 'KIxM7O5gJc', 'TmpMutcOZQ'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, OI3PInsAfCuKgXRWoyL.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oEDYC49JWX', 'oESYPuU6DV', 'YO9YMCmMHh', 'farYYFSwn9', 'aX1YThvJTR', 'mvdYipLUyZ', 'l5kYrRSWDQ'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, j5DlZIshOvTjF9R5EU3.csHigh entropy of concatenated method names: 'ToString', 'SPbMfRD1rB', 'xvOMcH6bc7', 'FioMgDv9bk', 'zDpMRvW6to', 'p8WMy7g1fx', 'nkoMG5spvV', 'HWTMS6hQjI', 'VowJe5jhwCC95rPi85O', 'hapyVtj004FdvGqhRks'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, BKPueRhNAEWLtKZuW0.csHigh entropy of concatenated method names: 'KUtZ6u4yN', 'IClbGgL6s', 'Oq9qNprsI', 'xBdHuhIKt', 'RpYcWY4F8', 'NGhg6LArc', 'IJRjbmtEZTBq5JFUnE', 'evM5vAlTP1GmPssVFG', 'sTlFTiGMy', 'iKVPQKfp0'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, u52iGK3QFGnmxdT5Ev.csHigh entropy of concatenated method names: 'hTfCRHIqyQ', 'aqVCyWKSBp', 'MNoCGHYXXv', 'fu8CSQTe4j', 'fS0CNiy6DW', 'HEGCp2KdK4', 'QEBCkvH4gY', 'v5dCKjNHm5', 'QAPCOZDral', 'HlNC1XdoZA'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, A5BcrpnUPXqXhgRK08.csHigh entropy of concatenated method names: 'AX9CI4Hnd8', 'KeCC4ihpq3', 'n7LCC870B4', 'UP5CMMiHEI', 'JSeCTweRTq', 'EUYCrcvkKW', 'Dispose', 'SXUF7wDKxF', 'cJyFudk2s4', 'D84FeiG0Gf'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, WFxPoO0gaMug4rce0w.csHigh entropy of concatenated method names: 'rhU5fu25Aw', 'tSB5cGJa2F', 'Xt65RC5ds2', 'zwh5yQtFdd', 'Ysn5SuoqDW', 'PoM5NxjBfy', 'Bbw5kRSNUC', 'VeD5KBKBLq', 'fMm51sOhw8', 'M9o5meUQ1f'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, NU9187zXgHJIFQ1KZC.csHigh entropy of concatenated method names: 'lTmPqdispH', 'pwmPfj7sBC', 'p3PPc356CF', 'eaNPRDkmcg', 'dBpPyvb8hT', 'OgCPSnvsLb', 'k2XPNbZxjr', 'Y1uPrIAOGI', 'j4hPBvlFK6', 'AbbPEBmcgJ'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, bA5XJ3kIIYWKYWRVaO.csHigh entropy of concatenated method names: 'OkQD7KxheM', 'v7HDe7nSiW', 'YAtD9CJRy2', 'q549jg2vdJ', 'FZg9zUbQdx', 'SPnDwZhpvj', 'TVyDsmvtMV', 'VFcDhqOpK4', 'ONnDLqKwac', 'eMfDAkDnQa'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, wd4gSbRKc58gcQ2JJu.csHigh entropy of concatenated method names: 'H0t9U6dlEr', 'UGo9uO7EAB', 'Ewx9Q1lxfm', 'KOD9D0KEi4', 'gIe9JpZcRn', 'GxrQ6rFppM', 'rbhQlTRURI', 'AMDQnfEuEk', 'wpMQXR4d9A', 'pphQ3HD1Hi'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, DZw9U7O3bbhkOo7gUy.csHigh entropy of concatenated method names: 'palDBeiQAd', 'XkHDE1IoSG', 'nWCDZSuK5G', 'vpVDbiXivF', 'sStDVaBhuB', 'ehiDqTsUIE', 'srXDHoYpXn', 'g9nDfjWB8O', 'WDfDcpq8FS', 'fBcDgBUGrG'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.9920000.6.raw.unpack, gVsjeKJQpDUbRBR3M5.csHigh entropy of concatenated method names: 'bEDLUgV0SX', 'L8gL7ic0b0', 'nJnLuBTIB0', 'SWoLeB0vFh', 'EPDLQ3QZc6', 'Ig0L9sxS4p', 'vNrLDRMjB7', 'xeeLJOoiJb', 'albL8VwyWi', 'hwCLvRRFtQ'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, USF0E1lkyOmJtNgOwU.csHigh entropy of concatenated method names: 'ztw4XRol7F', 'SKl4jLyb1g', 'qpPFw9Lf8k', 'u7aFsUPZ78', 'bwY4mKm7EH', 'HF34o0rk9E', 'nDl400mRS1', 'eeS4dAx9MC', 'a494tXbInn', 'PNu4WSSfKr'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, QtQD7vf6uqu57soP7n.csHigh entropy of concatenated method names: 'BJTudrfL48', 'Ex3utWiZYc', 'UH5uW61t25', 'rs1uaqgfci', 'Umtu6pbS5q', 'xOVul3PePn', 'N3NunROEMi', 'wiHuXVubFy', 'YP7u3TVJ5V', 'WAjujAaOXB'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, qpZi8NswqDitIFFCPKF.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xHTPmPFiZk', 'PnsPoyVtDa', 'TnZP0yQD0v', 'LlXPdpZGUQ', 'M4ePtXubeZ', 'Sf9PWtp0Sl', 'vPpPaK8tGT'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, wIuOPWjfPCAmBkTRpI.csHigh entropy of concatenated method names: 'oy3Pe1xE3N', 'u6iPQMgsCU', 'p4hP9TNdlh', 'mmmPDJgRZL', 'GPJPCca34j', 'tmePJOJSxY', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, aToKUIddgDWV59fcKE.csHigh entropy of concatenated method names: 'VjBI1FZodJ', 'SprIoHOOpa', 'QaDIdASlJG', 'Ty4ItA6JnV', 'V0iIyMRei3', 'lipIGnHTNp', 'vrpISS7mIn', 'RoGIN5VV74', 'R5dIpAYD2f', 'yv0IkDbwPx'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, mh5YdKg5YAx0O3ro0y.csHigh entropy of concatenated method names: 'r19QVZsmlh', 'XwFQHqUeys', 'bpOeGoBl53', 'IjieSptIgN', 'DLxeNbovUq', 'HsOep2S0QR', 'pwkekwNG8D', 'SiAeKn1xp3', 'OXweOSrKR4', 'YRue1Bk6L0'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, rFn4dSWHabIMBBREC4.csHigh entropy of concatenated method names: 'ToString', 'wUXxmHnrve', 'wxcxyfYaa5', 'FfSxGEDxe1', 'HIhxS2ftRe', 'EZFxNakvUD', 'EXwxpkGygG', 'aQVxkek4cY', 'WxXxKbjM8G', 'LIrxOFOa75'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, m0t2WhasqAmgchr8ph.csHigh entropy of concatenated method names: 'hgW4vE36r2', 'dXU429I8Vb', 'ToString', 'eEu47V2LG4', 'AVb4uV7PYJ', 'SXM4eZ3cCG', 'PPv4Qjr5lE', 'glj49BQaUo', 'JgC4DQqUPn', 'JbH4JNhfgr'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, rLKROOA0rwU3lgeo6r.csHigh entropy of concatenated method names: 'cg0sDtQD7v', 'UuqsJu57so', 'iClsvYP028', 'tHgs2Ivh5Y', 'XrosI0yid4', 'FSbsxKc58g', 'JJBIUO0gFLU19NAgx3', 'HZeQ77TPCkFmAaTxhb', 'sn8ssQpiMf', 'TwNsLrIMsM'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, I7iHkju2LMZMv7knYd.csHigh entropy of concatenated method names: 'Dispose', 'WqXs3hgRK0', 'tYFhygDp1m', 'zf8kZ1OUyl', 'lxqsjP0kbg', 'qJoszQ0uBT', 'ProcessDialogKey', 'WTYhw52iGK', 'hFGhsnmxdT', 'nEvhhiIuOP'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, fLt86BssU5XaJRSHrKC.csHigh entropy of concatenated method names: 'eIvPjqkvhX', 'nr1PzL2bsw', 'SeqMwWkxBK', 'b5RMs8pogE', 'aS1MhpCn8c', 'uyIMLjL0Rj', 'pFnMAdBXeE', 'sIHMUEGkGY', 'KIxM7O5gJc', 'TmpMutcOZQ'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, OI3PInsAfCuKgXRWoyL.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oEDYC49JWX', 'oESYPuU6DV', 'YO9YMCmMHh', 'farYYFSwn9', 'aX1YThvJTR', 'mvdYipLUyZ', 'l5kYrRSWDQ'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, j5DlZIshOvTjF9R5EU3.csHigh entropy of concatenated method names: 'ToString', 'SPbMfRD1rB', 'xvOMcH6bc7', 'FioMgDv9bk', 'zDpMRvW6to', 'p8WMy7g1fx', 'nkoMG5spvV', 'HWTMS6hQjI', 'VowJe5jhwCC95rPi85O', 'hapyVtj004FdvGqhRks'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, BKPueRhNAEWLtKZuW0.csHigh entropy of concatenated method names: 'KUtZ6u4yN', 'IClbGgL6s', 'Oq9qNprsI', 'xBdHuhIKt', 'RpYcWY4F8', 'NGhg6LArc', 'IJRjbmtEZTBq5JFUnE', 'evM5vAlTP1GmPssVFG', 'sTlFTiGMy', 'iKVPQKfp0'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, u52iGK3QFGnmxdT5Ev.csHigh entropy of concatenated method names: 'hTfCRHIqyQ', 'aqVCyWKSBp', 'MNoCGHYXXv', 'fu8CSQTe4j', 'fS0CNiy6DW', 'HEGCp2KdK4', 'QEBCkvH4gY', 'v5dCKjNHm5', 'QAPCOZDral', 'HlNC1XdoZA'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, A5BcrpnUPXqXhgRK08.csHigh entropy of concatenated method names: 'AX9CI4Hnd8', 'KeCC4ihpq3', 'n7LCC870B4', 'UP5CMMiHEI', 'JSeCTweRTq', 'EUYCrcvkKW', 'Dispose', 'SXUF7wDKxF', 'cJyFudk2s4', 'D84FeiG0Gf'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, WFxPoO0gaMug4rce0w.csHigh entropy of concatenated method names: 'rhU5fu25Aw', 'tSB5cGJa2F', 'Xt65RC5ds2', 'zwh5yQtFdd', 'Ysn5SuoqDW', 'PoM5NxjBfy', 'Bbw5kRSNUC', 'VeD5KBKBLq', 'fMm51sOhw8', 'M9o5meUQ1f'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, NU9187zXgHJIFQ1KZC.csHigh entropy of concatenated method names: 'lTmPqdispH', 'pwmPfj7sBC', 'p3PPc356CF', 'eaNPRDkmcg', 'dBpPyvb8hT', 'OgCPSnvsLb', 'k2XPNbZxjr', 'Y1uPrIAOGI', 'j4hPBvlFK6', 'AbbPEBmcgJ'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, bA5XJ3kIIYWKYWRVaO.csHigh entropy of concatenated method names: 'OkQD7KxheM', 'v7HDe7nSiW', 'YAtD9CJRy2', 'q549jg2vdJ', 'FZg9zUbQdx', 'SPnDwZhpvj', 'TVyDsmvtMV', 'VFcDhqOpK4', 'ONnDLqKwac', 'eMfDAkDnQa'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, wd4gSbRKc58gcQ2JJu.csHigh entropy of concatenated method names: 'H0t9U6dlEr', 'UGo9uO7EAB', 'Ewx9Q1lxfm', 'KOD9D0KEi4', 'gIe9JpZcRn', 'GxrQ6rFppM', 'rbhQlTRURI', 'AMDQnfEuEk', 'wpMQXR4d9A', 'pphQ3HD1Hi'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, DZw9U7O3bbhkOo7gUy.csHigh entropy of concatenated method names: 'palDBeiQAd', 'XkHDE1IoSG', 'nWCDZSuK5G', 'vpVDbiXivF', 'sStDVaBhuB', 'ehiDqTsUIE', 'srXDHoYpXn', 'g9nDfjWB8O', 'WDfDcpq8FS', 'fBcDgBUGrG'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.41b1b88.3.raw.unpack, gVsjeKJQpDUbRBR3M5.csHigh entropy of concatenated method names: 'bEDLUgV0SX', 'L8gL7ic0b0', 'nJnLuBTIB0', 'SWoLeB0vFh', 'EPDLQ3QZc6', 'Ig0L9sxS4p', 'vNrLDRMjB7', 'xeeLJOoiJb', 'albL8VwyWi', 'hwCLvRRFtQ'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, USF0E1lkyOmJtNgOwU.csHigh entropy of concatenated method names: 'ztw4XRol7F', 'SKl4jLyb1g', 'qpPFw9Lf8k', 'u7aFsUPZ78', 'bwY4mKm7EH', 'HF34o0rk9E', 'nDl400mRS1', 'eeS4dAx9MC', 'a494tXbInn', 'PNu4WSSfKr'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, QtQD7vf6uqu57soP7n.csHigh entropy of concatenated method names: 'BJTudrfL48', 'Ex3utWiZYc', 'UH5uW61t25', 'rs1uaqgfci', 'Umtu6pbS5q', 'xOVul3PePn', 'N3NunROEMi', 'wiHuXVubFy', 'YP7u3TVJ5V', 'WAjujAaOXB'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, qpZi8NswqDitIFFCPKF.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xHTPmPFiZk', 'PnsPoyVtDa', 'TnZP0yQD0v', 'LlXPdpZGUQ', 'M4ePtXubeZ', 'Sf9PWtp0Sl', 'vPpPaK8tGT'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, wIuOPWjfPCAmBkTRpI.csHigh entropy of concatenated method names: 'oy3Pe1xE3N', 'u6iPQMgsCU', 'p4hP9TNdlh', 'mmmPDJgRZL', 'GPJPCca34j', 'tmePJOJSxY', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, aToKUIddgDWV59fcKE.csHigh entropy of concatenated method names: 'VjBI1FZodJ', 'SprIoHOOpa', 'QaDIdASlJG', 'Ty4ItA6JnV', 'V0iIyMRei3', 'lipIGnHTNp', 'vrpISS7mIn', 'RoGIN5VV74', 'R5dIpAYD2f', 'yv0IkDbwPx'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, mh5YdKg5YAx0O3ro0y.csHigh entropy of concatenated method names: 'r19QVZsmlh', 'XwFQHqUeys', 'bpOeGoBl53', 'IjieSptIgN', 'DLxeNbovUq', 'HsOep2S0QR', 'pwkekwNG8D', 'SiAeKn1xp3', 'OXweOSrKR4', 'YRue1Bk6L0'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, rFn4dSWHabIMBBREC4.csHigh entropy of concatenated method names: 'ToString', 'wUXxmHnrve', 'wxcxyfYaa5', 'FfSxGEDxe1', 'HIhxS2ftRe', 'EZFxNakvUD', 'EXwxpkGygG', 'aQVxkek4cY', 'WxXxKbjM8G', 'LIrxOFOa75'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, m0t2WhasqAmgchr8ph.csHigh entropy of concatenated method names: 'hgW4vE36r2', 'dXU429I8Vb', 'ToString', 'eEu47V2LG4', 'AVb4uV7PYJ', 'SXM4eZ3cCG', 'PPv4Qjr5lE', 'glj49BQaUo', 'JgC4DQqUPn', 'JbH4JNhfgr'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, rLKROOA0rwU3lgeo6r.csHigh entropy of concatenated method names: 'cg0sDtQD7v', 'UuqsJu57so', 'iClsvYP028', 'tHgs2Ivh5Y', 'XrosI0yid4', 'FSbsxKc58g', 'JJBIUO0gFLU19NAgx3', 'HZeQ77TPCkFmAaTxhb', 'sn8ssQpiMf', 'TwNsLrIMsM'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, I7iHkju2LMZMv7knYd.csHigh entropy of concatenated method names: 'Dispose', 'WqXs3hgRK0', 'tYFhygDp1m', 'zf8kZ1OUyl', 'lxqsjP0kbg', 'qJoszQ0uBT', 'ProcessDialogKey', 'WTYhw52iGK', 'hFGhsnmxdT', 'nEvhhiIuOP'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, fLt86BssU5XaJRSHrKC.csHigh entropy of concatenated method names: 'eIvPjqkvhX', 'nr1PzL2bsw', 'SeqMwWkxBK', 'b5RMs8pogE', 'aS1MhpCn8c', 'uyIMLjL0Rj', 'pFnMAdBXeE', 'sIHMUEGkGY', 'KIxM7O5gJc', 'TmpMutcOZQ'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, OI3PInsAfCuKgXRWoyL.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oEDYC49JWX', 'oESYPuU6DV', 'YO9YMCmMHh', 'farYYFSwn9', 'aX1YThvJTR', 'mvdYipLUyZ', 'l5kYrRSWDQ'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, j5DlZIshOvTjF9R5EU3.csHigh entropy of concatenated method names: 'ToString', 'SPbMfRD1rB', 'xvOMcH6bc7', 'FioMgDv9bk', 'zDpMRvW6to', 'p8WMy7g1fx', 'nkoMG5spvV', 'HWTMS6hQjI', 'VowJe5jhwCC95rPi85O', 'hapyVtj004FdvGqhRks'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, BKPueRhNAEWLtKZuW0.csHigh entropy of concatenated method names: 'KUtZ6u4yN', 'IClbGgL6s', 'Oq9qNprsI', 'xBdHuhIKt', 'RpYcWY4F8', 'NGhg6LArc', 'IJRjbmtEZTBq5JFUnE', 'evM5vAlTP1GmPssVFG', 'sTlFTiGMy', 'iKVPQKfp0'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, u52iGK3QFGnmxdT5Ev.csHigh entropy of concatenated method names: 'hTfCRHIqyQ', 'aqVCyWKSBp', 'MNoCGHYXXv', 'fu8CSQTe4j', 'fS0CNiy6DW', 'HEGCp2KdK4', 'QEBCkvH4gY', 'v5dCKjNHm5', 'QAPCOZDral', 'HlNC1XdoZA'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, A5BcrpnUPXqXhgRK08.csHigh entropy of concatenated method names: 'AX9CI4Hnd8', 'KeCC4ihpq3', 'n7LCC870B4', 'UP5CMMiHEI', 'JSeCTweRTq', 'EUYCrcvkKW', 'Dispose', 'SXUF7wDKxF', 'cJyFudk2s4', 'D84FeiG0Gf'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, WFxPoO0gaMug4rce0w.csHigh entropy of concatenated method names: 'rhU5fu25Aw', 'tSB5cGJa2F', 'Xt65RC5ds2', 'zwh5yQtFdd', 'Ysn5SuoqDW', 'PoM5NxjBfy', 'Bbw5kRSNUC', 'VeD5KBKBLq', 'fMm51sOhw8', 'M9o5meUQ1f'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, NU9187zXgHJIFQ1KZC.csHigh entropy of concatenated method names: 'lTmPqdispH', 'pwmPfj7sBC', 'p3PPc356CF', 'eaNPRDkmcg', 'dBpPyvb8hT', 'OgCPSnvsLb', 'k2XPNbZxjr', 'Y1uPrIAOGI', 'j4hPBvlFK6', 'AbbPEBmcgJ'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, bA5XJ3kIIYWKYWRVaO.csHigh entropy of concatenated method names: 'OkQD7KxheM', 'v7HDe7nSiW', 'YAtD9CJRy2', 'q549jg2vdJ', 'FZg9zUbQdx', 'SPnDwZhpvj', 'TVyDsmvtMV', 'VFcDhqOpK4', 'ONnDLqKwac', 'eMfDAkDnQa'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, wd4gSbRKc58gcQ2JJu.csHigh entropy of concatenated method names: 'H0t9U6dlEr', 'UGo9uO7EAB', 'Ewx9Q1lxfm', 'KOD9D0KEi4', 'gIe9JpZcRn', 'GxrQ6rFppM', 'rbhQlTRURI', 'AMDQnfEuEk', 'wpMQXR4d9A', 'pphQ3HD1Hi'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, DZw9U7O3bbhkOo7gUy.csHigh entropy of concatenated method names: 'palDBeiQAd', 'XkHDE1IoSG', 'nWCDZSuK5G', 'vpVDbiXivF', 'sStDVaBhuB', 'ehiDqTsUIE', 'srXDHoYpXn', 'g9nDfjWB8O', 'WDfDcpq8FS', 'fBcDgBUGrG'
                Source: 0.2.RFQ RFQ-BA-00090303885-xlsx.exe.423c9a8.1.raw.unpack, gVsjeKJQpDUbRBR3M5.csHigh entropy of concatenated method names: 'bEDLUgV0SX', 'L8gL7ic0b0', 'nJnLuBTIB0', 'SWoLeB0vFh', 'EPDLQ3QZc6', 'Ig0L9sxS4p', 'vNrLDRMjB7', 'xeeLJOoiJb', 'albL8VwyWi', 'hwCLvRRFtQ'
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeFile created: C:\Users\user\AppData\Roaming\dWLOfOG.exeJump to dropped file

                Boot Survival

                barindex
                Uses schtasks.exe or at.exe to add and modify task schedules
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWLOfOG" /XML "C:\Users\user\AppData\Local\Temp\tmpC38C.tmp"

                Hooking and other Techniques for Hiding and Protection

                barindex
                Loading BitLocker PowerShell Module
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\MuiUnattend.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\MuiUnattend.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\MuiUnattend.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\MuiUnattend.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
                Yara detected AntiVM3
                Source: Yara matchFile source: Process Memory Space: RFQ RFQ-BA-00090303885-xlsx.exe PID: 7724, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: dWLOfOG.exe PID: 5100, type: MEMORYSTR
                Switches to a custom stack to bypass stack traces
                Source: C:\Windows\SysWOW64\MuiUnattend.exeAPI/Special instruction interceptor: Address: 7FFB2CECD324
                Source: C:\Windows\SysWOW64\MuiUnattend.exeAPI/Special instruction interceptor: Address: 7FFB2CECD7E4
                Source: C:\Windows\SysWOW64\MuiUnattend.exeAPI/Special instruction interceptor: Address: 7FFB2CECD944
                Source: C:\Windows\SysWOW64\MuiUnattend.exeAPI/Special instruction interceptor: Address: 7FFB2CECD504
                Source: C:\Windows\SysWOW64\MuiUnattend.exeAPI/Special instruction interceptor: Address: 7FFB2CECD544
                Source: C:\Windows\SysWOW64\MuiUnattend.exeAPI/Special instruction interceptor: Address: 7FFB2CECD1E4
                Source: C:\Windows\SysWOW64\MuiUnattend.exeAPI/Special instruction interceptor: Address: 7FFB2CED0154
                Source: C:\Windows\SysWOW64\MuiUnattend.exeAPI/Special instruction interceptor: Address: 7FFB2CECDA44
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeMemory allocated: 24F0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeMemory allocated: 2710000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeMemory allocated: 2510000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeMemory allocated: 6E10000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeMemory allocated: 7E10000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeMemory allocated: 7FA0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeMemory allocated: 8FA0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeMemory allocated: 99B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeMemory allocated: A9B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeMemory allocated: B9B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeMemory allocated: 18F0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeMemory allocated: 3160000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeMemory allocated: 2FB0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeMemory allocated: 7A30000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeMemory allocated: 8A30000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeMemory allocated: 8BC0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeMemory allocated: 9BC0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeMemory allocated: A560000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeMemory allocated: B560000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E096E rdtsc 10_2_018E096E
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2699Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4415Jump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeWindow / User API: threadDelayed 3123
                Source: C:\Windows\SysWOW64\MuiUnattend.exeWindow / User API: threadDelayed 6850
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeAPI coverage: 0.7 %
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeAPI coverage: 0.2 %
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe TID: 7744Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5104Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6412Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4220Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4708Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exe TID: 6676Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exe TID: 8100Thread sleep count: 3123 > 30
                Source: C:\Windows\SysWOW64\MuiUnattend.exe TID: 8100Thread sleep time: -6246000s >= -30000s
                Source: C:\Windows\SysWOW64\MuiUnattend.exe TID: 8100Thread sleep count: 6850 > 30
                Source: C:\Windows\SysWOW64\MuiUnattend.exe TID: 8100Thread sleep time: -13700000s >= -30000s
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exe TID: 744Thread sleep time: -65000s >= -30000s
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exe TID: 744Thread sleep count: 36 > 30
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exe TID: 744Thread sleep time: -36000s >= -30000s
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exe TID: 744Thread sleep time: -43500s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\MuiUnattend.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\MuiUnattend.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: 3-1tw71.20.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                Source: 3-1tw71.20.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                Source: 3-1tw71.20.drBinary or memory string: Canara Transaction PasswordVMware20,11696492231}
                Source: 3-1tw71.20.drBinary or memory string: interactivebrokers.co.inVMware20,11696492231d
                Source: 3-1tw71.20.drBinary or memory string: netportal.hdfcbank.comVMware20,11696492231
                Source: 3-1tw71.20.drBinary or memory string: outlook.office.comVMware20,11696492231s
                Source: 3-1tw71.20.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                Source: 3-1tw71.20.drBinary or memory string: AMC password management pageVMware20,11696492231
                Source: 3-1tw71.20.drBinary or memory string: interactivebrokers.comVMware20,11696492231
                Source: 3-1tw71.20.drBinary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                Source: MuiUnattend.exe, 00000014.00000002.3761306354.0000000002E6E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
                Source: 3-1tw71.20.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                Source: 3-1tw71.20.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                Source: 3-1tw71.20.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                Source: 3-1tw71.20.drBinary or memory string: outlook.office365.comVMware20,11696492231t
                Source: 3-1tw71.20.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                Source: 3-1tw71.20.drBinary or memory string: discord.comVMware20,11696492231f
                Source: mCMv4ksWR9vP9.exe, 00000015.00000002.3764320566.0000000000709000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.1934600300.000002AFDB11C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 3-1tw71.20.drBinary or memory string: global block list test formVMware20,11696492231
                Source: 3-1tw71.20.drBinary or memory string: dev.azure.comVMware20,11696492231j
                Source: 3-1tw71.20.drBinary or memory string: www.interactivebrokers.comVMware20,11696492231}
                Source: 3-1tw71.20.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                Source: 3-1tw71.20.drBinary or memory string: bankofamerica.comVMware20,11696492231x
                Source: 3-1tw71.20.drBinary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                Source: 3-1tw71.20.drBinary or memory string: tasks.office.comVMware20,11696492231o
                Source: 3-1tw71.20.drBinary or memory string: account.microsoft.com/profileVMware20,11696492231u
                Source: 3-1tw71.20.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                Source: 3-1tw71.20.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                Source: 3-1tw71.20.drBinary or memory string: ms.portal.azure.comVMware20,11696492231
                Source: 3-1tw71.20.drBinary or memory string: turbotax.intuit.comVMware20,11696492231t
                Source: 3-1tw71.20.drBinary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                Source: 3-1tw71.20.drBinary or memory string: Canara Transaction PasswordVMware20,11696492231x
                Source: 3-1tw71.20.drBinary or memory string: Interactive Brokers - HKVMware20,11696492231]
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeProcess queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E096E rdtsc 10_2_018E096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00417BC3 LdrLoadDll,10_2_00417BC3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E0185 mov eax, dword ptr fs:[00000030h]10_2_018E0185
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0192019F mov eax, dword ptr fs:[00000030h]10_2_0192019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0192019F mov eax, dword ptr fs:[00000030h]10_2_0192019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0192019F mov eax, dword ptr fs:[00000030h]10_2_0192019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0192019F mov eax, dword ptr fs:[00000030h]10_2_0192019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01944180 mov eax, dword ptr fs:[00000030h]10_2_01944180
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01944180 mov eax, dword ptr fs:[00000030h]10_2_01944180
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0195C188 mov eax, dword ptr fs:[00000030h]10_2_0195C188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0195C188 mov eax, dword ptr fs:[00000030h]10_2_0195C188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0189A197 mov eax, dword ptr fs:[00000030h]10_2_0189A197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0189A197 mov eax, dword ptr fs:[00000030h]10_2_0189A197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0189A197 mov eax, dword ptr fs:[00000030h]10_2_0189A197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0191E1D0 mov eax, dword ptr fs:[00000030h]10_2_0191E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0191E1D0 mov eax, dword ptr fs:[00000030h]10_2_0191E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0191E1D0 mov ecx, dword ptr fs:[00000030h]10_2_0191E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0191E1D0 mov eax, dword ptr fs:[00000030h]10_2_0191E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0191E1D0 mov eax, dword ptr fs:[00000030h]10_2_0191E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019661C3 mov eax, dword ptr fs:[00000030h]10_2_019661C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019661C3 mov eax, dword ptr fs:[00000030h]10_2_019661C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019761E5 mov eax, dword ptr fs:[00000030h]10_2_019761E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D01F8 mov eax, dword ptr fs:[00000030h]10_2_018D01F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01960115 mov eax, dword ptr fs:[00000030h]10_2_01960115
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194A118 mov ecx, dword ptr fs:[00000030h]10_2_0194A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194A118 mov eax, dword ptr fs:[00000030h]10_2_0194A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194A118 mov eax, dword ptr fs:[00000030h]10_2_0194A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194A118 mov eax, dword ptr fs:[00000030h]10_2_0194A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194E10E mov eax, dword ptr fs:[00000030h]10_2_0194E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194E10E mov ecx, dword ptr fs:[00000030h]10_2_0194E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194E10E mov eax, dword ptr fs:[00000030h]10_2_0194E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194E10E mov eax, dword ptr fs:[00000030h]10_2_0194E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194E10E mov ecx, dword ptr fs:[00000030h]10_2_0194E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194E10E mov eax, dword ptr fs:[00000030h]10_2_0194E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194E10E mov eax, dword ptr fs:[00000030h]10_2_0194E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194E10E mov ecx, dword ptr fs:[00000030h]10_2_0194E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194E10E mov eax, dword ptr fs:[00000030h]10_2_0194E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194E10E mov ecx, dword ptr fs:[00000030h]10_2_0194E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D0124 mov eax, dword ptr fs:[00000030h]10_2_018D0124
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01938158 mov eax, dword ptr fs:[00000030h]10_2_01938158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01934144 mov eax, dword ptr fs:[00000030h]10_2_01934144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01934144 mov eax, dword ptr fs:[00000030h]10_2_01934144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01934144 mov ecx, dword ptr fs:[00000030h]10_2_01934144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01934144 mov eax, dword ptr fs:[00000030h]10_2_01934144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01934144 mov eax, dword ptr fs:[00000030h]10_2_01934144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A6154 mov eax, dword ptr fs:[00000030h]10_2_018A6154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A6154 mov eax, dword ptr fs:[00000030h]10_2_018A6154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0189C156 mov eax, dword ptr fs:[00000030h]10_2_0189C156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01974164 mov eax, dword ptr fs:[00000030h]10_2_01974164
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01974164 mov eax, dword ptr fs:[00000030h]10_2_01974164
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A208A mov eax, dword ptr fs:[00000030h]10_2_018A208A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018980A0 mov eax, dword ptr fs:[00000030h]10_2_018980A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019660B8 mov eax, dword ptr fs:[00000030h]10_2_019660B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019660B8 mov ecx, dword ptr fs:[00000030h]10_2_019660B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019380A8 mov eax, dword ptr fs:[00000030h]10_2_019380A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019220DE mov eax, dword ptr fs:[00000030h]10_2_019220DE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A80E9 mov eax, dword ptr fs:[00000030h]10_2_018A80E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0189A0E3 mov ecx, dword ptr fs:[00000030h]10_2_0189A0E3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019260E0 mov eax, dword ptr fs:[00000030h]10_2_019260E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0189C0F0 mov eax, dword ptr fs:[00000030h]10_2_0189C0F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E20F0 mov ecx, dword ptr fs:[00000030h]10_2_018E20F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01924000 mov ecx, dword ptr fs:[00000030h]10_2_01924000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01942000 mov eax, dword ptr fs:[00000030h]10_2_01942000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01942000 mov eax, dword ptr fs:[00000030h]10_2_01942000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01942000 mov eax, dword ptr fs:[00000030h]10_2_01942000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01942000 mov eax, dword ptr fs:[00000030h]10_2_01942000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01942000 mov eax, dword ptr fs:[00000030h]10_2_01942000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01942000 mov eax, dword ptr fs:[00000030h]10_2_01942000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01942000 mov eax, dword ptr fs:[00000030h]10_2_01942000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01942000 mov eax, dword ptr fs:[00000030h]10_2_01942000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018BE016 mov eax, dword ptr fs:[00000030h]10_2_018BE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018BE016 mov eax, dword ptr fs:[00000030h]10_2_018BE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018BE016 mov eax, dword ptr fs:[00000030h]10_2_018BE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018BE016 mov eax, dword ptr fs:[00000030h]10_2_018BE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01936030 mov eax, dword ptr fs:[00000030h]10_2_01936030
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0189A020 mov eax, dword ptr fs:[00000030h]10_2_0189A020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0189C020 mov eax, dword ptr fs:[00000030h]10_2_0189C020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01926050 mov eax, dword ptr fs:[00000030h]10_2_01926050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A2050 mov eax, dword ptr fs:[00000030h]10_2_018A2050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CC073 mov eax, dword ptr fs:[00000030h]10_2_018CC073
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0189E388 mov eax, dword ptr fs:[00000030h]10_2_0189E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0189E388 mov eax, dword ptr fs:[00000030h]10_2_0189E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0189E388 mov eax, dword ptr fs:[00000030h]10_2_0189E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C438F mov eax, dword ptr fs:[00000030h]10_2_018C438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C438F mov eax, dword ptr fs:[00000030h]10_2_018C438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01898397 mov eax, dword ptr fs:[00000030h]10_2_01898397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01898397 mov eax, dword ptr fs:[00000030h]10_2_01898397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01898397 mov eax, dword ptr fs:[00000030h]10_2_01898397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019443D4 mov eax, dword ptr fs:[00000030h]10_2_019443D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019443D4 mov eax, dword ptr fs:[00000030h]10_2_019443D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AA3C0 mov eax, dword ptr fs:[00000030h]10_2_018AA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AA3C0 mov eax, dword ptr fs:[00000030h]10_2_018AA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AA3C0 mov eax, dword ptr fs:[00000030h]10_2_018AA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AA3C0 mov eax, dword ptr fs:[00000030h]10_2_018AA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AA3C0 mov eax, dword ptr fs:[00000030h]10_2_018AA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AA3C0 mov eax, dword ptr fs:[00000030h]10_2_018AA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A83C0 mov eax, dword ptr fs:[00000030h]10_2_018A83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A83C0 mov eax, dword ptr fs:[00000030h]10_2_018A83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A83C0 mov eax, dword ptr fs:[00000030h]10_2_018A83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A83C0 mov eax, dword ptr fs:[00000030h]10_2_018A83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194E3DB mov eax, dword ptr fs:[00000030h]10_2_0194E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194E3DB mov eax, dword ptr fs:[00000030h]10_2_0194E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194E3DB mov ecx, dword ptr fs:[00000030h]10_2_0194E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194E3DB mov eax, dword ptr fs:[00000030h]10_2_0194E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019263C0 mov eax, dword ptr fs:[00000030h]10_2_019263C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0195C3CD mov eax, dword ptr fs:[00000030h]10_2_0195C3CD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B03E9 mov eax, dword ptr fs:[00000030h]10_2_018B03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B03E9 mov eax, dword ptr fs:[00000030h]10_2_018B03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B03E9 mov eax, dword ptr fs:[00000030h]10_2_018B03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B03E9 mov eax, dword ptr fs:[00000030h]10_2_018B03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B03E9 mov eax, dword ptr fs:[00000030h]10_2_018B03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B03E9 mov eax, dword ptr fs:[00000030h]10_2_018B03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B03E9 mov eax, dword ptr fs:[00000030h]10_2_018B03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B03E9 mov eax, dword ptr fs:[00000030h]10_2_018B03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D63FF mov eax, dword ptr fs:[00000030h]10_2_018D63FF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018BE3F0 mov eax, dword ptr fs:[00000030h]10_2_018BE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018BE3F0 mov eax, dword ptr fs:[00000030h]10_2_018BE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018BE3F0 mov eax, dword ptr fs:[00000030h]10_2_018BE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DA30B mov eax, dword ptr fs:[00000030h]10_2_018DA30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DA30B mov eax, dword ptr fs:[00000030h]10_2_018DA30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DA30B mov eax, dword ptr fs:[00000030h]10_2_018DA30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0189C310 mov ecx, dword ptr fs:[00000030h]10_2_0189C310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C0310 mov ecx, dword ptr fs:[00000030h]10_2_018C0310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01978324 mov eax, dword ptr fs:[00000030h]10_2_01978324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01978324 mov ecx, dword ptr fs:[00000030h]10_2_01978324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01978324 mov eax, dword ptr fs:[00000030h]10_2_01978324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01978324 mov eax, dword ptr fs:[00000030h]10_2_01978324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0196A352 mov eax, dword ptr fs:[00000030h]10_2_0196A352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01948350 mov ecx, dword ptr fs:[00000030h]10_2_01948350
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0192035C mov eax, dword ptr fs:[00000030h]10_2_0192035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0192035C mov eax, dword ptr fs:[00000030h]10_2_0192035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0192035C mov eax, dword ptr fs:[00000030h]10_2_0192035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0192035C mov ecx, dword ptr fs:[00000030h]10_2_0192035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0192035C mov eax, dword ptr fs:[00000030h]10_2_0192035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0192035C mov eax, dword ptr fs:[00000030h]10_2_0192035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0197634F mov eax, dword ptr fs:[00000030h]10_2_0197634F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01922349 mov eax, dword ptr fs:[00000030h]10_2_01922349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01922349 mov eax, dword ptr fs:[00000030h]10_2_01922349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01922349 mov eax, dword ptr fs:[00000030h]10_2_01922349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01922349 mov eax, dword ptr fs:[00000030h]10_2_01922349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01922349 mov eax, dword ptr fs:[00000030h]10_2_01922349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01922349 mov eax, dword ptr fs:[00000030h]10_2_01922349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01922349 mov eax, dword ptr fs:[00000030h]10_2_01922349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01922349 mov eax, dword ptr fs:[00000030h]10_2_01922349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01922349 mov eax, dword ptr fs:[00000030h]10_2_01922349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01922349 mov eax, dword ptr fs:[00000030h]10_2_01922349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01922349 mov eax, dword ptr fs:[00000030h]10_2_01922349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01922349 mov eax, dword ptr fs:[00000030h]10_2_01922349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01922349 mov eax, dword ptr fs:[00000030h]10_2_01922349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01922349 mov eax, dword ptr fs:[00000030h]10_2_01922349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01922349 mov eax, dword ptr fs:[00000030h]10_2_01922349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194437C mov eax, dword ptr fs:[00000030h]10_2_0194437C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DE284 mov eax, dword ptr fs:[00000030h]10_2_018DE284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DE284 mov eax, dword ptr fs:[00000030h]10_2_018DE284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01920283 mov eax, dword ptr fs:[00000030h]10_2_01920283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01920283 mov eax, dword ptr fs:[00000030h]10_2_01920283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01920283 mov eax, dword ptr fs:[00000030h]10_2_01920283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B02A0 mov eax, dword ptr fs:[00000030h]10_2_018B02A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B02A0 mov eax, dword ptr fs:[00000030h]10_2_018B02A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019362A0 mov eax, dword ptr fs:[00000030h]10_2_019362A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019362A0 mov ecx, dword ptr fs:[00000030h]10_2_019362A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019362A0 mov eax, dword ptr fs:[00000030h]10_2_019362A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019362A0 mov eax, dword ptr fs:[00000030h]10_2_019362A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019362A0 mov eax, dword ptr fs:[00000030h]10_2_019362A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019362A0 mov eax, dword ptr fs:[00000030h]10_2_019362A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019762D6 mov eax, dword ptr fs:[00000030h]10_2_019762D6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AA2C3 mov eax, dword ptr fs:[00000030h]10_2_018AA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AA2C3 mov eax, dword ptr fs:[00000030h]10_2_018AA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AA2C3 mov eax, dword ptr fs:[00000030h]10_2_018AA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AA2C3 mov eax, dword ptr fs:[00000030h]10_2_018AA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AA2C3 mov eax, dword ptr fs:[00000030h]10_2_018AA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B02E1 mov eax, dword ptr fs:[00000030h]10_2_018B02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B02E1 mov eax, dword ptr fs:[00000030h]10_2_018B02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B02E1 mov eax, dword ptr fs:[00000030h]10_2_018B02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0189823B mov eax, dword ptr fs:[00000030h]10_2_0189823B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0195A250 mov eax, dword ptr fs:[00000030h]10_2_0195A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0195A250 mov eax, dword ptr fs:[00000030h]10_2_0195A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0197625D mov eax, dword ptr fs:[00000030h]10_2_0197625D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01928243 mov eax, dword ptr fs:[00000030h]10_2_01928243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01928243 mov ecx, dword ptr fs:[00000030h]10_2_01928243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A6259 mov eax, dword ptr fs:[00000030h]10_2_018A6259
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0189A250 mov eax, dword ptr fs:[00000030h]10_2_0189A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01950274 mov eax, dword ptr fs:[00000030h]10_2_01950274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01950274 mov eax, dword ptr fs:[00000030h]10_2_01950274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01950274 mov eax, dword ptr fs:[00000030h]10_2_01950274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01950274 mov eax, dword ptr fs:[00000030h]10_2_01950274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01950274 mov eax, dword ptr fs:[00000030h]10_2_01950274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01950274 mov eax, dword ptr fs:[00000030h]10_2_01950274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01950274 mov eax, dword ptr fs:[00000030h]10_2_01950274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01950274 mov eax, dword ptr fs:[00000030h]10_2_01950274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01950274 mov eax, dword ptr fs:[00000030h]10_2_01950274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01950274 mov eax, dword ptr fs:[00000030h]10_2_01950274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01950274 mov eax, dword ptr fs:[00000030h]10_2_01950274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01950274 mov eax, dword ptr fs:[00000030h]10_2_01950274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0189826B mov eax, dword ptr fs:[00000030h]10_2_0189826B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A4260 mov eax, dword ptr fs:[00000030h]10_2_018A4260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A4260 mov eax, dword ptr fs:[00000030h]10_2_018A4260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A4260 mov eax, dword ptr fs:[00000030h]10_2_018A4260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D4588 mov eax, dword ptr fs:[00000030h]10_2_018D4588
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A2582 mov eax, dword ptr fs:[00000030h]10_2_018A2582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A2582 mov ecx, dword ptr fs:[00000030h]10_2_018A2582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DE59C mov eax, dword ptr fs:[00000030h]10_2_018DE59C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019205A7 mov eax, dword ptr fs:[00000030h]10_2_019205A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019205A7 mov eax, dword ptr fs:[00000030h]10_2_019205A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019205A7 mov eax, dword ptr fs:[00000030h]10_2_019205A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C45B1 mov eax, dword ptr fs:[00000030h]10_2_018C45B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C45B1 mov eax, dword ptr fs:[00000030h]10_2_018C45B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DE5CF mov eax, dword ptr fs:[00000030h]10_2_018DE5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DE5CF mov eax, dword ptr fs:[00000030h]10_2_018DE5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A65D0 mov eax, dword ptr fs:[00000030h]10_2_018A65D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DA5D0 mov eax, dword ptr fs:[00000030h]10_2_018DA5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DA5D0 mov eax, dword ptr fs:[00000030h]10_2_018DA5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DC5ED mov eax, dword ptr fs:[00000030h]10_2_018DC5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DC5ED mov eax, dword ptr fs:[00000030h]10_2_018DC5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A25E0 mov eax, dword ptr fs:[00000030h]10_2_018A25E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CE5E7 mov eax, dword ptr fs:[00000030h]10_2_018CE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CE5E7 mov eax, dword ptr fs:[00000030h]10_2_018CE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CE5E7 mov eax, dword ptr fs:[00000030h]10_2_018CE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CE5E7 mov eax, dword ptr fs:[00000030h]10_2_018CE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CE5E7 mov eax, dword ptr fs:[00000030h]10_2_018CE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CE5E7 mov eax, dword ptr fs:[00000030h]10_2_018CE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CE5E7 mov eax, dword ptr fs:[00000030h]10_2_018CE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CE5E7 mov eax, dword ptr fs:[00000030h]10_2_018CE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01936500 mov eax, dword ptr fs:[00000030h]10_2_01936500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01974500 mov eax, dword ptr fs:[00000030h]10_2_01974500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01974500 mov eax, dword ptr fs:[00000030h]10_2_01974500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01974500 mov eax, dword ptr fs:[00000030h]10_2_01974500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01974500 mov eax, dword ptr fs:[00000030h]10_2_01974500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01974500 mov eax, dword ptr fs:[00000030h]10_2_01974500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01974500 mov eax, dword ptr fs:[00000030h]10_2_01974500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01974500 mov eax, dword ptr fs:[00000030h]10_2_01974500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CE53E mov eax, dword ptr fs:[00000030h]10_2_018CE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CE53E mov eax, dword ptr fs:[00000030h]10_2_018CE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CE53E mov eax, dword ptr fs:[00000030h]10_2_018CE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CE53E mov eax, dword ptr fs:[00000030h]10_2_018CE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CE53E mov eax, dword ptr fs:[00000030h]10_2_018CE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B0535 mov eax, dword ptr fs:[00000030h]10_2_018B0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B0535 mov eax, dword ptr fs:[00000030h]10_2_018B0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B0535 mov eax, dword ptr fs:[00000030h]10_2_018B0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B0535 mov eax, dword ptr fs:[00000030h]10_2_018B0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B0535 mov eax, dword ptr fs:[00000030h]10_2_018B0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B0535 mov eax, dword ptr fs:[00000030h]10_2_018B0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A8550 mov eax, dword ptr fs:[00000030h]10_2_018A8550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A8550 mov eax, dword ptr fs:[00000030h]10_2_018A8550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D656A mov eax, dword ptr fs:[00000030h]10_2_018D656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D656A mov eax, dword ptr fs:[00000030h]10_2_018D656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D656A mov eax, dword ptr fs:[00000030h]10_2_018D656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0195A49A mov eax, dword ptr fs:[00000030h]10_2_0195A49A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A64AB mov eax, dword ptr fs:[00000030h]10_2_018A64AB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0192A4B0 mov eax, dword ptr fs:[00000030h]10_2_0192A4B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D44B0 mov ecx, dword ptr fs:[00000030h]10_2_018D44B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A04E5 mov ecx, dword ptr fs:[00000030h]10_2_018A04E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D8402 mov eax, dword ptr fs:[00000030h]10_2_018D8402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D8402 mov eax, dword ptr fs:[00000030h]10_2_018D8402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D8402 mov eax, dword ptr fs:[00000030h]10_2_018D8402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0189E420 mov eax, dword ptr fs:[00000030h]10_2_0189E420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0189E420 mov eax, dword ptr fs:[00000030h]10_2_0189E420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0189E420 mov eax, dword ptr fs:[00000030h]10_2_0189E420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0189C427 mov eax, dword ptr fs:[00000030h]10_2_0189C427
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01926420 mov eax, dword ptr fs:[00000030h]10_2_01926420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01926420 mov eax, dword ptr fs:[00000030h]10_2_01926420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01926420 mov eax, dword ptr fs:[00000030h]10_2_01926420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01926420 mov eax, dword ptr fs:[00000030h]10_2_01926420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01926420 mov eax, dword ptr fs:[00000030h]10_2_01926420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01926420 mov eax, dword ptr fs:[00000030h]10_2_01926420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01926420 mov eax, dword ptr fs:[00000030h]10_2_01926420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DA430 mov eax, dword ptr fs:[00000030h]10_2_018DA430
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0195A456 mov eax, dword ptr fs:[00000030h]10_2_0195A456
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DE443 mov eax, dword ptr fs:[00000030h]10_2_018DE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DE443 mov eax, dword ptr fs:[00000030h]10_2_018DE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DE443 mov eax, dword ptr fs:[00000030h]10_2_018DE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DE443 mov eax, dword ptr fs:[00000030h]10_2_018DE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DE443 mov eax, dword ptr fs:[00000030h]10_2_018DE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DE443 mov eax, dword ptr fs:[00000030h]10_2_018DE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DE443 mov eax, dword ptr fs:[00000030h]10_2_018DE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DE443 mov eax, dword ptr fs:[00000030h]10_2_018DE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0189645D mov eax, dword ptr fs:[00000030h]10_2_0189645D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C245A mov eax, dword ptr fs:[00000030h]10_2_018C245A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0192C460 mov ecx, dword ptr fs:[00000030h]10_2_0192C460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CA470 mov eax, dword ptr fs:[00000030h]10_2_018CA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CA470 mov eax, dword ptr fs:[00000030h]10_2_018CA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CA470 mov eax, dword ptr fs:[00000030h]10_2_018CA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194678E mov eax, dword ptr fs:[00000030h]10_2_0194678E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A07AF mov eax, dword ptr fs:[00000030h]10_2_018A07AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019547A0 mov eax, dword ptr fs:[00000030h]10_2_019547A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AC7C0 mov eax, dword ptr fs:[00000030h]10_2_018AC7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019207C3 mov eax, dword ptr fs:[00000030h]10_2_019207C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C27ED mov eax, dword ptr fs:[00000030h]10_2_018C27ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C27ED mov eax, dword ptr fs:[00000030h]10_2_018C27ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C27ED mov eax, dword ptr fs:[00000030h]10_2_018C27ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A47FB mov eax, dword ptr fs:[00000030h]10_2_018A47FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A47FB mov eax, dword ptr fs:[00000030h]10_2_018A47FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0192E7E1 mov eax, dword ptr fs:[00000030h]10_2_0192E7E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DC700 mov eax, dword ptr fs:[00000030h]10_2_018DC700
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A0710 mov eax, dword ptr fs:[00000030h]10_2_018A0710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D0710 mov eax, dword ptr fs:[00000030h]10_2_018D0710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0191C730 mov eax, dword ptr fs:[00000030h]10_2_0191C730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DC720 mov eax, dword ptr fs:[00000030h]10_2_018DC720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DC720 mov eax, dword ptr fs:[00000030h]10_2_018DC720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D273C mov eax, dword ptr fs:[00000030h]10_2_018D273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D273C mov ecx, dword ptr fs:[00000030h]10_2_018D273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D273C mov eax, dword ptr fs:[00000030h]10_2_018D273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D674D mov esi, dword ptr fs:[00000030h]10_2_018D674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D674D mov eax, dword ptr fs:[00000030h]10_2_018D674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D674D mov eax, dword ptr fs:[00000030h]10_2_018D674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01924755 mov eax, dword ptr fs:[00000030h]10_2_01924755
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0192E75D mov eax, dword ptr fs:[00000030h]10_2_0192E75D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A0750 mov eax, dword ptr fs:[00000030h]10_2_018A0750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2750 mov eax, dword ptr fs:[00000030h]10_2_018E2750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2750 mov eax, dword ptr fs:[00000030h]10_2_018E2750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A8770 mov eax, dword ptr fs:[00000030h]10_2_018A8770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B0770 mov eax, dword ptr fs:[00000030h]10_2_018B0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B0770 mov eax, dword ptr fs:[00000030h]10_2_018B0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B0770 mov eax, dword ptr fs:[00000030h]10_2_018B0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B0770 mov eax, dword ptr fs:[00000030h]10_2_018B0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B0770 mov eax, dword ptr fs:[00000030h]10_2_018B0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B0770 mov eax, dword ptr fs:[00000030h]10_2_018B0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B0770 mov eax, dword ptr fs:[00000030h]10_2_018B0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B0770 mov eax, dword ptr fs:[00000030h]10_2_018B0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B0770 mov eax, dword ptr fs:[00000030h]10_2_018B0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B0770 mov eax, dword ptr fs:[00000030h]10_2_018B0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B0770 mov eax, dword ptr fs:[00000030h]10_2_018B0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B0770 mov eax, dword ptr fs:[00000030h]10_2_018B0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A4690 mov eax, dword ptr fs:[00000030h]10_2_018A4690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A4690 mov eax, dword ptr fs:[00000030h]10_2_018A4690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DC6A6 mov eax, dword ptr fs:[00000030h]10_2_018DC6A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D66B0 mov eax, dword ptr fs:[00000030h]10_2_018D66B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DA6C7 mov ebx, dword ptr fs:[00000030h]10_2_018DA6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DA6C7 mov eax, dword ptr fs:[00000030h]10_2_018DA6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0191E6F2 mov eax, dword ptr fs:[00000030h]10_2_0191E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0191E6F2 mov eax, dword ptr fs:[00000030h]10_2_0191E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0191E6F2 mov eax, dword ptr fs:[00000030h]10_2_0191E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0191E6F2 mov eax, dword ptr fs:[00000030h]10_2_0191E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019206F1 mov eax, dword ptr fs:[00000030h]10_2_019206F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019206F1 mov eax, dword ptr fs:[00000030h]10_2_019206F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B260B mov eax, dword ptr fs:[00000030h]10_2_018B260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B260B mov eax, dword ptr fs:[00000030h]10_2_018B260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B260B mov eax, dword ptr fs:[00000030h]10_2_018B260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B260B mov eax, dword ptr fs:[00000030h]10_2_018B260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B260B mov eax, dword ptr fs:[00000030h]10_2_018B260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B260B mov eax, dword ptr fs:[00000030h]10_2_018B260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B260B mov eax, dword ptr fs:[00000030h]10_2_018B260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E2619 mov eax, dword ptr fs:[00000030h]10_2_018E2619
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0191E609 mov eax, dword ptr fs:[00000030h]10_2_0191E609
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A262C mov eax, dword ptr fs:[00000030h]10_2_018A262C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018BE627 mov eax, dword ptr fs:[00000030h]10_2_018BE627
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D6620 mov eax, dword ptr fs:[00000030h]10_2_018D6620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D8620 mov eax, dword ptr fs:[00000030h]10_2_018D8620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018BC640 mov eax, dword ptr fs:[00000030h]10_2_018BC640
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DA660 mov eax, dword ptr fs:[00000030h]10_2_018DA660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DA660 mov eax, dword ptr fs:[00000030h]10_2_018DA660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0196866E mov eax, dword ptr fs:[00000030h]10_2_0196866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0196866E mov eax, dword ptr fs:[00000030h]10_2_0196866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D2674 mov eax, dword ptr fs:[00000030h]10_2_018D2674
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019289B3 mov esi, dword ptr fs:[00000030h]10_2_019289B3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019289B3 mov eax, dword ptr fs:[00000030h]10_2_019289B3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019289B3 mov eax, dword ptr fs:[00000030h]10_2_019289B3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A09AD mov eax, dword ptr fs:[00000030h]10_2_018A09AD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A09AD mov eax, dword ptr fs:[00000030h]10_2_018A09AD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B29A0 mov eax, dword ptr fs:[00000030h]10_2_018B29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B29A0 mov eax, dword ptr fs:[00000030h]10_2_018B29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B29A0 mov eax, dword ptr fs:[00000030h]10_2_018B29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B29A0 mov eax, dword ptr fs:[00000030h]10_2_018B29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B29A0 mov eax, dword ptr fs:[00000030h]10_2_018B29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B29A0 mov eax, dword ptr fs:[00000030h]10_2_018B29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B29A0 mov eax, dword ptr fs:[00000030h]10_2_018B29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B29A0 mov eax, dword ptr fs:[00000030h]10_2_018B29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B29A0 mov eax, dword ptr fs:[00000030h]10_2_018B29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B29A0 mov eax, dword ptr fs:[00000030h]10_2_018B29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B29A0 mov eax, dword ptr fs:[00000030h]10_2_018B29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B29A0 mov eax, dword ptr fs:[00000030h]10_2_018B29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B29A0 mov eax, dword ptr fs:[00000030h]10_2_018B29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0196A9D3 mov eax, dword ptr fs:[00000030h]10_2_0196A9D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019369C0 mov eax, dword ptr fs:[00000030h]10_2_019369C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AA9D0 mov eax, dword ptr fs:[00000030h]10_2_018AA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AA9D0 mov eax, dword ptr fs:[00000030h]10_2_018AA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AA9D0 mov eax, dword ptr fs:[00000030h]10_2_018AA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AA9D0 mov eax, dword ptr fs:[00000030h]10_2_018AA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AA9D0 mov eax, dword ptr fs:[00000030h]10_2_018AA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AA9D0 mov eax, dword ptr fs:[00000030h]10_2_018AA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D49D0 mov eax, dword ptr fs:[00000030h]10_2_018D49D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0192E9E0 mov eax, dword ptr fs:[00000030h]10_2_0192E9E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D29F9 mov eax, dword ptr fs:[00000030h]10_2_018D29F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D29F9 mov eax, dword ptr fs:[00000030h]10_2_018D29F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0192C912 mov eax, dword ptr fs:[00000030h]10_2_0192C912
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01898918 mov eax, dword ptr fs:[00000030h]10_2_01898918
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01898918 mov eax, dword ptr fs:[00000030h]10_2_01898918
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0191E908 mov eax, dword ptr fs:[00000030h]10_2_0191E908
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0191E908 mov eax, dword ptr fs:[00000030h]10_2_0191E908
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0192892A mov eax, dword ptr fs:[00000030h]10_2_0192892A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0193892B mov eax, dword ptr fs:[00000030h]10_2_0193892B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01920946 mov eax, dword ptr fs:[00000030h]10_2_01920946
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01974940 mov eax, dword ptr fs:[00000030h]10_2_01974940
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E096E mov eax, dword ptr fs:[00000030h]10_2_018E096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E096E mov edx, dword ptr fs:[00000030h]10_2_018E096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018E096E mov eax, dword ptr fs:[00000030h]10_2_018E096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01944978 mov eax, dword ptr fs:[00000030h]10_2_01944978
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01944978 mov eax, dword ptr fs:[00000030h]10_2_01944978
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C6962 mov eax, dword ptr fs:[00000030h]10_2_018C6962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C6962 mov eax, dword ptr fs:[00000030h]10_2_018C6962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C6962 mov eax, dword ptr fs:[00000030h]10_2_018C6962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0192C97C mov eax, dword ptr fs:[00000030h]10_2_0192C97C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A0887 mov eax, dword ptr fs:[00000030h]10_2_018A0887
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0192C89D mov eax, dword ptr fs:[00000030h]10_2_0192C89D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CE8C0 mov eax, dword ptr fs:[00000030h]10_2_018CE8C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_019708C0 mov eax, dword ptr fs:[00000030h]10_2_019708C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0196A8E4 mov eax, dword ptr fs:[00000030h]10_2_0196A8E4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DC8F9 mov eax, dword ptr fs:[00000030h]10_2_018DC8F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DC8F9 mov eax, dword ptr fs:[00000030h]10_2_018DC8F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0192C810 mov eax, dword ptr fs:[00000030h]10_2_0192C810
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194483A mov eax, dword ptr fs:[00000030h]10_2_0194483A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194483A mov eax, dword ptr fs:[00000030h]10_2_0194483A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C2835 mov eax, dword ptr fs:[00000030h]10_2_018C2835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C2835 mov eax, dword ptr fs:[00000030h]10_2_018C2835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C2835 mov eax, dword ptr fs:[00000030h]10_2_018C2835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C2835 mov ecx, dword ptr fs:[00000030h]10_2_018C2835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C2835 mov eax, dword ptr fs:[00000030h]10_2_018C2835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C2835 mov eax, dword ptr fs:[00000030h]10_2_018C2835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DA830 mov eax, dword ptr fs:[00000030h]10_2_018DA830
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B2840 mov ecx, dword ptr fs:[00000030h]10_2_018B2840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A4859 mov eax, dword ptr fs:[00000030h]10_2_018A4859
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A4859 mov eax, dword ptr fs:[00000030h]10_2_018A4859
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D0854 mov eax, dword ptr fs:[00000030h]10_2_018D0854
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0192E872 mov eax, dword ptr fs:[00000030h]10_2_0192E872
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0192E872 mov eax, dword ptr fs:[00000030h]10_2_0192E872
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01936870 mov eax, dword ptr fs:[00000030h]10_2_01936870
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01936870 mov eax, dword ptr fs:[00000030h]10_2_01936870
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01954BB0 mov eax, dword ptr fs:[00000030h]10_2_01954BB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01954BB0 mov eax, dword ptr fs:[00000030h]10_2_01954BB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B0BBE mov eax, dword ptr fs:[00000030h]10_2_018B0BBE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B0BBE mov eax, dword ptr fs:[00000030h]10_2_018B0BBE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194EBD0 mov eax, dword ptr fs:[00000030h]10_2_0194EBD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C0BCB mov eax, dword ptr fs:[00000030h]10_2_018C0BCB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C0BCB mov eax, dword ptr fs:[00000030h]10_2_018C0BCB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C0BCB mov eax, dword ptr fs:[00000030h]10_2_018C0BCB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A0BCD mov eax, dword ptr fs:[00000030h]10_2_018A0BCD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A0BCD mov eax, dword ptr fs:[00000030h]10_2_018A0BCD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A0BCD mov eax, dword ptr fs:[00000030h]10_2_018A0BCD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0192CBF0 mov eax, dword ptr fs:[00000030h]10_2_0192CBF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CEBFC mov eax, dword ptr fs:[00000030h]10_2_018CEBFC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A8BF0 mov eax, dword ptr fs:[00000030h]10_2_018A8BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A8BF0 mov eax, dword ptr fs:[00000030h]10_2_018A8BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A8BF0 mov eax, dword ptr fs:[00000030h]10_2_018A8BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0191EB1D mov eax, dword ptr fs:[00000030h]10_2_0191EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0191EB1D mov eax, dword ptr fs:[00000030h]10_2_0191EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0191EB1D mov eax, dword ptr fs:[00000030h]10_2_0191EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0191EB1D mov eax, dword ptr fs:[00000030h]10_2_0191EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0191EB1D mov eax, dword ptr fs:[00000030h]10_2_0191EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0191EB1D mov eax, dword ptr fs:[00000030h]10_2_0191EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0191EB1D mov eax, dword ptr fs:[00000030h]10_2_0191EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0191EB1D mov eax, dword ptr fs:[00000030h]10_2_0191EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0191EB1D mov eax, dword ptr fs:[00000030h]10_2_0191EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01974B00 mov eax, dword ptr fs:[00000030h]10_2_01974B00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CEB20 mov eax, dword ptr fs:[00000030h]10_2_018CEB20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CEB20 mov eax, dword ptr fs:[00000030h]10_2_018CEB20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01968B28 mov eax, dword ptr fs:[00000030h]10_2_01968B28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01968B28 mov eax, dword ptr fs:[00000030h]10_2_01968B28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01972B57 mov eax, dword ptr fs:[00000030h]10_2_01972B57
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01972B57 mov eax, dword ptr fs:[00000030h]10_2_01972B57
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01972B57 mov eax, dword ptr fs:[00000030h]10_2_01972B57
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01972B57 mov eax, dword ptr fs:[00000030h]10_2_01972B57
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0194EB50 mov eax, dword ptr fs:[00000030h]10_2_0194EB50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01936B40 mov eax, dword ptr fs:[00000030h]10_2_01936B40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01936B40 mov eax, dword ptr fs:[00000030h]10_2_01936B40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0196AB40 mov eax, dword ptr fs:[00000030h]10_2_0196AB40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01948B42 mov eax, dword ptr fs:[00000030h]10_2_01948B42
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01898B50 mov eax, dword ptr fs:[00000030h]10_2_01898B50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01954B4B mov eax, dword ptr fs:[00000030h]10_2_01954B4B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01954B4B mov eax, dword ptr fs:[00000030h]10_2_01954B4B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0189CB7E mov eax, dword ptr fs:[00000030h]10_2_0189CB7E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AEA80 mov eax, dword ptr fs:[00000030h]10_2_018AEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AEA80 mov eax, dword ptr fs:[00000030h]10_2_018AEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AEA80 mov eax, dword ptr fs:[00000030h]10_2_018AEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AEA80 mov eax, dword ptr fs:[00000030h]10_2_018AEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AEA80 mov eax, dword ptr fs:[00000030h]10_2_018AEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AEA80 mov eax, dword ptr fs:[00000030h]10_2_018AEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AEA80 mov eax, dword ptr fs:[00000030h]10_2_018AEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AEA80 mov eax, dword ptr fs:[00000030h]10_2_018AEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018AEA80 mov eax, dword ptr fs:[00000030h]10_2_018AEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01974A80 mov eax, dword ptr fs:[00000030h]10_2_01974A80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D8A90 mov edx, dword ptr fs:[00000030h]10_2_018D8A90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A8AA0 mov eax, dword ptr fs:[00000030h]10_2_018A8AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A8AA0 mov eax, dword ptr fs:[00000030h]10_2_018A8AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018F6AA4 mov eax, dword ptr fs:[00000030h]10_2_018F6AA4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018F6ACC mov eax, dword ptr fs:[00000030h]10_2_018F6ACC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018F6ACC mov eax, dword ptr fs:[00000030h]10_2_018F6ACC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018F6ACC mov eax, dword ptr fs:[00000030h]10_2_018F6ACC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A0AD0 mov eax, dword ptr fs:[00000030h]10_2_018A0AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D4AD0 mov eax, dword ptr fs:[00000030h]10_2_018D4AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018D4AD0 mov eax, dword ptr fs:[00000030h]10_2_018D4AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DAAEE mov eax, dword ptr fs:[00000030h]10_2_018DAAEE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DAAEE mov eax, dword ptr fs:[00000030h]10_2_018DAAEE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0192CA11 mov eax, dword ptr fs:[00000030h]10_2_0192CA11
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018CEA2E mov eax, dword ptr fs:[00000030h]10_2_018CEA2E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DCA24 mov eax, dword ptr fs:[00000030h]10_2_018DCA24
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018DCA38 mov eax, dword ptr fs:[00000030h]10_2_018DCA38
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C4A35 mov eax, dword ptr fs:[00000030h]10_2_018C4A35
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018C4A35 mov eax, dword ptr fs:[00000030h]10_2_018C4A35
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B0A5B mov eax, dword ptr fs:[00000030h]10_2_018B0A5B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018B0A5B mov eax, dword ptr fs:[00000030h]10_2_018B0A5B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A6A50 mov eax, dword ptr fs:[00000030h]10_2_018A6A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_018A6A50 mov eax, dword ptr fs:[00000030h]10_2_018A6A50
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Adds a directory exclusion to Windows Defender
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe"
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dWLOfOG.exe"
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe"Jump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dWLOfOG.exe"Jump to behavior
                Allocates memory in foreign processes
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
                Found direct / indirect Syscall (likely to bypass EDR)
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtWriteVirtualMemory: Direct from: 0x77762E3CJump to behavior
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtMapViewOfSection: Direct from: 0x77762D1C
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtNotifyChangeKey: Direct from: 0x77763C2C
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtCreateMutant: Direct from: 0x777635CC
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtResumeThread: Direct from: 0x777636AC
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtProtectVirtualMemory: Direct from: 0x77757B2E
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtQuerySystemInformation: Direct from: 0x77762DFC
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtAllocateVirtualMemory: Direct from: 0x77762BFC
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtReadFile: Direct from: 0x77762ADCJump to behavior
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtDelayExecution: Direct from: 0x77762DDC
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtWriteVirtualMemory: Direct from: 0x7776490CJump to behavior
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtQueryInformationProcess: Direct from: 0x77762C26
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtResumeThread: Direct from: 0x77762FBCJump to behavior
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtCreateUserProcess: Direct from: 0x7776371CJump to behavior
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtSetInformationThread: Direct from: 0x777563F9
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtAllocateVirtualMemory: Direct from: 0x77763C9C
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtSetInformationThread: Direct from: 0x77762B4C
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtQueryAttributesFile: Direct from: 0x77762E6C
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtClose: Direct from: 0x77762B6C
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtReadVirtualMemory: Direct from: 0x77762E8CJump to behavior
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtCreateKey: Direct from: 0x77762C6C
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtQuerySystemInformation: Direct from: 0x777648CC
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtAllocateVirtualMemory: Direct from: 0x777648ECJump to behavior
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtQueryVolumeInformationFile: Direct from: 0x77762F2CJump to behavior
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtOpenSection: Direct from: 0x77762E0C
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtDeviceIoControlFile: Direct from: 0x77762AEC
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtAllocateVirtualMemory: Direct from: 0x77762BEC
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtQueryInformationToken: Direct from: 0x77762CAC
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtTerminateThread: Direct from: 0x77762FCC
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtCreateFile: Direct from: 0x77762FEC
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtOpenFile: Direct from: 0x77762DCC
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtOpenKeyEx: Direct from: 0x77762B9C
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtSetInformationProcess: Direct from: 0x77762C5C
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeNtProtectVirtualMemory: Direct from: 0x77762F9C
                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
                Maps a DLL or memory area into another process
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: NULL target: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: NULL target: C:\Windows\SysWOW64\MuiUnattend.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: NULL target: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exe protection: read write
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: NULL target: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\MuiUnattend.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Modifies the context of a thread in another process (thread injection)
                Source: C:\Windows\SysWOW64\MuiUnattend.exeThread register set: target process: 8160
                Queues an APC in another process (thread injection)
                Source: C:\Windows\SysWOW64\MuiUnattend.exeThread APC queued: target process: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exe
                Writes to foreign memory regions
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000Jump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1143008Jump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000Jump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D66008Jump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe"Jump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dWLOfOG.exe"Jump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWLOfOG" /XML "C:\Users\user\AppData\Local\Temp\tmpC38C.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWLOfOG" /XML "C:\Users\user\AppData\Local\Temp\tmpFBF1.tmp"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Program Files (x86)\NaTKAPkXiXYlhISftkeicbQCMpcaRxkMHIDFIDHgqLhDWFE\mCMv4ksWR9vP9.exeProcess created: C:\Windows\SysWOW64\MuiUnattend.exe "C:\Windows\SysWOW64\MuiUnattend.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: mCMv4ksWR9vP9.exe, 00000013.00000002.3770386854.0000000000D60000.00000002.00000001.00040000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000013.00000000.1557600728.0000000000D60000.00000002.00000001.00040000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000015.00000002.3767757111.0000000000F60000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: mCMv4ksWR9vP9.exe, 00000013.00000002.3770386854.0000000000D60000.00000002.00000001.00040000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000013.00000000.1557600728.0000000000D60000.00000002.00000001.00040000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000015.00000002.3767757111.0000000000F60000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: mCMv4ksWR9vP9.exe, 00000013.00000002.3770386854.0000000000D60000.00000002.00000001.00040000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000013.00000000.1557600728.0000000000D60000.00000002.00000001.00040000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000015.00000002.3767757111.0000000000F60000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: ?Program Manager
                Source: mCMv4ksWR9vP9.exe, 00000013.00000002.3770386854.0000000000D60000.00000002.00000001.00040000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000013.00000000.1557600728.0000000000D60000.00000002.00000001.00040000.00000000.sdmp, mCMv4ksWR9vP9.exe, 00000015.00000002.3767757111.0000000000F60000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeQueries volume information: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeQueries volume information: C:\Users\user\AppData\Roaming\dWLOfOG.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\dWLOfOG.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\RFQ RFQ-BA-00090303885-xlsx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000A.00000002.1631596445.0000000001800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.3771626831.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.3759244019.0000000002940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.3774270647.0000000004E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.3771561486.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.1630090977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000013.00000002.3771790216.0000000002380000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.1633416834.0000000001CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Windows\SysWOW64\MuiUnattend.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StateJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local StateJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                Tries to steal Mail credentials (via file / registry access)
                Source: C:\Windows\SysWOW64\MuiUnattend.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000A.00000002.1631596445.0000000001800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.3771626831.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.3759244019.0000000002940000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.3774270647.0000000004E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.3771561486.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.1630090977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000013.00000002.3771790216.0000000002380000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.1633416834.0000000001CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                Scheduled Task/Job                		1
                Scheduled Task/Job                		612
                Process Injection                		1
                Masquerading                		1
                OS Credential Dumping                		221
                Security Software Discovery                		Remote Services1
                Email Collection                		1
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/Job1
                DLL Side-Loading                		1
                Scheduled Task/Job                		11
                Disable or Modify Tools                		LSASS Memory2
                Process Discovery                		Remote Desktop Protocol1
                Archive Collected Data                		3
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                Abuse Elevation Control Mechanism                		41
                Virtualization/Sandbox Evasion                		Security Account Manager41
                Virtualization/Sandbox Evasion                		SMB/Windows Admin Shares1
                Data from Local System                		4
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                DLL Side-Loading                		612
                Process Injection                		NTDS1
                Application Window Discovery                		Distributed Component Object ModelInput Capture4
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Deobfuscate/Decode Files or Information                		LSA Secrets1
                File and Directory Discovery                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                Abuse Elevation Control Mechanism                		Cached Domain Credentials113
                System Information Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items4
                Obfuscated Files or Information                		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job12
                Software Packing                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                DLL Side-Loading                		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1608115 Sample: RFQ RFQ-BA-00090303885-xlsx.exe Startdate: 06/02/2025 Architecture: WINDOWS Score: 100 69 nocoma.berlin 2->69 71 www.x3kwqc5tye4vl90y.top 2->71 73 14 other IPs or domains 2->73 83 Suricata IDS alerts for network traffic 2->83 85 Antivirus detection for URL or domain 2->85 87 Sigma detected: Scheduled temp file as task from temp location 2->87 89 10 other signatures 2->89 10 RFQ RFQ-BA-00090303885-xlsx.exe 7 2->10         started        14 dWLOfOG.exe 5 2->14         started        signatures3 process4 file5 55 C:\Users\user\AppData\Roaming\dWLOfOG.exe, PE32 10->55 dropped 57 C:\Users\user\...\dWLOfOG.exe:Zone.Identifier, ASCII 10->57 dropped 59 C:\Users\user\AppData\Local\...\tmpC38C.tmp, XML 10->59 dropped 61 C:\...\RFQ RFQ-BA-00090303885-xlsx.exe.log, ASCII 10->61 dropped 91 Writes to foreign memory regions 10->91 93 Allocates memory in foreign processes 10->93 95 Adds a directory exclusion to Windows Defender 10->95 16 RegSvcs.exe 10->16         started        19 powershell.exe 23 10->19         started        21 powershell.exe 23 10->21         started        23 schtasks.exe 1 10->23         started        97 Multi AV Scanner detection for dropped file 14->97 99 Machine Learning detection for dropped file 14->99 101 Injects a PE file into a foreign processes 14->101 25 schtasks.exe 1 14->25         started        27 RegSvcs.exe 14->27         started        29 RegSvcs.exe 14->29         started        31 RegSvcs.exe 14->31         started        signatures6 process7 signatures8 75 Maps a DLL or memory area into another process 16->75 33 mCMv4ksWR9vP9.exe 16->33 injected 77 Loading BitLocker PowerShell Module 19->77 36 WmiPrvSE.exe 19->36         started        38 conhost.exe 19->38         started        40 conhost.exe 21->40         started        42 conhost.exe 23->42         started        44 conhost.exe 25->44         started        process9 signatures10 79 Found direct / indirect Syscall (likely to bypass EDR) 33->79 46 MuiUnattend.exe 13 33->46         started        process11 signatures12 103 Tries to steal Mail credentials (via file / registry access) 46->103 105 Tries to harvest and steal browser information (history, passwords, etc) 46->105 107 Modifies the context of a thread in another process (thread injection) 46->107 109 3 other signatures 46->109 49 mCMv4ksWR9vP9.exe 46->49 injected 53 firefox.exe 46->53         started        process13 dnsIp14 63 nocoma.berlin 217.160.0.167, 49989, 49990, 49991 ONEANDONE-ASBrauerstrasse48DE Germany 49->63 65 an05-prod-x.cdn-ng.net 103.42.144.142, 49997, 49998, 49999 WSN-TW-NET-ASWorldstarNetworkTW Taiwan; Republic of China (ROC) 49->65 67 8 other IPs or domains 49->67 81 Found direct / indirect Syscall (likely to bypass EDR) 49->81 signatures15

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.