
Windows Analysis Report
Payment -Advice-6UoSFOxOntvuu94-PDF.exe

Overview

General Information

Sample name: Payment -Advice-6UoSFOxOntvuu94-PDF.exe
Analysis ID: 1612355
MD5: 1e41c183504e68b1e20afc635ea4bef8
SHA1: 1a298be88294f0bfb671e160be3c0d2e99f7ac71
SHA256: 895d51134ff58b23a2a81460e002598505dffc3fba80ee0e7df38508b87858bf
Tags: exe, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Payment -Advice-6UoSFOxOntvuu94-PDF.exe (PID: 7652 cmdline: "C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe" MD5: 1E41C183504E68B1E20AFC635EA4BEF8)
    • powershell.exe (PID: 7944 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7976 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XPNlWEtXW.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7460 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 8008 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPNlWEtXW" /XML "C:\Users\user\AppData\Local\Temp\tmp48AD.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 8188 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 7184 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • pxnPNuGwnboybvBniSgRpp.exe (PID: 6640 cmdline: "C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\5pkwhImFGJa.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • MuiUnattend.exe (PID: 3492 cmdline: "C:\Windows\SysWOW64\MuiUnattend.exe" MD5: 3D5B670CE8E58D9434946FDD1325553D)
          • pxnPNuGwnboybvBniSgRpp.exe (PID: 6276 cmdline: "C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\LwTOJf5DKgE.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 2148 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • XPNlWEtXW.exe (PID: 2420 cmdline: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe MD5: 1E41C183504E68B1E20AFC635EA4BEF8)
    • schtasks.exe (PID: 1420 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPNlWEtXW" /XML "C:\Users\user\AppData\Local\Temp\tmp7D1B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 1616 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 3184 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000015.00000002.3833175414.0000000000B50000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000A.00000002.1745344839.0000000006030000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000015.00000002.3832837621.00000000009D0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000015.00000002.3829898714.0000000000600000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000A.00000002.1675681898.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

Source | Rule | Description | Author
10.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
10.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe", ParentImage: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe, ParentProcessId: 7652, ParentProcessName: Payment -Advice-6UoSFOxOntvuu94-PDF.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe", ProcessId: 7944, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPNlWEtXW" /XML "C:\Users\user\AppData\Local\Temp\tmp7D1B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPNlWEtXW" /XML "C:\Users\user\AppData\Local\Temp\tmp7D1B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe, ParentImage: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe, ParentProcessId: 2420, ParentProcessName: XPNlWEtXW.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPNlWEtXW" /XML "C:\Users\user\AppData\Local\Temp\tmp7D1B.tmp", ProcessId: 1420, ProcessName: schtasks.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPNlWEtXW" /XML "C:\Users\user\AppData\Local\Temp\tmp48AD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPNlWEtXW" /XML "C:\Users\user\AppData\Local\Temp\tmp48AD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe", ParentImage: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe, ParentProcessId: 7652, ParentProcessName: Payment -Advice-6UoSFOxOntvuu94-PDF.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPNlWEtXW" /XML "C:\Users\user\AppData\Local\Temp\tmp48AD.tmp", ProcessId: 8008, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe", ParentImage: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe, ParentProcessId: 7652, ParentProcessName: Payment -Advice-6UoSFOxOntvuu94-PDF.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe", ProcessId: 7944, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPNlWEtXW" /XML "C:\Users\user\AppData\Local\Temp\tmp48AD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPNlWEtXW" /XML "C:\Users\user\AppData\Local\Temp\tmp48AD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe", ParentImage: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe, ParentProcessId: 7652, ParentProcessName: Payment -Advice-6UoSFOxOntvuu94-PDF.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPNlWEtXW" /XML "C:\Users\user\AppData\Local\Temp\tmp48AD.tmp", ProcessId: 8008, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-11T18:51:03.050129+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 49980 | 188.114.97.3 | 80 | TCP
2025-02-11T18:51:24.653280+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 49985 | 199.59.243.228 | 80 | TCP
2025-02-11T18:51:38.094063+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 49989 | 67.223.117.189 | 80 | TCP
2025-02-11T18:51:51.575343+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 49993 | 217.160.0.167 | 80 | TCP
2025-02-11T18:52:04.994990+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 49997 | 104.21.4.23 | 80 | TCP
2025-02-11T18:52:36.115793+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 50001 | 103.117.135.13 | 80 | TCP
2025-02-11T18:52:49.455736+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 50005 | 47.254.140.255 | 80 | TCP
2025-02-11T18:53:04.726745+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 50009 | 208.91.197.27 | 80 | TCP
2025-02-11T18:53:38.779620+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 50013 | 18.163.74.139 | 80 | TCP
2025-02-11T18:53:52.201092+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 50017 | 188.114.97.3 | 80 | TCP
2025-02-11T18:54:06.848644+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.9 | 50021 | 156.226.63.13 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-11T18:51:17.038955+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49982 | 199.59.243.228 | 80 | TCP
2025-02-11T18:51:19.585309+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49983 | 199.59.243.228 | 80 | TCP
2025-02-11T18:51:22.104034+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49984 | 199.59.243.228 | 80 | TCP
2025-02-11T18:51:30.298406+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49986 | 67.223.117.189 | 80 | TCP
2025-02-11T18:51:32.981921+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49987 | 67.223.117.189 | 80 | TCP
2025-02-11T18:51:35.550338+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49988 | 67.223.117.189 | 80 | TCP
2025-02-11T18:51:43.990926+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49990 | 217.160.0.167 | 80 | TCP
2025-02-11T18:51:46.469991+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49991 | 217.160.0.167 | 80 | TCP
2025-02-11T18:51:49.018436+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49992 | 217.160.0.167 | 80 | TCP
2025-02-11T18:51:57.257990+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49994 | 104.21.4.23 | 80 | TCP
2025-02-11T18:51:59.851774+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49995 | 104.21.4.23 | 80 | TCP
2025-02-11T18:52:02.391428+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49996 | 104.21.4.23 | 80 | TCP
2025-02-11T18:52:28.481405+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49998 | 103.117.135.13 | 80 | TCP
2025-02-11T18:52:31.066714+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 49999 | 103.117.135.13 | 80 | TCP
2025-02-11T18:52:33.562723+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 50000 | 103.117.135.13 | 80 | TCP
2025-02-11T18:52:41.793528+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 50002 | 47.254.140.255 | 80 | TCP
2025-02-11T18:52:44.406328+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 50003 | 47.254.140.255 | 80 | TCP
2025-02-11T18:52:46.912489+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 50004 | 47.254.140.255 | 80 | TCP
2025-02-11T18:52:55.275305+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 50006 | 208.91.197.27 | 80 | TCP
2025-02-11T18:52:58.011456+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 50007 | 208.91.197.27 | 80 | TCP
2025-02-11T18:53:00.639171+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 50008 | 208.91.197.27 | 80 | TCP
2025-02-11T18:53:11.294102+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 50010 | 18.163.74.139 | 80 | TCP
2025-02-11T18:53:13.841032+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 50011 | 18.163.74.139 | 80 | TCP
2025-02-11T18:53:16.389385+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 50012 | 18.163.74.139 | 80 | TCP
2025-02-11T18:53:44.501343+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 50014 | 188.114.97.3 | 80 | TCP
2025-02-11T18:53:47.056337+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 50015 | 188.114.97.3 | 80 | TCP
2025-02-11T18:53:49.608440+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 50016 | 188.114.97.3 | 80 | TCP
2025-02-11T18:53:58.676255+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 50018 | 156.226.63.13 | 80 | TCP
2025-02-11T18:54:01.279618+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 50019 | 156.226.63.13 | 80 | TCP
2025-02-11T18:54:04.100618+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.9 | 50020 | 156.226.63.13 | 80 | TCP

AV Detection

Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exe, Avira: detected
Source: http://www.odvfr.info/mx4t/, Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe, Avira: detection malicious, Label: HEUR/AGEN.1304432
Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe, ReversingLabs: Detection: 67%
Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exe, Virustotal: Detection: 39%
Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exe, ReversingLabs: Detection: 67%
Source: Yara match, File source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000015.00000002.3833175414.0000000000B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.1745344839.0000000006030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.3832837621.00000000009D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.3829898714.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.1675681898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.3833562296.0000000003090000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.1679343673.0000000001910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe, Joe Sandbox ML: detected
Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exe, Joe Sandbox ML: detected
Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegSvcs.pdb, source: MuiUnattend.exe, 00000015.00000002.3835391558.000000000340C000.00000004.10000000.00040000.00000000.sdmp, MuiUnattend.exe, 00000015.00000002.3830512834.000000000089E000.00000004.00000020.00020000.00000000.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000016.00000000.1742620052.0000000002B4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.1967652972.0000000028F0C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000A.00000002.1677080018.0000000001530000.00000040.00001000.00020000.00000000.sdmp, MuiUnattend.exe, 00000015.00000002.3833803663.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp, MuiUnattend.exe, 00000015.00000002.3833803663.0000000002F7E000.00000040.00001000.00020000.00000000.sdmp, MuiUnattend.exe, 00000015.00000003.1677763924.0000000002C33000.00000004.00000020.00020000.00000000.sdmp, MuiUnattend.exe, 00000015.00000003.1675663097.0000000000A58000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000A.00000002.1677080018.0000000001530000.00000040.00001000.00020000.00000000.sdmp, MuiUnattend.exe, 00000015.00000002.3833803663.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp, MuiUnattend.exe, 00000015.00000002.3833803663.0000000002F7E000.00000040.00001000.00020000.00000000.sdmp, MuiUnattend.exe, 00000015.00000003.1677763924.0000000002C33000.00000004.00000020.00020000.00000000.sdmp, MuiUnattend.exe, 00000015.00000003.1675663097.0000000000A58000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MUIUnattend.pdbGCTL source: RegSvcs.exe, 0000000A.00000002.1676140408.00000000010D8000.00000004.00000020.00020000.00000000.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000014.00000003.1613850299.0000000001365000.00000004.00000020.00020000.00000000.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000014.00000002.3831941678.0000000001378000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MUIUnattend.pdb source: RegSvcs.exe, 0000000A.00000002.1676140408.00000000010D8000.00000004.00000020.00020000.00000000.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000014.00000003.1613850299.0000000001365000.00000004.00000020.00020000.00000000.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000014.00000002.3831941678.0000000001378000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: MuiUnattend.exe, 00000015.00000002.3835391558.000000000340C000.00000004.10000000.00040000.00000000.sdmp, MuiUnattend.exe, 00000015.00000002.3830512834.000000000089E000.00000004.00000020.00020000.00000000.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000016.00000000.1742620052.0000000002B4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.1967652972.0000000028F0C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: pxnPNuGwnboybvBniSgRpp.exe, 00000014.00000000.1597869467.000000000013F000.00000002.00000001.01000000.0000000D.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000016.00000000.1741837561.000000000013F000.00000002.00000001.01000000.0000000D.sdmp
Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe, Code function: 4x nop then jmp 06D0EFBEh, 11_2_06D0F68B

Networking

Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49980 -> 188.114.97.3:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49982 -> 199.59.243.228:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49984 -> 199.59.243.228:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49983 -> 199.59.243.228:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49985 -> 199.59.243.228:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49993 -> 217.160.0.167:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49988 -> 67.223.117.189:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49999 -> 103.117.135.13:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49990 -> 217.160.0.167:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:50003 -> 47.254.140.255:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49989 -> 67.223.117.189:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49987 -> 67.223.117.189:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49998 -> 103.117.135.13:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49992 -> 217.160.0.167:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:50007 -> 208.91.197.27:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:50005 -> 47.254.140.255:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:50006 -> 208.91.197.27:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:50009 -> 208.91.197.27:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:50011 -> 18.163.74.139:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:50010 -> 18.163.74.139:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49997 -> 104.21.4.23:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:50008 -> 208.91.197.27:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:50015 -> 188.114.97.3:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:50021 -> 156.226.63.13:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:50017 -> 188.114.97.3:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:50019 -> 156.226.63.13:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:50018 -> 156.226.63.13:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:50012 -> 18.163.74.139:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:50020 -> 156.226.63.13:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:50002 -> 47.254.140.255:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:50014 -> 188.114.97.3:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49986 -> 67.223.117.189:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:50001 -> 103.117.135.13:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49994 -> 104.21.4.23:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49995 -> 104.21.4.23:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:50016 -> 188.114.97.3:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49991 -> 217.160.0.167:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49996 -> 104.21.4.23:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:50013 -> 18.163.74.139:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:50004 -> 47.254.140.255:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:50000 -> 103.117.135.13:80
Source: Joe Sandbox View, IP Address: 67.223.117.189
Source: Joe Sandbox View, IP Address: 217.160.0.167
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global traffic | HTTP traffic detected: GET /bdqz/?5Np01b=3EFwHvl7kAnwrw6cr4YoLmo0KPtW3BBcFs6upFqRoaduv0/9QPc6T3r6HHR+m6eKjCencw550LpZW+YE9P3Fn0jdLdiwEizHTkdR4faOWoQH6fkp7A==&zH9tz=qtzTFZW8YFk46bp HTTP/1.1 | Host: www.clzt.shop | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Mozilla/5.0 (Linux; Ubuntu 14.04 like Android 4.4) AppleWebKit/537.36 Chromium/35.0.1870.2 Mobile Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /0lb6/?5Np01b=RsQ2O/vAe7gHsCnGLZJ7WlI729vZ5lfjfmfst51sI9Ho3cPPd3gRP6MYnvqBVSa2zA9t2QCTgOITMaJH0PDG2okmbEirnBVq1R5dzdcue6klq/FCxg==&zH9tz=qtzTFZW8YFk46bp HTTP/1.1 | Host: www.marketyemen.holdings | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Mozilla/5.0 (Linux; Ubuntu 14.04 like Android 4.4) AppleWebKit/537.36 Chromium/35.0.1870.2 Mobile Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /c9gw/?5Np01b=SsunhYVICuYhVrYXF5l0Rze8GVkMgaCZrexMfD2Sd3wSp/7lNUzttLQCA4G0Bl3oW5CVngPV7bcZdzD7vschZ4F6ivADRlBfQ4/dz2wSTt6KbqegBw==&zH9tz=qtzTFZW8YFk46bp HTTP/1.1 | Host: www.visionaryb.site | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Mozilla/5.0 (Linux; Ubuntu 14.04 like Android 4.4) AppleWebKit/537.36 Chromium/35.0.1870.2 Mobile Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /2i73/?5Np01b=upwob849MgwLlxGXW4RAkL3N1QiGySBlt+fAe1SpeGkaX6TUtmoM4wbQzfITto/a/mETwjZ65KAHF7SHziDl/TGYSW7k7L4Z9zYSzVGvPxCacVyCJw==&zH9tz=qtzTFZW8YFk46bp HTTP/1.1 | Host: www.nocoma.berlin | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Mozilla/5.0 (Linux; Ubuntu 14.04 like Android 4.4) AppleWebKit/537.36 Chromium/35.0.1870.2 Mobile Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /1pei/?5Np01b=2c+e0oB0PhFplG55K8WWH4toHd1C2jXyLcBv9RpMVNHlUIePnpNGQEc4+2n3m/pgL/muBIq7zC9i8mXywURhRg9GM9ycT8EzhihhfGVKcVJ6mWepyw==&zH9tz=qtzTFZW8YFk46bp HTTP/1.1 | Host: www.jyshe18.buzz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Mozilla/5.0 (Linux; Ubuntu 14.04 like Android 4.4) AppleWebKit/537.36 Chromium/35.0.1870.2 Mobile Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /ubi8/?5Np01b=JBBZe45r1zHR61EXYE3jrtmFQAuUsNCUeqnwaHGWry1YCoR5R9C3of6qt1Xeok6JQYepn2uot/lzXpYwprc5Gjc2w/N9DhDjXMAHLPWUZmT0rKYx9A==&zH9tz=qtzTFZW8YFk46bp HTTP/1.1 | Host: www.dffmdogmyftftv2e.cyou | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Mozilla/5.0 (Linux; Ubuntu 14.04 like Android 4.4) AppleWebKit/537.36 Chromium/35.0.1870.2 Mobile Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /mx4t/?5Np01b=CBM4fganU1nouDP5gq7973XyqJYfY1suj2m0EjSYllKVfylKulo3Q9YCNzkMq41zl0FNatlanjFJI4hqfTeUWXpfICF9tcanzVbF7520SZpy+i2sQA==&zH9tz=qtzTFZW8YFk46bp HTTP/1.1 | Host: www.odvfr.info | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Mozilla/5.0 (Linux; Ubuntu 14.04 like Android 4.4) AppleWebKit/537.36 Chromium/35.0.1870.2 Mobile Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /7dbs/?5Np01b=W0h7Mz5I8JUpGlckzU0CyRO1IZxMGX/XDZTxuEzyuvwMy7awh9AyKQ1l+7gQys7+qwgfjGSyzA4c6PFqXyu+yfNh+TFSDH1lK1pprXRAk1xJv2UMYA==&zH9tz=qtzTFZW8YFk46bp HTTP/1.1 | Host: www.epayassist.net | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Mozilla/5.0 (Linux; Ubuntu 14.04 like Android 4.4) AppleWebKit/537.36 Chromium/35.0.1870.2 Mobile Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /sm7g/?5Np01b=Jtz03/p5UZ5tFpOO533MTh0AvjsYyoWH9JBFgzvyrp3AhZcd7KCKS2brdbUWY47k6XXD3RVUZb/VZZqKrX74nIOX3EWyp+rhJF7c29mMBEKnLtrzoA==&zH9tz=qtzTFZW8YFk46bp HTTP/1.1 | Host: www.fzmmkj.shop | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Mozilla/5.0 (Linux; Ubuntu 14.04 like Android 4.4) AppleWebKit/537.36 Chromium/35.0.1870.2 Mobile Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /bc93/?5Np01b=ftlEd50ggHfII0WAa2IxPcV6fFP3E2SWADrO90FrZZEco6hHwNKeX6Q8g1Zb9CuiZ1uL8vBBOMjmzZ/8xJemM2BUr9pxriX+T0LLjVOLW4BOdi9jGg==&zH9tz=qtzTFZW8YFk46bp HTTP/1.1 | Host: www.desktitle.homes | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Mozilla/5.0 (Linux; Ubuntu 14.04 like Android 4.4) AppleWebKit/537.36 Chromium/35.0.1870.2 Mobile Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /3rpf/?5Np01b=C2I8TEjqO9RUWXPZUs3taF+JTPKHuAdYsVdGLDGDXtX5f6BvFUcsKwbTSZjjkKXyaIGDKFO2GMFseEmBk28fNuLrPfGW47zN/Dqe7knRAg+A6C2j+g==&zH9tz=qtzTFZW8YFk46bp HTTP/1.1 | Host: www.wuyyv4tq.top | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en;q=0.5 | Connection: close | User-Agent: Mozilla/5.0 (Linux; Ubuntu 14.04 like Android 4.4) AppleWebKit/537.36 Chromium/35.0.1870.2 Mobile Safari/537.36
                Source: global traffic | DNS traffic detected: DNS query: www.clzt.shop
                Source: global traffic | DNS traffic detected: DNS query: www.x3kwqc5tye4vl90y.top
                Source: global traffic | DNS traffic detected: DNS query: www.marketyemen.holdings
                Source: global traffic | DNS traffic detected: DNS query: www.visionaryb.site
                Source: global traffic | DNS traffic detected: DNS query: www.nocoma.berlin
                Source: global traffic | DNS traffic detected: DNS query: www.jyshe18.buzz
                Source: global traffic | DNS traffic detected: DNS query: www.reynamart.store
                Source: global traffic | DNS traffic detected: DNS query: www.nhengtai.net
                Source: global traffic | DNS traffic detected: DNS query: www.dffmdogmyftftv2e.cyou
                Source: global traffic | DNS traffic detected: DNS query: www.odvfr.info
                Source: global traffic | DNS traffic detected: DNS query: www.epayassist.net
                Source: global traffic | DNS traffic detected: DNS query: www.fzmmkj.shop
                Source: global traffic | DNS traffic detected: DNS query: www.desktitle.homes
                Source: global traffic | DNS traffic detected: DNS query: www.wuyyv4tq.top
                Source: unknown | HTTP traffic detected: POST /0lb6/ HTTP/1.1 | Host: www.marketyemen.holdings | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Encoding: gzip, deflate | Accept-Language: en-US,en;q=0.5 | Content-Length: 195 | Content-Type: application/x-www-form-urlencoded | Connection: close | Cache-Control: max-age=0 | Origin: http://www.marketyemen.holdings | Referer: http://www.marketyemen.holdings/0lb6/ | User-Agent: Mozilla/5.0 (Linux; Ubuntu 14.04 like Android 4.4) AppleWebKit/537.36 Chromium/35.0.1870.2 Mobile Safari/537.36 | Data Ascii: 5Np01b=cu4WNIaMB+Aeg02LFYUuWTB9zr2j23PNVhLB1p51BeLghvXeIWc0Tbl0h/O+DxPCgykZ82eznqkyZLc0t+PJ95McdwfLhRBuzw1bxt8yd5Upjc86wv9LbQV7qooz9ISAS6ilPMjzYiYUBRvVpYwvY361Ux/SjO9cz6a/NAyxys8EbXXsEAsb1WrlZRUf
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 11 Feb 2025 17:51:30 GMT | Server: Apache | Content-Length: 32106 | Connection: close | Content-Type: text/html
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 11 Feb 2025 17:51:32 GMT | Server: Apache | Content-Length: 32106 | Connection: close | Content-Type: text/html
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 11 Feb 2025 17:51:35 GMT | Server: Apache | Content-Length: 32106 | Connection: close | Content-Type: text/html
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 11 Feb 2025 17:51:37 GMT | Server: Apache | Content-Length: 32106 | Connection: close | Content-Type: text/html; charset=utf-8
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Tue, 11 Feb 2025 17:52:41 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | X-Trace: 2BFC933ED4588090EA4E3976C6950E15137E0CD62A26FDB05D3E02EFD400 | Set-Cookie: _csrf=f124b711bc90fbaf1a2e0935fc3326dc53d125ba8f8d58999a2580f0c67be1eba%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%222PPYCDKWNP956jV0IjbgU0skA9lhuboL%22%3B%7D; path=/; HttpOnly
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Tue, 11 Feb 2025 17:52:44 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | X-Trace: 2B207818795F3C29F5A72095E55C2F5F7B6420F7218E672B02EC690A8800 | Set-Cookie: _csrf=1fdf9ea5501fc871fa1de6dbda65e4f90be6dd56b76a5a9ca4c30a0f7a2b6205a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22WX7QTwgZ6IXpHJu8En3C3mHVPYzvjRMZ%22%3B%7D; path=/; HttpOnly
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Tue, 11 Feb 2025 17:52:46 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | X-Trace: 2B7A88314F8937BA751E48AFBBB3CA2C6194644790638CB71A8D3B549B00 | Set-Cookie: _csrf=dafac083075b1650324ff5d3cd9e240766b2ef5a025e95beca2219a6ba256a9aa%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22aDvIAy-PcVh0TCAeAsOaBiWQHDNgD6_i%22%3B%7D; path=/; HttpOnly
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.20.1 | Date: Tue, 11 Feb 2025 17:52:49 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | X-Trace: 2BC11DEF17FAEB91B99E36838273F43B467EDEFB3DA5422D3D50E35E5100 | Set-Cookie: _csrf=38786f2fd1c222c3a71a77eccac1ccca3cb201cbfd84855336f310edc1ea96b9a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22FmuoAxNaxjbEVW9dxchBQvU1RUxJ-Ytg%22%3B%7D; path=/; HttpOnly
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 11 Feb 2025 17:53:44 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Set-Cookie: JSESSID=ourhqounamegjfe00nmbc7pmigme5761; expires=Tue, 18-Feb-2025 17:53:44 GMT; Max-Age=604800; path=/; secure; HttpOnly; SameSite=None | Expires: Thu, 19 Nov 1981 08:52:00 GMT | Cache-Control: no-store, no-cache, must-revalidate | Pragma: no-cache | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e0GehXgv80oaziVztguKJIW%2Fqh%2FH4RYkVtsRcJlZVz%2Bn26OE5TpvZVtZ0UoFFnGtdHQNlIhO6DbYar4AzNOEcZMMKZofCrgcATA28hbeWaCGf%2Bw%2FuXvkk4Ija4%2BYEdg2YcIdqGgo"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 9106333b9b19434f-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1588&min_rtt=1588&rtt_var=794&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=725&delivery_rate=0&cwnd=207&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Feb 2025 17:53:47 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingSet-Cookie: JSESSID=n62ds2j0g44gfskfjll39866ad7c37r5; expires=Tue, 18-Feb-2025 17:53:46 GMT; Max-Age=604800; path=/; secure; HttpOnly; SameSite=NoneExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cachecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cx32uDXHHQh%2F8ajkUi4hZ%2B8jL7UKGWr2ExQ6ouPlcTMHgQ%2FW2g%2BI%2FL8df09Lt021aDKIkQ0REllIFnZw%2Fr8nRc6x%2BQqnC810Ro9Kr4TR5OOONZe3GeDgT5F0H0fDJpZiXDAziEg6"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9106334b6ffc4263-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1891&min_rtt=1891&rtt_var=945&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=749&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 30 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 59 dd 8e e3 b6 15 be 9f a7 38 cb 2d 10 0f 60 49 f6 64 76 33 33 6b 39 48 26 1b 20 40 fe d0 4e 90 06 db c5 80 26 8f 2c ce 50 a4 96 a4 ec 71 b2 0b 04 bd e8 13 f4 05 7a 59 f4 26 17 0d d0 a2 c8 4d 9e 60 f2 0a 7d 92 82 94 64 cb 1e db 3b d9 26 28 aa 0b 8b 3a fa ce e1 39 87 e7 87 94 47 0f 3e f8 ec fc e2 ab cf 9f 42 ee 0a 39 3e 18 f9 1b 48 aa a6 29 31 d5 e5 6f bf 20 Data Ascii: 908Y8-`Idv33k9H& @N&,PqzY&M`}d;&(:9G>B9>H)1o
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Feb 2025 17:53:49 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingSet-Cookie: JSESSID=s5tfcdepnflvn0ppj0b4t53778530d6r; expires=Tue, 18-Feb-2025 17:53:49 GMT; Max-Age=604800; path=/; secure; HttpOnly; SameSite=NoneExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cachecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xBmL9W0%2BmkZy8ZnSEPhtXtq56uq0cnTIngukh3UOpq4LvF7R0JIbyBYxaObmFLrfUWaJPVkrlAzSAnhT0dAebXjVUbAm5FnpXTQdqTJaqzyDq3X56HSSLEqkG9PYB6xQUBl8mOoR"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9106335b7c594239-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1788&min_rtt=1788&rtt_var=894&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1762&delivery_rate=0&cwnd=215&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 30 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 59 dd 8e e3 b6 15 be 9f a7 38 cb 2d 10 0f 60 49 f6 64 76 33 33 6b 39 48 26 1b 20 40 fe d0 4e 90 06 db c5 80 26 8f 2c ce 50 a4 96 a4 ec 71 b2 0b 04 bd e8 13 f4 05 7a 59 f4 26 17 0d d0 a2 c8 4d 9e 60 f2 0a 7d 92 82 94 64 cb 1e db 3b d9 26 28 aa 0b 8b 3a fa ce e1 39 87 e7 87 94 47 0f 3e f8 ec fc e2 ab cf 9f 42 ee 0a 39 3e 18 f9 1b 48 aa a6 29 31 d5 e5 6f bf 20 9e 86 94 8f 0f 00 00 46 05 3a 0a Data Ascii: 908Y8-`Idv33k9H& @N&,PqzY&M`}d;&(:9G>B9>H)1o F:
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Feb 2025 17:53:52 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingSet-Cookie: JSESSID=f016cvb8jtddrcebujccfar6eghac7u0; expires=Tue, 18-Feb-2025 17:53:52 GMT; Max-Age=604800; path=/; secure; HttpOnly; SameSite=NoneExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cachecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oi%2FmvBQvVlPgjg%2FDbPemdHuXeXqYZLd9noKKI2uyfHg42ZHyR%2FX4W59PWAFqgEyhBZ070%2BJwCuWPpc8Jf4SsAQPR5g3RZ3SLIvtNFN44F5wHA94j7jmPwqcdIg7kBChsCPKf%2BCr7"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9106336b5a793354-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1964&min_rtt=1964&rtt_var=982&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=468&delivery_rate=0&cwnd=112&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 63 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 5f 52 55 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 0a 20 20 20 20 20 20 20 20 20 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 2c 20 69 6e 69 74 69 Data Ascii: 1c00<!DOCTYPE html><html lang="ru_RU"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, user-scalable=no, initi
                Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Tue, 11 Feb 2025 17:53:58 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Tue, 11 Feb 2025 17:54:01 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Tue, 11 Feb 2025 17:54:03 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Tue, 11 Feb 2025 17:54:06 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
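The responses logged above reach the report with the body rendered as a space-separated hex dump ("Data Raw") that still carries the chunked transfer-coding framing, is gzip-compressed for the Cloudflare-fronted hosts, and is cut off after a few hundred bytes; for the compressed ones the "Data Ascii" column is unreadable. The Python below is an added example, not part of the Joe Sandbox report: it decodes such a dump back to HTML, tolerates the truncation, and reports whether the body was complete. The 403 header blob and hex bytes are copied from the nginx entries above; the chunked, gzip-compressed 404 sample is constructed inside the block so it runs offline. A body that turns out to be a hosting provider's stock 404 or 403 page, as every response above does, is consistent with contacts to decoy or dead domains; a host that answers with anything else is the one to look at.

```python
"""Decode the hex 'Data Raw' column of the sandbox HTTP-response entries.

Added example, not code from the Joe Sandbox report. NGINX_403_HEADERS and
NGINX_403_HEX are copied from the report's 403 Forbidden entry (the report
runs header fields together; the parser tolerates that). The 404 sample is
constructed here, mirroring the chunked, gzip-compressed Cloudflare replies.
"""
import gzip
import re
import zlib
from typing import Optional, Tuple

NGINX_403_HEADERS = ("HTTP/1.1 403 ForbiddenServer: nginxDate: Tue, 11 Feb 2025 17:53:58 GMT"
                     "Content-Type: text/htmlContent-Length: 146Connection: close")
NGINX_403_HEX = " ".join([
    "3c 68 74 6d 6c 3e 0d 0a",                                                        # <html>\r\n
    "3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e",  # <head><title>403 Forbidden
    "3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a",                             # </title></head>\r\n
    "3c 62 6f 64 79 3e 0d 0a",                                                        # <body>\r\n
    "3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e",     # <center><h1>403 Forbidden
    "3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a",                                # </h1></center>\r\n
    "3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a",  # <hr><center>nginx</center>\r\n
    "3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a",                          # </body>\r\n</html>\r\n
])

# Constructed stand-in for the chunked + gzip 404 pages above (not captured traffic).
SAMPLE_404_HEADERS = ("HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8"
                      "Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzip")
SAMPLE_404_HTML = (
    b'<!DOCTYPE html>\n<html lang="en-US">\n<head>\n    <meta charset="UTF-8">\n'
    b'    <meta name="viewport" content="width=device-width, initial-scale=1">\n'
    b'    <title>Not Found (#404)</title>\n    <link href="/css/site.css" rel="stylesheet"></head>\n'
    b'<body>\n<div class="wrap">\n<div class="site-error">\n<h1>Not Found (#404)</h1>\n'
    b'<div class="alert alert-danger">Page not found.</div>\n'
    b'<p>The above error occurred while the Web server was processing your request.</p>\n'
    b'<p>Please contact us if you think this is a server error. Thank you.</p>\n'
    b'</div>\n</div>\n</body>\n</html>\n'
)
SAMPLE_404_GZ_LEN = len(gzip.compress(SAMPLE_404_HTML, mtime=0))


def make_chunked_gzip_dump(html: bytes, keep: Optional[int] = None) -> str:
    """Frame a gzip body as one HTTP chunk and render it like the report's hex column.
    keep=N cuts the stream after N compressed bytes, as the report does for long bodies."""
    gz = gzip.compress(html, mtime=0)
    framed = b"%x\r\n" % len(gz) + (gz + b"\r\n0\r\n\r\n" if keep is None else gz[:keep])
    return framed.hex(" ")


def dechunk(data: bytes) -> Tuple[bytes, bool]:
    """Undo chunked transfer-coding; the flag says whether the terminating 0-chunk was seen."""
    out, pos = bytearray(), 0
    while pos < len(data):
        end = data.find(b"\r\n", pos)
        if end < 0:
            break
        try:
            size = int(data[pos:end].split(b";")[0], 16)   # chunk-size, extensions dropped
        except ValueError:
            break
        if size == 0:
            return bytes(out), True
        out += data[end + 2:end + 2 + size]                  # a cut-off chunk yields a prefix
        pos = end + 2 + size + 2
    return bytes(out), False


def gunzip_partial(data: bytes) -> Tuple[bytes, bool]:
    """Inflate gzip even when truncated; returns the decodable prefix and a stream-complete flag."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    try:
        return d.decompress(data), d.eof
    except zlib.error:
        return b"", False


def html_title(body: bytes) -> Optional[str]:
    m = re.search(rb"<title>(.*?)</title>", body, re.I | re.S)
    return m.group(1).decode("utf-8", "replace").strip() if m else None


def decode_response(header_blob: str, data_raw: str) -> dict:
    """Status, decoded body, <title> and completeness for one 'HTTP traffic detected' entry."""
    status = re.match(r"HTTP/1\.\d\s+(\d{3})", header_blob)
    body = bytes.fromhex("".join(data_raw.split()))
    length = re.search(r"Content-Length:\s*(\d+)", header_blob)
    complete = len(body) == int(length.group(1)) if length else True
    if "Transfer-Encoding: chunked" in header_blob:
        body, done = dechunk(body)
        complete = complete and done
    if "Content-Encoding: gzip" in header_blob:
        body, done = gunzip_partial(body)
        complete = complete and done
    return {"status": int(status.group(1)) if status else None,
            "title": html_title(body), "complete": complete, "body": body}


if __name__ == "__main__":
    truncated = make_chunked_gzip_dump(SAMPLE_404_HTML, keep=SAMPLE_404_GZ_LEN * 3 // 4)
    for hdr, hexdump in [(NGINX_403_HEADERS, NGINX_403_HEX), (SAMPLE_404_HEADERS, truncated)]:
        r = decode_response(hdr, hexdump)
        print(r["status"], r["title"], "complete" if r["complete"] else "truncated", len(r["body"]), "bytes")
```

To use it on the report's own entries, paste the text between "HTTP traffic detected:" and "Data Raw:" as the header blob and the hex between "Data Raw:" and "Data Ascii:" as the dump; the gzip entries above will come back as truncated with whatever prefix of the page survived the cut.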
                Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exe, XPNlWEtXW.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exe, XPNlWEtXW.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exe, XPNlWEtXW.exe.0.drString found in binary or memory: http://ocsp.comodoca.com0
                Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exe, 00000000.00000002.1462994194.0000000002861000.00000004.00000800.00020000.00000000.sdmp, Payment -Advice-6UoSFOxOntvuu94-PDF.exe, 00000000.00000002.1462994194.0000000002AEC000.00000004.00000800.00020000.00000000.sdmp, XPNlWEtXW.exe, 0000000B.00000002.1614860544.0000000002995000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: MuiUnattend.exe, 00000015.00000002.3835391558.0000000003FCE000.00000004.10000000.00040000.00000000.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000016.00000002.3834366263.000000000370E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.jyshe18.buzz/
                Source: pxnPNuGwnboybvBniSgRpp.exe, 00000016.00000002.3833275752.0000000002768000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.wuyyv4tq.top
                Source: pxnPNuGwnboybvBniSgRpp.exe, 00000016.00000002.3833275752.0000000002768000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.wuyyv4tq.top/3rpf/
                Source: MuiUnattend.exe, 00000015.00000002.3837899362.000000000762A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: MuiUnattend.exe, 00000015.00000002.3837899362.000000000762A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: MuiUnattend.exe, 00000015.00000002.3835391558.0000000004ACC000.00000004.10000000.00040000.00000000.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000016.00000002.3834366263.000000000420C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdn.jsdelivr.net/npm/yandex-metrica-watch/tag.js
                Source: MuiUnattend.exe, 00000015.00000002.3837899362.000000000762A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: MuiUnattend.exe, 00000015.00000002.3837899362.000000000762A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: pxnPNuGwnboybvBniSgRpp.exe, 00000016.00000002.3834366263.0000000003EE8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://dts.gnpge.com
                Source: MuiUnattend.exe, 00000015.00000002.3837899362.000000000762A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: MuiUnattend.exe, 00000015.00000002.3837899362.000000000762A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: MuiUnattend.exe, 00000015.00000002.3837899362.000000000762A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: MuiUnattend.exe, 00000015.00000002.3835391558.0000000004484000.00000004.10000000.00040000.00000000.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000016.00000002.3834366263.0000000003BC4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://error.skycloud.tw/system/error?code=400
                Source: MuiUnattend.exe, 00000015.00000002.3835391558.0000000003CAA000.00000004.10000000.00040000.00000000.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000016.00000002.3834366263.00000000033EA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Open
                Source: MuiUnattend.exe, 00000015.00000002.3830512834.00000000008B9000.00000004.00000020.00020000.00000000.sdmp, MuiUnattend.exe, 00000015.00000002.3830512834.00000000008EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: MuiUnattend.exe, 00000015.00000002.3830512834.00000000008EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: MuiUnattend.exe, 00000015.00000003.1855099193.000000000760B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: MuiUnattend.exe, 00000015.00000002.3830512834.00000000008B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: MuiUnattend.exe, 00000015.00000002.3830512834.00000000008B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: MuiUnattend.exe, 00000015.00000002.3830512834.00000000008B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: MuiUnattend.exe, 00000015.00000002.3830512834.00000000008EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exe, XPNlWEtXW.exe.0.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                Source: MuiUnattend.exe, 00000015.00000002.3837899362.000000000762A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: MuiUnattend.exe, 00000015.00000002.3835391558.0000000003B18000.00000004.10000000.00040000.00000000.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000016.00000002.3834366263.0000000003258000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: pxnPNuGwnboybvBniSgRpp.exe, 00000016.00000002.3834366263.000000000357C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.strato.de

                E-Banking Fraud

                barindex
                Source: Yara matchFile source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000015.00000002.3833175414.0000000000B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.1745344839.0000000006030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.3832837621.00000000009D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.3829898714.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.1675681898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.3833562296.0000000003090000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.1679343673.0000000001910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                barindex
                Source: initial sampleStatic PE information: Filename: Payment -Advice-6UoSFOxOntvuu94-PDF.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0042CB93 NtClose,10_2_0042CB93
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0040AD14 NtDelayExecution,10_2_0040AD14
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A35C0 NtCreateMutant,LdrInitializeThunk,10_2_015A35C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2B60 NtClose,LdrInitializeThunk,10_2_015A2B60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2DF0 NtQuerySystemInformation,LdrInitializeThunk,10_2_015A2DF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2C70 NtFreeVirtualMemory,LdrInitializeThunk,10_2_015A2C70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A3010 NtOpenDirectoryObject,10_2_015A3010
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A3090 NtSetValueKey,10_2_015A3090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A4340 NtSetContextThread,10_2_015A4340
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A4650 NtSuspendThread,10_2_015A4650
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A39B0 NtGetContextThread,10_2_015A39B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2BF0 NtAllocateVirtualMemory,10_2_015A2BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2BE0 NtQueryValueKey,10_2_015A2BE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2B80 NtQueryInformationFile,10_2_015A2B80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2BA0 NtEnumerateValueKey,10_2_015A2BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2AD0 NtReadFile,10_2_015A2AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2AF0 NtWriteFile,10_2_015A2AF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2AB0 NtWaitForSingleObject,10_2_015A2AB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A3D70 NtOpenThread,10_2_015A3D70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2D10 NtMapViewOfSection,10_2_015A2D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A3D10 NtOpenProcessToken,10_2_015A3D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2D00 NtSetInformationFile,10_2_015A2D00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2D30 NtUnmapViewOfSection,10_2_015A2D30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2DD0 NtDelayExecution,10_2_015A2DD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2DB0 NtEnumerateKey,10_2_015A2DB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2C60 NtCreateKey,10_2_015A2C60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2C00 NtQueryInformationProcess,10_2_015A2C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2CC0 NtQueryVirtualMemory,10_2_015A2CC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2CF0 NtOpenProcess,10_2_015A2CF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2CA0 NtQueryInformationToken,10_2_015A2CA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2F60 NtCreateProcessEx,10_2_015A2F60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2F30 NtCreateSection,10_2_015A2F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2FE0 NtCreateFile,10_2_015A2FE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2F90 NtProtectVirtualMemory,10_2_015A2F90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2FB0 NtResumeThread,10_2_015A2FB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2FA0 NtQuerySection,10_2_015A2FA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2E30 NtWriteVirtualMemory,10_2_015A2E30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2EE0 NtQueueApcThread,10_2_015A2EE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2E80 NtReadVirtualMemory,10_2_015A2E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2EA0 NtAdjustPrivilegesToken,10_2_015A2EA0
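Apart from two wrappers at 0x0040xxxx inside the hollowed image, every Nt* routine listed above for RegSvcs.exe (PID 10) resolves in the 0x015Axxxx range, with neighbouring entry points often only 0x10 or 0x20 bytes apart, which is the layout of ntdll's syscall stub table rather than of the payload's own code. Read together with the "Found direct / indirect Syscall (likely to bypass EDR)" signature in the overview, that is the footprint of an injected payload calling a private copy of the syscall stubs instead of the hooked ntdll.dll, a trait documented for FormBook. The Python below is an added example, not code from the report: it parses "Code function" lines in the report's format, groups the Nt*/Zw* entry points by 64 KB region, and flags a dense cluster that is not inside ntdll.dll. The sixteen input lines are copied from the list above; the module map is constructed and hypothetical, because the report does not print where ntdll.dll or the RegSvcs.exe image were mapped in this process.

```python
"""Flag Nt* syscall stubs that resolve outside ntdll in a sandbox 'Code function' list.

Added example, not code from the Joe Sandbox report. REPORT_LINES are copied from
the System Summary entries above for PID 10 (RegSvcs.exe). MODULES is a constructed,
hypothetical module map: the report does not print where ntdll.dll or the RegSvcs.exe
image were mapped, so a real triage would take these ranges from the process's module list.
"""
import re
import statistics
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

REPORT_LINES = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0042CB93 NtClose,10_2_0042CB93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0040AD14 NtDelayExecution,10_2_0040AD14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2B60 NtClose,LdrInitializeThunk,10_2_015A2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2C70 NtFreeVirtualMemory,LdrInitializeThunk,10_2_015A2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2BF0 NtAllocateVirtualMemory,10_2_015A2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2BE0 NtQueryValueKey,10_2_015A2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2B80 NtQueryInformationFile,10_2_015A2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2BA0 NtEnumerateValueKey,10_2_015A2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2AD0 NtReadFile,10_2_015A2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2AF0 NtWriteFile,10_2_015A2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2AB0 NtWaitForSingleObject,10_2_015A2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2D10 NtMapViewOfSection,10_2_015A2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2D30 NtUnmapViewOfSection,10_2_015A2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2C00 NtQueryInformationProcess,10_2_015A2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2E30 NtWriteVirtualMemory,10_2_015A2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A2EE0 NtQueueApcThread,10_2_015A2EE0
""".strip().splitlines()

# Hypothetical module map for PID 10 (a 32-bit process): name -> (start, end). Placeholder ranges.
MODULES: Dict[str, Tuple[int, int]] = {
    "RegSvcs.exe image (hollowed; holds the unpacked payload)": (0x00400000, 0x00440000),
    "ntdll.dll": (0x77000000, 0x771C0000),
}

# "10_2_015A35C0 NtCreateMutant,LdrInitializeThunk,10_2_015A35C0": pid_stage_addr, APIs, id repeated.
ENTRY_RE = re.compile(
    r"(?P<pid>\d+)_(?P<stage>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"(?P<apis>(?:[A-Za-z_]\w*,)+)(?P=pid)_(?P=stage)_(?P=addr)"
)


def parse_entries(lines: List[str]) -> List[Tuple[int, int, List[str]]]:
    """Return (pid, address, [api names]) for every parsable 'Code function' line."""
    entries = []
    for line in lines:
        m = ENTRY_RE.search(line)
        if m:
            entries.append((int(m["pid"]), int(m["addr"], 16), m["apis"].rstrip(",").split(",")))
    return entries


def module_for(addr: int, modules: Dict[str, Tuple[int, int]]) -> Optional[str]:
    for name, (lo, hi) in modules.items():
        if lo <= addr < hi:
            return name
    return None


def find_stub_clusters(entries, modules, min_stubs: int = 8) -> List[dict]:
    """Group Nt*/Zw* entry points per process and 64 KB region; flag dense clusters outside ntdll.dll.

    Many distinct Nt* entry points a few dozen bytes apart is the shape of ntdll's stub table;
    that shape in memory no module accounts for points at a relocated ntdll or hand-rolled stubs.
    """
    by_region = defaultdict(list)
    for pid, addr, apis in entries:
        if any(api.startswith(("Nt", "Zw")) for api in apis):
            by_region[(pid, addr >> 16)].append(addr)
    findings = []
    for (pid, region), addrs in sorted(by_region.items()):
        if len(addrs) < min_stubs:
            continue
        addrs.sort()
        strides = [b - a for a, b in zip(addrs, addrs[1:])]
        host = module_for(addrs[0], modules)
        findings.append({"pid": pid, "region": region << 16, "stubs": len(addrs),
                         "span": addrs[-1] - addrs[0], "median_stride": int(statistics.median(strides)),
                         "host": host, "suspicious": host != "ntdll.dll"})
    return findings


if __name__ == "__main__":
    for f in find_stub_clusters(parse_entries(REPORT_LINES), MODULES):
        print(f"pid {f['pid']}: {f['stubs']} Nt* stubs within 0x{f['span']:X} bytes at 0x{f['region']:08X} "
              f"(median stride 0x{f['median_stride']:X}), host={f['host']}, suspicious={f['suspicious']}")
```

The threshold of eight stubs per region is a triage knob, not a rule: a handful of Nt* wrappers inside an application's own image (like the two 0x0040xxxx entries here) is normal, while a dozen or more packed into private memory with ntdll-sized gaps is worth a memory dump of that region.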
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_00AADFC40_2_00AADFC4
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06C59E480_2_06C59E48
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06C5A6680_2_06C5A668
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06C5BF780_2_06C5BF78
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06C51A400_2_06C51A40
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06C5B0680_2_06C5B068
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06C5CE400_2_06C5CE40
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06C566500_2_06C56650
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06C5CE500_2_06C5CE50
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06C5A6580_2_06C5A658
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06C59E380_2_06C59E38
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06C58F580_2_06C58F58
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06C58F680_2_06C58F68
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06C5BF250_2_06C5BF25
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06C5E4C00_2_06C5E4C0
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06C5DC900_2_06C5DC90
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06C5DCA00_2_06C5DCA0
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06C5E4B10_2_06C5E4B1
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06C5E2200_2_06C5E220
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06C5E2300_2_06C5E230
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06C51A300_2_06C51A30
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06C5E0C00_2_06C5E0C0
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06C5E0B00_2_06C5E0B0
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06C5B0580_2_06C5B058
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06C5D9CA0_2_06C5D9CA
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06EB43180_2_06EB4318
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06EB29A00_2_06EB29A0
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06EBF6980_2_06EBF698
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06EB47EA0_2_06EB47EA
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06EB47F00_2_06EB47F0
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06EBB4B00_2_06EBB4B0
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06EB430A0_2_06EB430A
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06EB30E00_2_06EB30E0
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06EB30D10_2_06EB30D1
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06EB00400_2_06EB0040
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06EB00210_2_06EB0021
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06EB00060_2_06EB0006
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06EB2E880_2_06EB2E88
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06EB2E790_2_06EB2E79
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06EB2C280_2_06EB2C28
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06EB3C280_2_06EB3C28
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06EB3C380_2_06EB3C38
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06EB2C380_2_06EB2C38
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06EBBD200_2_06EBBD20
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06EBDAA80_2_06EBDAA8
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06EBB8E80_2_06EBB8E8
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeCode function: 0_2_06EB29900_2_06EB2990
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_00418A33
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_00402890
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_004011D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_004031D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0042F1F3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0041019A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_004101A3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_004103C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0040E3A3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_00401420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_00416C2E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_00416C33
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_00402CC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_004024CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_004024D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0040E4E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0040E4F3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0040E53C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015F8158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0163B16B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0155F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015A516C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01560100
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0160A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016281CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016301AA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0157B1B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0162F0E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016270E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015770C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0161F0CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0155D34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0162A352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0162132D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016303E6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0157E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015B739A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01610274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016112ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015F02C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015752A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01627571
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01570535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0160D5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01630591
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01622446
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01561460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0162F43F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0161E4F6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01594750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01570770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0156C7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0162F7B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016216CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158C6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01579950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158B950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01586962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0163A9A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015729A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01572840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0157A840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015DD800
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0159E8F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015738E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015568B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0162FB76
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0162AB40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015ADBF9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015E5BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01626BD7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158FB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01627A46
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0162FA49
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015E3A6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0161DAC6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0160DAAC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0156EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015B5AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01627D73
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01573D40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01621D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0157AD00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158FDC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0156ADE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01588DBF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01570C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015E9C32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0162FCF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01560CF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01610CB5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015E4F40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01590F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0162FF09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015B2F28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01562FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0157CFE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01571F92
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0162FFB1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015EEFA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01570E59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0162EE26
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0162EEDB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01582E90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01579EB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0162CE93
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_00E7DFC4
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_04F18068
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_04F18058
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_04F10040
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_04F10006
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_06D09E48
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_06D0A668
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_06D0BF78
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_06D01A40
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_06D0B068
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_06D0A658
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_06D09E38
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_06D0CF80
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_06D08F58
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_06D0CF70
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_06D08F68
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_06D0BF25
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_06D0DDD0
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_06D0DDC2
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_06D0E5F0
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_06D0E5E1
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_06D0E352
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_06D0E360
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_06D0B058
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_06D0E1F0
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_06D0E1E0
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_070741E8
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_07073B08
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_07072870
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_0707B7B0
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_070746B2
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_070746B8
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_0707B378
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_0707F1B8
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_070741D9
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_07070027
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_07070040
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_07072FA1
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_07072FB0
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_07072D49
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_07072D58
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_07072B08
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_0707BBE8
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_07072AF8
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_07073AF8
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_0707D970
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Code function: 11_2_07072860
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_01370100
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_013C6000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_014002C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_01380535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_01380770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_013A4750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_0137C7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_0139C6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_01396962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_013829A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_01382840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_0138A840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_013668B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_013B8890
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_013AE8F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_0137EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_0138AD00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_0138ED7A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_01398DBF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_0137ADE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_01388DC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_01380C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_01370CF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_013A0F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_013C2F28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_013F4F40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_013FEFA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_01372FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_01380E59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_01392E90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_0136F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_013B516C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_0138B1B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_0136D34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_013833F3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_013852A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_0139D2F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_0139B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_01371460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_01383497
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_013C74E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_0138B730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_01389950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_0139B950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_01385990
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_013ED800
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_013838E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_0139FB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_013BDBF9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_013F5BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_013F3A6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_01383D40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_0139FDC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_013F9C32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_01399C20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_01381F92
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 19_2_01389EB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 015B7E54 appears 95 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 015EF290 appears 105 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 013EEA12 appears 37 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 015A5130 appears 36 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 013C7E54 appears 97 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 015DEA12 appears 86 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0155B970 appears 268 times
                Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exeStatic PE information: invalid certificate
                Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exe, 00000000.00000002.1472055043.000000000B280000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs Payment -Advice-6UoSFOxOntvuu94-PDF.exe
                Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exe, 00000000.00000000.1352572977.00000000003D2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameejhQ.exe: vs Payment -Advice-6UoSFOxOntvuu94-PDF.exe
                Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exe, 00000000.00000002.1451966179.0000000000ACE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Payment -Advice-6UoSFOxOntvuu94-PDF.exe
                Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exe, 00000000.00000002.1469970667.0000000006A6E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs Payment -Advice-6UoSFOxOntvuu94-PDF.exe
                Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exe, 00000000.00000002.1469970667.0000000006A6E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShe vs Payment -Advice-6UoSFOxOntvuu94-PDF.exe
                Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exe, 00000000.00000002.1465506278.00000000040C2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs Payment -Advice-6UoSFOxOntvuu94-PDF.exe
                Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exeBinary or memory string: OriginalFilenameejhQ.exe: vs Payment -Advice-6UoSFOxOntvuu94-PDF.exe
                Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: XPNlWEtXW.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, BRyuDGfTHWFhD3boU2.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, BRyuDGfTHWFhD3boU2.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, BRyuDGfTHWFhD3boU2.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, BRyuDGfTHWFhD3boU2.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, wnbDKx1mxwAa3aKqja.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, wnbDKx1mxwAa3aKqja.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, wnbDKx1mxwAa3aKqja.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, wnbDKx1mxwAa3aKqja.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, wnbDKx1mxwAa3aKqja.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, wnbDKx1mxwAa3aKqja.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@27/16@15/10
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeFile created: C:\Users\user\AppData\Roaming\XPNlWEtXW.exeJump to behavior
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7952:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7992:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Mutant created: \Sessions\1\BaseNamedObjects\hINBZNaPbyTNwVLLZQFYwrS
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8060:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1072:120:WilError_03
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe | File created: C:\Users\user\AppData\Local\Temp\tmp48AD.tmp
                Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: MuiUnattend.exe, 00000015.00000003.1860093909.000000000092D000.00000004.00000020.00020000.00000000.sdmp, MuiUnattend.exe, 00000015.00000003.1857595131.0000000000923000.00000004.00000020.00020000.00000000.sdmp, MuiUnattend.exe, 00000015.00000002.3830512834.0000000000950000.00000004.00000020.00020000.00000000.sdmp, MuiUnattend.exe, 00000015.00000002.3830512834.0000000000923000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exe | Virustotal: Detection: 39%
                Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exe | ReversingLabs: Detection: 67%
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe | File read: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe
                Source: unknown | Process created: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe "C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe"
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XPNlWEtXW.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPNlWEtXW" /XML "C:\Users\user\AppData\Local\Temp\tmp48AD.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe C:\Users\user\AppData\Roaming\XPNlWEtXW.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPNlWEtXW" /XML "C:\Users\user\AppData\Local\Temp\tmp7D1B.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | Process created: C:\Windows\SysWOW64\MuiUnattend.exe "C:\Windows\SysWOW64\MuiUnattend.exe"
                Source: C:\Windows\SysWOW64\MuiUnattend.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
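                The process-creation rows above are the part of this report a detection engineer turns into rules: the sample adds Windows Defender exclusions for itself and for its dropped copy through PowerShell, registers a scheduled task from an XML file written to %TEMP%, starts an argument-less RegSvcs.exe from a user-land binary (the classic target for the PE injection flagged in the signature list), and the copy under Program Files (x86) starts MuiUnattend.exe, a setup-time binary that should never have such a parent. The following Python is an added example, not part of the Joe Sandbox report: it replays those rows as constructed Sysmon-style process-creation records and runs four detections over them. The record shape, the rule names, the list of .NET utility hosts and the "under C:\Users means user-controlled" heuristic are this example's own assumptions; the paths and command lines are the ones the report shows.

```python
"""
Added example (not part of the Joe Sandbox report): replay the "Process created"
rows of the report as Sysmon-style records and flag the steps worth alerting on.
Records, rule names and heuristics are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcessCreate:
    """Minimal Sysmon Event ID 1 shape: parent image, new image, command line."""
    parent_image: Optional[str]
    image: str
    command_line: str


# Paths taken from the report; the records below are constructed sample input.
SAMPLE = r"C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\XPNlWEtXW.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
MUI = r"C:\Windows\SysWOW64\MuiUnattend.exe"
PF_COPY = (r"C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO"
           r"\pxnPNuGwnboybvBniSgRpp.exe")

EVENTS: List[ProcessCreate] = [
    ProcessCreate(None, SAMPLE, rf'"{SAMPLE}"'),
    ProcessCreate(SAMPLE, PS, rf'"{PS}" Add-MpPreference -ExclusionPath "{SAMPLE}"'),
    ProcessCreate(SAMPLE, PS, rf'"{PS}" Add-MpPreference -ExclusionPath "{DROPPED}"'),
    ProcessCreate(SAMPLE, SCHTASKS,
                  rf'"{SCHTASKS}" /Create /TN "Updates\XPNlWEtXW" /XML "C:\Users\user\AppData\Local\Temp\tmp48AD.tmp"'),
    ProcessCreate(SAMPLE, REGSVCS, rf'"{REGSVCS}"'),
    ProcessCreate(DROPPED, SCHTASKS,
                  rf'"{SCHTASKS}" /Create /TN "Updates\XPNlWEtXW" /XML "C:\Users\user\AppData\Local\Temp\tmp7D1B.tmp"'),
    ProcessCreate(DROPPED, REGSVCS, rf'"{REGSVCS}"'),
    ProcessCreate(PF_COPY, MUI, rf'"{MUI}"'),
    ProcessCreate(MUI, r"C:\Program Files\Mozilla Firefox\firefox.exe",
                  r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
    # Benign control (constructed): an admin reading, not changing, Defender preferences.
    ProcessCreate(r"C:\Windows\System32\cmd.exe", PS, rf'"{PS}" Get-MpPreference'),
]

# .NET utility hosts that are commonly started with no arguments purely to be hollowed (assumed list).
CLR_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
EXCLUSION_ARG = re.compile(r'-Exclusion\w+\s+"?([^"]+)"?', re.IGNORECASE)
TASK_NAME = re.compile(r'/TN\s+"?([^"]+)"?', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def user_writable(path: str) -> bool:
    """Heuristic (assumption): anything under the profile tree is user-controlled."""
    return path.lower().startswith("c:\\users\\")


def detect(events: List[ProcessCreate]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs in event order; one event may trigger several rules."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        img = basename(ev.image)
        parent = basename(ev.parent_image) if ev.parent_image else "<unknown>"
        cl = ev.command_line.lower()
        # Rule 1: Defender exclusion added from the command line (what the Sigma hit in the header covers).
        if img == "powershell.exe" and "add-mppreference" in cl and "-exclusion" in cl:
            m = EXCLUSION_ARG.search(ev.command_line)
            findings.append(("defender_exclusion_added", m.group(1) if m else ev.command_line))
        # Rule 2: task registered from an XML definition that lives in %TEMP%.
        if img == "schtasks.exe" and "/create" in cl and TEMP_DIR.search(ev.command_line):
            m = TASK_NAME.search(ev.command_line)
            findings.append(("schtask_from_temp_xml", m.group(1) if m else ev.command_line))
        # Rule 3: a .NET utility host spawned by a binary in user-writable space.
        if img in CLR_HOSTS and ev.parent_image and user_writable(ev.parent_image):
            findings.append(("clr_host_from_user_binary", f"{parent} -> {img}"))
        # Rule 4: MuiUnattend.exe started by anything outside C:\Windows.
        if img == "muiunattend.exe" and ev.parent_image and not ev.parent_image.lower().startswith("c:\\windows\\"):
            findings.append(("setup_binary_unexpected_parent", f"{parent} -> {img}"))
    return findings


def rule_counts(findings: List[Tuple[str, str]]) -> dict:
    counts: dict = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule:32} {detail}")
```

                Run against the constructed records the detector reports seven findings (two exclusions, two temp-XML tasks, two RegSvcs.exe launches from user-land parents, one MuiUnattend.exe with a Program Files parent) and stays silent on the benign Get-MpPreference control. On a live host the two persistence changes are confirmed with Get-MpPreference (the ExclusionPath property) and by querying the scheduled task named Updates\XPNlWEtXW.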
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe | Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, textshaping.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, iconcodecservice.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, textshaping.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, iconcodecservice.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll, ncobjapi.dll, wbemcomn.dll, wbemcomn.dll, kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll, miutils.dll, gpapi.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll
                Source: C:\Windows\SysWOW64\MuiUnattend.exe | Section loaded: sspicli.dll, wininet.dll, kernel.appcore.dll, uxtheme.dll, ieframe.dll, iertutil.dll, netapi32.dll, version.dll, userenv.dll, winhttp.dll, wkscli.dll, netutils.dll, windows.storage.dll, wldp.dll, profapi.dll, secur32.dll, mlang.dll, propsys.dll, winsqlite3.dll, vaultcli.dll, wintypes.dll, dpapi.dll, cryptbase.dll
                Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | Section loaded: wininet.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, fwpuclnt.dll, rasadhlp.dll
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\MuiUnattend.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: RegSvcs.pdb, source: MuiUnattend.exe, 00000015.00000002.3835391558.000000000340C000.00000004.10000000.00040000.00000000.sdmp, MuiUnattend.exe, 00000015.00000002.3830512834.000000000089E000.00000004.00000020.00020000.00000000.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000016.00000000.1742620052.0000000002B4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.1967652972.0000000028F0C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000A.00000002.1677080018.0000000001530000.00000040.00001000.00020000.00000000.sdmp, MuiUnattend.exe, 00000015.00000002.3833803663.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp, MuiUnattend.exe, 00000015.00000002.3833803663.0000000002F7E000.00000040.00001000.00020000.00000000.sdmp, MuiUnattend.exe, 00000015.00000003.1677763924.0000000002C33000.00000004.00000020.00020000.00000000.sdmp, MuiUnattend.exe, 00000015.00000003.1675663097.0000000000A58000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000A.00000002.1677080018.0000000001530000.00000040.00001000.00020000.00000000.sdmp, MuiUnattend.exe, 00000015.00000002.3833803663.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp, MuiUnattend.exe, 00000015.00000002.3833803663.0000000002F7E000.00000040.00001000.00020000.00000000.sdmp, MuiUnattend.exe, 00000015.00000003.1677763924.0000000002C33000.00000004.00000020.00020000.00000000.sdmp, MuiUnattend.exe, 00000015.00000003.1675663097.0000000000A58000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: MUIUnattend.pdbGCTL source: RegSvcs.exe, 0000000A.00000002.1676140408.00000000010D8000.00000004.00000020.00020000.00000000.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000014.00000003.1613850299.0000000001365000.00000004.00000020.00020000.00000000.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000014.00000002.3831941678.0000000001378000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: MUIUnattend.pdb source: RegSvcs.exe, 0000000A.00000002.1676140408.00000000010D8000.00000004.00000020.00020000.00000000.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000014.00000003.1613850299.0000000001365000.00000004.00000020.00020000.00000000.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000014.00000002.3831941678.0000000001378000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: RegSvcs.pdb source: MuiUnattend.exe, 00000015.00000002.3835391558.000000000340C000.00000004.10000000.00040000.00000000.sdmp, MuiUnattend.exe, 00000015.00000002.3830512834.000000000089E000.00000004.00000020.00020000.00000000.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000016.00000000.1742620052.0000000002B4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.1967652972.0000000028F0C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: pxnPNuGwnboybvBniSgRpp.exe, 00000014.00000000.1597869467.000000000013F000.00000002.00000001.01000000.0000000D.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000016.00000000.1741837561.000000000013F000.00000002.00000001.01000000.0000000D.sdmp

                Data Obfuscation

                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.38aa528.0.raw.unpack, MainForm.cs .Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, wnbDKx1mxwAa3aKqja.cs .Net Code: wOrePVW5Vi System.Reflection.Assembly.Load(byte[])
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, wnbDKx1mxwAa3aKqja.cs .Net Code: wOrePVW5Vi System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe Code function: 0_2_06C5BA10 push cs; ret 0_2_06C5BA11
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe Code function: 0_2_06EB26E4 push es; iretd 0_2_06EB26EC
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe Code function: 0_2_06EB262D push es; ret 0_2_06EB2634
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe Code function: 0_2_06EB4710 push eax; ret 0_2_06EB4711
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe Code function: 0_2_06EB24E8 push es; ret 0_2_06EB24EC
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe Code function: 0_2_06EB24F8 push es; retf 0_2_06EB2510
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe Code function: 0_2_06EB3BA0 push es; ret 0_2_06EB3BA8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00418860 push ss; iretd 10_2_0041885F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0040D8BC push ebx; ret 10_2_0040D8BD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00418265 pushad ; retf 10_2_0041826B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00403470 push eax; ret 10_2_00403472
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0040CCC7 push es; iretd 10_2_0040CCC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0040D496 push ecx; ret 10_2_0040D4A1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0041F503 push ds; retf 10_2_0041F518
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00411E5B push esi; retf 10_2_00411E6E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00411E63 push esi; retf 10_2_00411E6E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00401E68 push ebx; ret 10_2_00401E73
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00401E34 push ebx; ret 10_2_00401E73
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_015609AD push ecx; mov dword ptr [esp], ecx 10_2_015609B6
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe Code function: 11_2_00E7E958 pushfd ; retf 11_2_00E7E959
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe Code function: 11_2_00E7F042 pushad ; iretd 11_2_00E7F049
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe Code function: 11_2_06D0EC92 push edx; iretd 11_2_06D0EC93
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe Code function: 11_2_06D0BA10 push cs; ret 11_2_06D0BA11
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe Code function: 11_2_0706270D push FFFFFF8Bh; iretd 11_2_0706270F
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe Code function: 11_2_070745E0 push eax; ret 11_2_070745E1
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe Code function: 11_2_0707001E push ss; ret 11_2_07070026
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 19_2_013BC54F push 8B013467h; ret 19_2_013BC554
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 19_2_013BC54D pushfd ; ret 19_2_013BC54E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 19_2_013709AD push ecx; mov dword ptr [esp], ecx 19_2_013709B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 19_2_013BC9D7 push edi; ret 19_2_013BC9D9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 19_2_01341FEC push eax; iretd 19_2_01341FED
                Source: Payment -Advice-6UoSFOxOntvuu94-PDF.exe Static PE information: section name: .text entropy: 7.7715142173455884
                Source: XPNlWEtXW.exe.0.dr Static PE information: section name: .text entropy: 7.7715142173455884
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, fafp1Ppef001VGPnoER.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nPuH8M2tDg', 'iWwH0DffUi', 'Sj0H3DP5n6', 'SKGHHHDBPY', 'oC0HSAAssJ', 'oD2H7GapvK', 'GqNHOw3M4t'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, QYYwW9vmUxD7cVbrVa.cs High entropy of concatenated method names: 'fyY8h1jsfb', 'Ni98F0dapc', 'pgg8ikiPbs', 'QrC8B5OpTU', 'EJ48909YNY', 'wWm8kVMJon', 'ys58A2fvyR', 'IBP82jAD32', 'QhG8gyt2cp', 'lm58j4B6KD'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, U8SSXappyvocakDnXof.cs High entropy of concatenated method names: 'UVR06sOPcv', 'hUE0ztrKwe', 'l6f3mCIktp', 'CyI3pscjOn', 'roS34lLZ2L', 'N4Y3DEoaSB', 'PYK3em0b98', 'o6I3Y8aiYp', 'rU83I9TxgV', 'nkk3nHf6Zx'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, I0U4kyUZ3ef82K7S2R.cs High entropy of concatenated method names: 'aSXTfCgCoT', 'dwaTwHARFf', 'iryThq17A0', 'TydTFVGaBU', 'QUMTBgjaeo', 'ukET9VDXQO', 'ig0TA5OkJN', 'mTwT2t3bRB', 'FTuTj2kTTX', 'GxCTqDvURO'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, WI3I47un1tb4EwJn63.cs High entropy of concatenated method names: 'POeCaBgCVB', 'MeZC65ENqg', 'HM5LmygGd8', 'opWLpy4Ep6', 'ipiCql92Sl', 'j6ICt9YQHe', 'vHhCUsMKwh', 'FvjCQS73rJ', 'DeHCWZ5HO2', 'PBhCoib1vS'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, i8dZx6Jpc8axwGkI2g.cs High entropy of concatenated method names: 'kRZcbKfiOs', 'CiJcGfbVil', 'Qg5KidjaSO', 'PDQKBof7kN', 'IePK9atqBR', 'fKlKkwMEPi', 'khcKAWbl26', 'NCiK2d0Fpj', 'NNLKgCSp4o', 'GxgKjOYePv'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, qrYykn6jwiIjUdEC5O.cs High entropy of concatenated method names: 'Ipp0KQx3AC', 'EXf0chEpvb', 'ruf0NhQ9jo', 't3D0MXUYCr', 'ty008ONka5', 'O6L01O2c95', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, v030ZJdd8Q2BTu1OIS.cs High entropy of concatenated method names: 'GOF8lZ71A7', 'Ghi8CXEQhS', 'VZS88c86uV', 'cBA83VOlPY', 'Ipn8StTwtW', 'hkE8O4yQdP', 'Dispose', 'e5jLIukVJA', 'VkCLnhZQl9', 'AbqLKhBT44'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, Q6MD3sARYCxQ9BtxID.cs High entropy of concatenated method names: 'wheMIgQZLu', 'AysMKSp8gy', 'Vy1MNsVpFH', 'U6nN61aGhq', 'YlNNzWfvoS', 'BnIMmjIKDM', 't34MpAEA7K', 'mq3M4bNuff', 'uaMMDZVcKB', 'VNEMevi2i8'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, Y6JZOA4QwOFMEoehR2.cs High entropy of concatenated method names: 'XJ9PiTW0G', 'mCAEPfP9J', 'VCtrstFK0', 'mtpG2c5gF', 'XNBw93d4v', 'wdIJbyOOZ', 'pWf3nhqlGTE1tSsa7T', 'lyaMfPEM4lyIjBwtHV', 'vj6L9IdCd', 'vF109NPxW'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, hquahZzqHXgDJQGLpd.cs High entropy of concatenated method names: 'mrx0rR0w90', 'DZT0fZUN9n', 'hLA0wkBbcB', 'rbR0hyfnpL', 'n610FLPIow', 'Bab0BDVssh', 'UGi09wx773', 'GTL0OeQIGb', 'QIP0Xu6NEX', 'mfQ0sVO8k6'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, DumgAWg5RBnEDZ18CW.cs High entropy of concatenated method names: 'l1ZMXEtc1v', 'NoKMsefvJi', 'GP9MPaVJrt', 'yxeMELp42L', 'sbLMbnVM3Y', 'PEXMrLjbl1', 'aySMG9yuR0', 'CCTMf7Y2U1', 'YVxMwJPklq', 'tNjMJPLEJ3'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, Q7QciDxSmQv99W8uIR.cs High entropy of concatenated method names: 'H1DCZIKlQx', 'eEyC5qZcKt', 'ToString', 'JgTCIqVFA8', 'KnoCnGsB7e', 'OhqCK324pq', 'dj4Cc1ldAX', 'YhPCNppEBb', 'H1CCMdZvAK', 'NrOC1FQadV'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, NEd624wS07G1XHk516.cs High entropy of concatenated method names: 'tTdKEUwbra', 'D2TKr3JVWB', 'LGgKfWaIts', 'sLMKwKS7fG', 'MvQKl0ZBwe', 'vy8KVHGlNB', 'DBmKC2TBKq', 'mtGKLw41RZ', 'pVuK8EcXC1', 'QWwK0Lu34n'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, jVMuunhdBoy1RMKTek.cs High entropy of concatenated method names: 'pFeNYpcBO4', 'cEqNnk4G15', 'pigNcLskkU', 'Sl7NMCZ29o', 'Py5N167tJ1', 'w2dcyGuMex', 'HwRcubOTsO', 'FbGcdLJmem', 'YV0ca4tApr', 'QQecvKoZoR'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, BRyuDGfTHWFhD3boU2.cs High entropy of concatenated method names: 'svZnQsDpQK', 'qQZnWuFQsr', 'wYRnoPeB7D', 'OSqnxaabv1', 'BJfnyeKdvH', 'RucnukvuoA', 'PvSndkPoxV', 'gTMnaaSjlA', 'eAFnvRQFnU', 'nTon6UaVcH'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, UMuLrho0jTYw8UkmBP.cs High entropy of concatenated method names: 'ToString', 'LrkVqMpkk3', 'yQMVFVykkB', 'UUKViCH4wT', 'NWaVBsnyOX', 'RneV9aYY7u', 'QWFVkAxjcq', 'oLiVA68bT3', 'xBbV2TRZgm', 'QD5VgtORAc'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, ETEEELe4LjIm8wvFuH.cs High entropy of concatenated method names: 'HmbpMRyuDG', 'nHWp1FhD3b', 'cS0pZ7G1XH', 'K51p56N8dZ', 'CkIpl2gMVM', 'VunpVdBoy1', 'fAq94xS5LMWEYaFxcP', 'knmXtyZgYGGFublk29', 'PtSppwv4aG', 'hdKpDou0TD'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, S8Sdj9n3mgUorRpThB.cs High entropy of concatenated method names: 'Dispose', 'R2BpvTu1OI', 'A3t4FrrwAs', 'pc4iYCyQs2', 'vDLp67mTgo', 'XLopz63a7h', 'ProcessDialogKey', 'GFU4mYYwW9', 'aUx4pD7cVb', 'BVa44CrYyk'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.4301958.3.raw.unpack, wnbDKx1mxwAa3aKqja.cs High entropy of concatenated method names: 'PEbDY6Rem0', 'IYODIWwvaL', 'n3fDneYEOo', 'osoDKaw5kE', 'OVtDcD9t5a', 'endDNTohOt', 'dIlDMhyNWx', 'HNcD1SUuDX', 'XUHDRQnc0f', 'zKtDZoMiEM'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, fafp1Ppef001VGPnoER.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nPuH8M2tDg', 'iWwH0DffUi', 'Sj0H3DP5n6', 'SKGHHHDBPY', 'oC0HSAAssJ', 'oD2H7GapvK', 'GqNHOw3M4t'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, QYYwW9vmUxD7cVbrVa.cs High entropy of concatenated method names: 'fyY8h1jsfb', 'Ni98F0dapc', 'pgg8ikiPbs', 'QrC8B5OpTU', 'EJ48909YNY', 'wWm8kVMJon', 'ys58A2fvyR', 'IBP82jAD32', 'QhG8gyt2cp', 'lm58j4B6KD'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, U8SSXappyvocakDnXof.cs High entropy of concatenated method names: 'UVR06sOPcv', 'hUE0ztrKwe', 'l6f3mCIktp', 'CyI3pscjOn', 'roS34lLZ2L', 'N4Y3DEoaSB', 'PYK3em0b98', 'o6I3Y8aiYp', 'rU83I9TxgV', 'nkk3nHf6Zx'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, I0U4kyUZ3ef82K7S2R.cs High entropy of concatenated method names: 'aSXTfCgCoT', 'dwaTwHARFf', 'iryThq17A0', 'TydTFVGaBU', 'QUMTBgjaeo', 'ukET9VDXQO', 'ig0TA5OkJN', 'mTwT2t3bRB', 'FTuTj2kTTX', 'GxCTqDvURO'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, WI3I47un1tb4EwJn63.cs High entropy of concatenated method names: 'POeCaBgCVB', 'MeZC65ENqg', 'HM5LmygGd8', 'opWLpy4Ep6', 'ipiCql92Sl', 'j6ICt9YQHe', 'vHhCUsMKwh', 'FvjCQS73rJ', 'DeHCWZ5HO2', 'PBhCoib1vS'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, i8dZx6Jpc8axwGkI2g.cs High entropy of concatenated method names: 'kRZcbKfiOs', 'CiJcGfbVil', 'Qg5KidjaSO', 'PDQKBof7kN', 'IePK9atqBR', 'fKlKkwMEPi', 'khcKAWbl26', 'NCiK2d0Fpj', 'NNLKgCSp4o', 'GxgKjOYePv'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, qrYykn6jwiIjUdEC5O.cs High entropy of concatenated method names: 'Ipp0KQx3AC', 'EXf0chEpvb', 'ruf0NhQ9jo', 't3D0MXUYCr', 'ty008ONka5', 'O6L01O2c95', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, v030ZJdd8Q2BTu1OIS.cs High entropy of concatenated method names: 'GOF8lZ71A7', 'Ghi8CXEQhS', 'VZS88c86uV', 'cBA83VOlPY', 'Ipn8StTwtW', 'hkE8O4yQdP', 'Dispose', 'e5jLIukVJA', 'VkCLnhZQl9', 'AbqLKhBT44'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, Q6MD3sARYCxQ9BtxID.cs High entropy of concatenated method names: 'wheMIgQZLu', 'AysMKSp8gy', 'Vy1MNsVpFH', 'U6nN61aGhq', 'YlNNzWfvoS', 'BnIMmjIKDM', 't34MpAEA7K', 'mq3M4bNuff', 'uaMMDZVcKB', 'VNEMevi2i8'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, Y6JZOA4QwOFMEoehR2.cs High entropy of concatenated method names: 'XJ9PiTW0G', 'mCAEPfP9J', 'VCtrstFK0', 'mtpG2c5gF', 'XNBw93d4v', 'wdIJbyOOZ', 'pWf3nhqlGTE1tSsa7T', 'lyaMfPEM4lyIjBwtHV', 'vj6L9IdCd', 'vF109NPxW'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, hquahZzqHXgDJQGLpd.cs High entropy of concatenated method names: 'mrx0rR0w90', 'DZT0fZUN9n', 'hLA0wkBbcB', 'rbR0hyfnpL', 'n610FLPIow', 'Bab0BDVssh', 'UGi09wx773', 'GTL0OeQIGb', 'QIP0Xu6NEX', 'mfQ0sVO8k6'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, DumgAWg5RBnEDZ18CW.cs High entropy of concatenated method names: 'l1ZMXEtc1v', 'NoKMsefvJi', 'GP9MPaVJrt', 'yxeMELp42L', 'sbLMbnVM3Y', 'PEXMrLjbl1', 'aySMG9yuR0', 'CCTMf7Y2U1', 'YVxMwJPklq', 'tNjMJPLEJ3'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, Q7QciDxSmQv99W8uIR.cs High entropy of concatenated method names: 'H1DCZIKlQx', 'eEyC5qZcKt', 'ToString', 'JgTCIqVFA8', 'KnoCnGsB7e', 'OhqCK324pq', 'dj4Cc1ldAX', 'YhPCNppEBb', 'H1CCMdZvAK', 'NrOC1FQadV'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, NEd624wS07G1XHk516.cs High entropy of concatenated method names: 'tTdKEUwbra', 'D2TKr3JVWB', 'LGgKfWaIts', 'sLMKwKS7fG', 'MvQKl0ZBwe', 'vy8KVHGlNB', 'DBmKC2TBKq', 'mtGKLw41RZ', 'pVuK8EcXC1', 'QWwK0Lu34n'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, jVMuunhdBoy1RMKTek.cs High entropy of concatenated method names: 'pFeNYpcBO4', 'cEqNnk4G15', 'pigNcLskkU', 'Sl7NMCZ29o', 'Py5N167tJ1', 'w2dcyGuMex', 'HwRcubOTsO', 'FbGcdLJmem', 'YV0ca4tApr', 'QQecvKoZoR'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, BRyuDGfTHWFhD3boU2.cs High entropy of concatenated method names: 'svZnQsDpQK', 'qQZnWuFQsr', 'wYRnoPeB7D', 'OSqnxaabv1', 'BJfnyeKdvH', 'RucnukvuoA', 'PvSndkPoxV', 'gTMnaaSjlA', 'eAFnvRQFnU', 'nTon6UaVcH'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, UMuLrho0jTYw8UkmBP.cs High entropy of concatenated method names: 'ToString', 'LrkVqMpkk3', 'yQMVFVykkB', 'UUKViCH4wT', 'NWaVBsnyOX', 'RneV9aYY7u', 'QWFVkAxjcq', 'oLiVA68bT3', 'xBbV2TRZgm', 'QD5VgtORAc'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, ETEEELe4LjIm8wvFuH.cs High entropy of concatenated method names: 'HmbpMRyuDG', 'nHWp1FhD3b', 'cS0pZ7G1XH', 'K51p56N8dZ', 'CkIpl2gMVM', 'VunpVdBoy1', 'fAq94xS5LMWEYaFxcP', 'knmXtyZgYGGFublk29', 'PtSppwv4aG', 'hdKpDou0TD'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, S8Sdj9n3mgUorRpThB.cs High entropy of concatenated method names: 'Dispose', 'R2BpvTu1OI', 'A3t4FrrwAs', 'pc4iYCyQs2', 'vDLp67mTgo', 'XLopz63a7h', 'ProcessDialogKey', 'GFU4mYYwW9', 'aUx4pD7cVb', 'BVa44CrYyk'
                Source: 0.2.Payment -Advice-6UoSFOxOntvuu94-PDF.exe.b280000.5.raw.unpack, wnbDKx1mxwAa3aKqja.cs High entropy of concatenated method names: 'PEbDY6Rem0', 'IYODIWwvaL', 'n3fDneYEOo', 'osoDKaw5kE', 'OVtDcD9t5a', 'endDNTohOt', 'dIlDMhyNWx', 'HNcD1SUuDX', 'XUHDRQnc0f', 'zKtDZoMiEM'
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe File created: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe

                Boot Survival

                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPNlWEtXW" /XML "C:\Users\user\AppData\Local\Temp\tmp48AD.tmp"

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe Process information set: NOOPENFILEERRORBOX (44 occurrences)
                Source: C:\Windows\SysWOW64\MuiUnattend.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 occurrences)

                Malware Analysis System Evasion

                Source: Yara match File source: Process Memory Space: XPNlWEtXW.exe PID: 2420, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\MuiUnattend.exe API/Special instruction interceptor: Address: 7FF90818D324
                Source: C:\Windows\SysWOW64\MuiUnattend.exe API/Special instruction interceptor: Address: 7FF90818D7E4
                Source: C:\Windows\SysWOW64\MuiUnattend.exe API/Special instruction interceptor: Address: 7FF90818D944
                Source: C:\Windows\SysWOW64\MuiUnattend.exe API/Special instruction interceptor: Address: 7FF90818D504
                Source: C:\Windows\SysWOW64\MuiUnattend.exe API/Special instruction interceptor: Address: 7FF90818D544
                Source: C:\Windows\SysWOW64\MuiUnattend.exe API/Special instruction interceptor: Address: 7FF90818D1E4
                Source: C:\Windows\SysWOW64\MuiUnattend.exe API/Special instruction interceptor: Address: 7FF908190154
                Source: C:\Windows\SysWOW64\MuiUnattend.exe API/Special instruction interceptor: Address: 7FF90818DA44
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe Memory allocated: AA0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe Memory allocated: 2860000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe Memory allocated: 2760000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe Memory allocated: 8620000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe Memory allocated: 9620000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe Memory allocated: 9810000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe Memory allocated: A810000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe Memory allocated: B310000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe Memory allocated: C310000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe Memory allocated: D310000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe Memory allocated: E70000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe Memory allocated: 2950000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe Memory allocated: 4950000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe Memory allocated: 8320000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe Memory allocated: 9320000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe Memory allocated: 9500000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe Memory allocated: A500000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe Memory allocated: AFD0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe Memory allocated: BFD0000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_015DD1C0 rdtsc 10_2_015DD1C0
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (4 occurrences)
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1869
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3224
                Source: C:\Windows\SysWOW64\MuiUnattend.exe Window / User API: threadDelayed 2389
                Source: C:\Windows\SysWOW64\MuiUnattend.exe Window / User API: threadDelayed 7584
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 0.8 %
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 0.3 %
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe TID: 7672 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8076 Thread sleep count: 1869 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7304 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8180 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7376 Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7212 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe TID: 6104 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\MuiUnattend.exe TID: 2552 Thread sleep count: 2389 > 30
                Source: C:\Windows\SysWOW64\MuiUnattend.exe TID: 2552 Thread sleep time: -4778000s >= -30000s
                Source: C:\Windows\SysWOW64\MuiUnattend.exe TID: 2552 Thread sleep count: 7584 > 30
                Source: C:\Windows\SysWOW64\MuiUnattend.exe TID: 2552 Thread sleep time: -15168000s >= -30000s
                Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe TID: 2016 Thread sleep time: -65000s >= -30000s
                Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe TID: 2016Thread sleep count: 38 > 30
                Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe TID: 2016Thread sleep time: -38000s >= -30000s
                Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe TID: 2016Thread sleep time: -43500s >= -30000s
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\MuiUnattend.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\MuiUnattend.exeLast function: Thread delayed
                Source: 3-1tw71.21.dr	Binary or memory string: dev.azure.comVMware20,11696497155j
                Source: 3-1tw71.21.dr	Binary or memory string: global block list test formVMware20,11696497155
                Source: 3-1tw71.21.dr	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
                Source: 3-1tw71.21.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
                Source: 3-1tw71.21.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
                Source: 3-1tw71.21.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
                Source: 3-1tw71.21.dr	Binary or memory string: tasks.office.comVMware20,11696497155o
                Source: 3-1tw71.21.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
                Source: XPNlWEtXW.exe, 0000000B.00000002.1597816469.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:c
                Source: 3-1tw71.21.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
                Source: MuiUnattend.exe, 00000015.00000002.3830512834.000000000089E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.1969115287.0000022968DAD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 3-1tw71.21.dr	Binary or memory string: bankofamerica.comVMware20,11696497155x
                Source: 3-1tw71.21.dr	Binary or memory string: ms.portal.azure.comVMware20,11696497155
                Source: 3-1tw71.21.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
                Source: 3-1tw71.21.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
                Source: 3-1tw71.21.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
                Source: 3-1tw71.21.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
                Source: 3-1tw71.21.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
                Source: 3-1tw71.21.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
                Source: 3-1tw71.21.dr	Binary or memory string: interactivebrokers.comVMware20,11696497155
                Source: 3-1tw71.21.dr	Binary or memory string: AMC password management pageVMware20,11696497155
                Source: pxnPNuGwnboybvBniSgRpp.exe, 00000016.00000002.3832085549.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
                Source: 3-1tw71.21.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
                Source: 3-1tw71.21.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
                Source: 3-1tw71.21.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
                Source: 3-1tw71.21.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
                Source: 3-1tw71.21.dr	Binary or memory string: discord.comVMware20,11696497155f
                Source: 3-1tw71.21.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
                Source: 3-1tw71.21.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
                Source: 3-1tw71.21.dr	Binary or memory string: outlook.office365.comVMware20,11696497155t
                Source: 3-1tw71.21.dr	Binary or memory string: outlook.office.comVMware20,11696497155s
                Source: 3-1tw71.21.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
                Source: 3-1tw71.21.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
                Source: 3-1tw71.21.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe	Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort
                Source: C:\Windows\SysWOW64\MuiUnattend.exe	Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00417BC3 LdrLoadDll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01566154 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01566154 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155C156 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01567152 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015F8158 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015F4144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015F4144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015F4144 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015F4144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015F4144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01559148 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01559148 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01559148 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01559148 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015F9179 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155F172 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155F172 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155F172 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155F172 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155F172 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155F172 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155F172 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155F172 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155F172 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155F172 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155F172 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155F172 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155F172 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155F172 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155F172 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155F172 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155F172 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155F172 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155F172 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155F172 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155F172 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01635152 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155B136 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155B136 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155B136 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155B136 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01561131 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01561131 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01620115 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0160A118 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0160A118 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0160A118 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0160A118 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01590124 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016361E5 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0159D1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0159D1D0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015DE1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015DE1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015DE1D0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015DE1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015DE1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016071F9 mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016261C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016261C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015901F8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016351CB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015851EF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015851EF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015851EF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015851EF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015851EF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015851EF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015851EF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015851EF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015851EF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015851EF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015851EF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015851EF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015851EF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015651ED mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015E019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015E019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015E019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015E019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155A197 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155A197 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155A197 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016111A4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016111A4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016111A4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016111A4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015B7190 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015A0185 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0157B1B0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0161C188 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0161C188 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01635060 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01562050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0158B052 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015E6050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01571070 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01571070 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01571070 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01571070 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01571070 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01571070 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01571070 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01571070 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01571070 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01571070 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01571070 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01571070 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01571070 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0158C073 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015DD070 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015E106E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0160705E mov ebx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0160705E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0157E016 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0157E016 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0157E016 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0157E016 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0162903E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0162903E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0162903E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0162903E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015E4000 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155A020 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155C020 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015E20DE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015890DB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015770C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015770C0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015770C0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015770C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015770C0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015770C0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015770C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015770C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015770C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015770C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015770C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015770C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015770C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015770C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015770C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015770C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015770C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015770C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015DD0C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015DD0C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155C0F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015A20F0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155A0E3 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016350D9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015850E4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015850E4 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015E60E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_015680E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01565096 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0159909C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0158D090 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0158D090 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0155D08D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_016260B8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016260B8 mov ecx, dword ptr fs:[00000030h]10_2_016260B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0156208A mov eax, dword ptr fs:[00000030h]10_2_0156208A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015ED080 mov eax, dword ptr fs:[00000030h]10_2_015ED080
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015ED080 mov eax, dword ptr fs:[00000030h]10_2_015ED080
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015F80A8 mov eax, dword ptr fs:[00000030h]10_2_015F80A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E035C mov eax, dword ptr fs:[00000030h]10_2_015E035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E035C mov eax, dword ptr fs:[00000030h]10_2_015E035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E035C mov eax, dword ptr fs:[00000030h]10_2_015E035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E035C mov ecx, dword ptr fs:[00000030h]10_2_015E035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E035C mov eax, dword ptr fs:[00000030h]10_2_015E035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E035C mov eax, dword ptr fs:[00000030h]10_2_015E035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01559353 mov eax, dword ptr fs:[00000030h]10_2_01559353
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01559353 mov eax, dword ptr fs:[00000030h]10_2_01559353
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0161F367 mov eax, dword ptr fs:[00000030h]10_2_0161F367
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E2349 mov eax, dword ptr fs:[00000030h]10_2_015E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E2349 mov eax, dword ptr fs:[00000030h]10_2_015E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E2349 mov eax, dword ptr fs:[00000030h]10_2_015E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E2349 mov eax, dword ptr fs:[00000030h]10_2_015E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E2349 mov eax, dword ptr fs:[00000030h]10_2_015E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E2349 mov eax, dword ptr fs:[00000030h]10_2_015E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E2349 mov eax, dword ptr fs:[00000030h]10_2_015E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E2349 mov eax, dword ptr fs:[00000030h]10_2_015E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E2349 mov eax, dword ptr fs:[00000030h]10_2_015E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E2349 mov eax, dword ptr fs:[00000030h]10_2_015E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E2349 mov eax, dword ptr fs:[00000030h]10_2_015E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E2349 mov eax, dword ptr fs:[00000030h]10_2_015E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E2349 mov eax, dword ptr fs:[00000030h]10_2_015E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E2349 mov eax, dword ptr fs:[00000030h]10_2_015E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E2349 mov eax, dword ptr fs:[00000030h]10_2_015E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0155D34C mov eax, dword ptr fs:[00000030h]10_2_0155D34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0155D34C mov eax, dword ptr fs:[00000030h]10_2_0155D34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0160437C mov eax, dword ptr fs:[00000030h]10_2_0160437C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01635341 mov eax, dword ptr fs:[00000030h]10_2_01635341
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01567370 mov eax, dword ptr fs:[00000030h]10_2_01567370
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01567370 mov eax, dword ptr fs:[00000030h]10_2_01567370
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01567370 mov eax, dword ptr fs:[00000030h]10_2_01567370
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0162A352 mov eax, dword ptr fs:[00000030h]10_2_0162A352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0155C310 mov ecx, dword ptr fs:[00000030h]10_2_0155C310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01580310 mov ecx, dword ptr fs:[00000030h]10_2_01580310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0162132D mov eax, dword ptr fs:[00000030h]10_2_0162132D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0162132D mov eax, dword ptr fs:[00000030h]10_2_0162132D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0159A30B mov eax, dword ptr fs:[00000030h]10_2_0159A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0159A30B mov eax, dword ptr fs:[00000030h]10_2_0159A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0159A30B mov eax, dword ptr fs:[00000030h]10_2_0159A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E930B mov eax, dword ptr fs:[00000030h]10_2_015E930B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E930B mov eax, dword ptr fs:[00000030h]10_2_015E930B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E930B mov eax, dword ptr fs:[00000030h]10_2_015E930B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01557330 mov eax, dword ptr fs:[00000030h]10_2_01557330
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0158F32A mov eax, dword ptr fs:[00000030h]10_2_0158F32A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0161F3E6 mov eax, dword ptr fs:[00000030h]10_2_0161F3E6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0156A3C0 mov eax, dword ptr fs:[00000030h]10_2_0156A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0156A3C0 mov eax, dword ptr fs:[00000030h]10_2_0156A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0156A3C0 mov eax, dword ptr fs:[00000030h]10_2_0156A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0156A3C0 mov eax, dword ptr fs:[00000030h]10_2_0156A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0156A3C0 mov eax, dword ptr fs:[00000030h]10_2_0156A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0156A3C0 mov eax, dword ptr fs:[00000030h]10_2_0156A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015683C0 mov eax, dword ptr fs:[00000030h]10_2_015683C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015683C0 mov eax, dword ptr fs:[00000030h]10_2_015683C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015683C0 mov eax, dword ptr fs:[00000030h]10_2_015683C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015683C0 mov eax, dword ptr fs:[00000030h]10_2_015683C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E63C0 mov eax, dword ptr fs:[00000030h]10_2_015E63C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016353FC mov eax, dword ptr fs:[00000030h]10_2_016353FC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015963FF mov eax, dword ptr fs:[00000030h]10_2_015963FF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0157E3F0 mov eax, dword ptr fs:[00000030h]10_2_0157E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0157E3F0 mov eax, dword ptr fs:[00000030h]10_2_0157E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0157E3F0 mov eax, dword ptr fs:[00000030h]10_2_0157E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0161C3CD mov eax, dword ptr fs:[00000030h]10_2_0161C3CD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0161B3D0 mov ecx, dword ptr fs:[00000030h]10_2_0161B3D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015703E9 mov eax, dword ptr fs:[00000030h]10_2_015703E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015703E9 mov eax, dword ptr fs:[00000030h]10_2_015703E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015703E9 mov eax, dword ptr fs:[00000030h]10_2_015703E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015703E9 mov eax, dword ptr fs:[00000030h]10_2_015703E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015703E9 mov eax, dword ptr fs:[00000030h]10_2_015703E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015703E9 mov eax, dword ptr fs:[00000030h]10_2_015703E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015703E9 mov eax, dword ptr fs:[00000030h]10_2_015703E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015703E9 mov eax, dword ptr fs:[00000030h]10_2_015703E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015B739A mov eax, dword ptr fs:[00000030h]10_2_015B739A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015B739A mov eax, dword ptr fs:[00000030h]10_2_015B739A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01558397 mov eax, dword ptr fs:[00000030h]10_2_01558397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01558397 mov eax, dword ptr fs:[00000030h]10_2_01558397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01558397 mov eax, dword ptr fs:[00000030h]10_2_01558397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0158438F mov eax, dword ptr fs:[00000030h]10_2_0158438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0158438F mov eax, dword ptr fs:[00000030h]10_2_0158438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0155E388 mov eax, dword ptr fs:[00000030h]10_2_0155E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0155E388 mov eax, dword ptr fs:[00000030h]10_2_0155E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0155E388 mov eax, dword ptr fs:[00000030h]10_2_0155E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015933A0 mov eax, dword ptr fs:[00000030h]10_2_015933A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015933A0 mov eax, dword ptr fs:[00000030h]10_2_015933A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015833A5 mov eax, dword ptr fs:[00000030h]10_2_015833A5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0163539D mov eax, dword ptr fs:[00000030h]10_2_0163539D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0155A250 mov eax, dword ptr fs:[00000030h]10_2_0155A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0162D26B mov eax, dword ptr fs:[00000030h]10_2_0162D26B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0162D26B mov eax, dword ptr fs:[00000030h]10_2_0162D26B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015ED250 mov ecx, dword ptr fs:[00000030h]10_2_015ED250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01566259 mov eax, dword ptr fs:[00000030h]10_2_01566259
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0159724D mov eax, dword ptr fs:[00000030h]10_2_0159724D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01559240 mov eax, dword ptr fs:[00000030h]10_2_01559240
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01559240 mov eax, dword ptr fs:[00000030h]10_2_01559240
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01610274 mov eax, dword ptr fs:[00000030h]10_2_01610274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01610274 mov eax, dword ptr fs:[00000030h]10_2_01610274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01610274 mov eax, dword ptr fs:[00000030h]10_2_01610274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01610274 mov eax, dword ptr fs:[00000030h]10_2_01610274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01610274 mov eax, dword ptr fs:[00000030h]10_2_01610274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01610274 mov eax, dword ptr fs:[00000030h]10_2_01610274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01610274 mov eax, dword ptr fs:[00000030h]10_2_01610274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01610274 mov eax, dword ptr fs:[00000030h]10_2_01610274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01610274 mov eax, dword ptr fs:[00000030h]10_2_01610274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01610274 mov eax, dword ptr fs:[00000030h]10_2_01610274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01610274 mov eax, dword ptr fs:[00000030h]10_2_01610274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01610274 mov eax, dword ptr fs:[00000030h]10_2_01610274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E8243 mov eax, dword ptr fs:[00000030h]10_2_015E8243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E8243 mov ecx, dword ptr fs:[00000030h]10_2_015E8243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A1270 mov eax, dword ptr fs:[00000030h]10_2_015A1270
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015A1270 mov eax, dword ptr fs:[00000030h]10_2_015A1270
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01589274 mov eax, dword ptr fs:[00000030h]10_2_01589274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01564260 mov eax, dword ptr fs:[00000030h]10_2_01564260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01564260 mov eax, dword ptr fs:[00000030h]10_2_01564260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01564260 mov eax, dword ptr fs:[00000030h]10_2_01564260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0161B256 mov eax, dword ptr fs:[00000030h]10_2_0161B256
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0161B256 mov eax, dword ptr fs:[00000030h]10_2_0161B256
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0155826B mov eax, dword ptr fs:[00000030h]10_2_0155826B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01635227 mov eax, dword ptr fs:[00000030h]10_2_01635227
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01597208 mov eax, dword ptr fs:[00000030h]10_2_01597208
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01597208 mov eax, dword ptr fs:[00000030h]10_2_01597208
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0155823B mov eax, dword ptr fs:[00000030h]10_2_0155823B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016352E2 mov eax, dword ptr fs:[00000030h]10_2_016352E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0155B2D3 mov eax, dword ptr fs:[00000030h]10_2_0155B2D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0155B2D3 mov eax, dword ptr fs:[00000030h]10_2_0155B2D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0155B2D3 mov eax, dword ptr fs:[00000030h]10_2_0155B2D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0158F2D0 mov eax, dword ptr fs:[00000030h]10_2_0158F2D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0158F2D0 mov eax, dword ptr fs:[00000030h]10_2_0158F2D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016112ED mov eax, dword ptr fs:[00000030h]10_2_016112ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016112ED mov eax, dword ptr fs:[00000030h]10_2_016112ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016112ED mov eax, dword ptr fs:[00000030h]10_2_016112ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016112ED mov eax, dword ptr fs:[00000030h]10_2_016112ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016112ED mov eax, dword ptr fs:[00000030h]10_2_016112ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016112ED mov eax, dword ptr fs:[00000030h]10_2_016112ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016112ED mov eax, dword ptr fs:[00000030h]10_2_016112ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016112ED mov eax, dword ptr fs:[00000030h]10_2_016112ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016112ED mov eax, dword ptr fs:[00000030h]10_2_016112ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016112ED mov eax, dword ptr fs:[00000030h]10_2_016112ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016112ED mov eax, dword ptr fs:[00000030h]10_2_016112ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016112ED mov eax, dword ptr fs:[00000030h]10_2_016112ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016112ED mov eax, dword ptr fs:[00000030h]10_2_016112ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016112ED mov eax, dword ptr fs:[00000030h]10_2_016112ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015692C5 mov eax, dword ptr fs:[00000030h]10_2_015692C5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015692C5 mov eax, dword ptr fs:[00000030h]10_2_015692C5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0156A2C3 mov eax, dword ptr fs:[00000030h]10_2_0156A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0156A2C3 mov eax, dword ptr fs:[00000030h]10_2_0156A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0156A2C3 mov eax, dword ptr fs:[00000030h]10_2_0156A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0156A2C3 mov eax, dword ptr fs:[00000030h]10_2_0156A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0156A2C3 mov eax, dword ptr fs:[00000030h]10_2_0156A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0158B2C0 mov eax, dword ptr fs:[00000030h]10_2_0158B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0158B2C0 mov eax, dword ptr fs:[00000030h]10_2_0158B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0158B2C0 mov eax, dword ptr fs:[00000030h]10_2_0158B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0158B2C0 mov eax, dword ptr fs:[00000030h]10_2_0158B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0158B2C0 mov eax, dword ptr fs:[00000030h]10_2_0158B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0158B2C0 mov eax, dword ptr fs:[00000030h]10_2_0158B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0158B2C0 mov eax, dword ptr fs:[00000030h]10_2_0158B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0161F2F8 mov eax, dword ptr fs:[00000030h]10_2_0161F2F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015592FF mov eax, dword ptr fs:[00000030h]10_2_015592FF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015702E1 mov eax, dword ptr fs:[00000030h]10_2_015702E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015702E1 mov eax, dword ptr fs:[00000030h]10_2_015702E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015702E1 mov eax, dword ptr fs:[00000030h]10_2_015702E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016292A6 mov eax, dword ptr fs:[00000030h]10_2_016292A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016292A6 mov eax, dword ptr fs:[00000030h]10_2_016292A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016292A6 mov eax, dword ptr fs:[00000030h]10_2_016292A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_016292A6 mov eax, dword ptr fs:[00000030h]10_2_016292A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0159329E mov eax, dword ptr fs:[00000030h]10_2_0159329E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0159329E mov eax, dword ptr fs:[00000030h]10_2_0159329E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E0283 mov eax, dword ptr fs:[00000030h]10_2_015E0283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E0283 mov eax, dword ptr fs:[00000030h]10_2_015E0283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E0283 mov eax, dword ptr fs:[00000030h]10_2_015E0283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0159E284 mov eax, dword ptr fs:[00000030h]10_2_0159E284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0159E284 mov eax, dword ptr fs:[00000030h]10_2_0159E284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01635283 mov eax, dword ptr fs:[00000030h]10_2_01635283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E92BC mov eax, dword ptr fs:[00000030h]10_2_015E92BC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_015E92BC mov eax, dword ptr fs:[00000030h]10_2_015E92BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015E92BC mov ecx, dword ptr fs:[00000030h] | 10_2_015E92BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015E92BC mov ecx, dword ptr fs:[00000030h] | 10_2_015E92BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015702A0 mov eax, dword ptr fs:[00000030h] | 10_2_015702A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015702A0 mov eax, dword ptr fs:[00000030h] | 10_2_015702A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015752A0 mov eax, dword ptr fs:[00000030h] | 10_2_015752A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015752A0 mov eax, dword ptr fs:[00000030h] | 10_2_015752A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015752A0 mov eax, dword ptr fs:[00000030h] | 10_2_015752A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015752A0 mov eax, dword ptr fs:[00000030h] | 10_2_015752A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015F62A0 mov eax, dword ptr fs:[00000030h] | 10_2_015F62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015F62A0 mov ecx, dword ptr fs:[00000030h] | 10_2_015F62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015F62A0 mov eax, dword ptr fs:[00000030h] | 10_2_015F62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015F62A0 mov eax, dword ptr fs:[00000030h] | 10_2_015F62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015F62A0 mov eax, dword ptr fs:[00000030h] | 10_2_015F62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015F62A0 mov eax, dword ptr fs:[00000030h] | 10_2_015F62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015F72A0 mov eax, dword ptr fs:[00000030h] | 10_2_015F72A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015F72A0 mov eax, dword ptr fs:[00000030h] | 10_2_015F72A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01568550 mov eax, dword ptr fs:[00000030h] | 10_2_01568550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01568550 mov eax, dword ptr fs:[00000030h] | 10_2_01568550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0159B570 mov eax, dword ptr fs:[00000030h] | 10_2_0159B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0159B570 mov eax, dword ptr fs:[00000030h] | 10_2_0159B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0159656A mov eax, dword ptr fs:[00000030h] | 10_2_0159656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0159656A mov eax, dword ptr fs:[00000030h] | 10_2_0159656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0159656A mov eax, dword ptr fs:[00000030h] | 10_2_0159656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0155B562 mov eax, dword ptr fs:[00000030h] | 10_2_0155B562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0160F525 mov eax, dword ptr fs:[00000030h] | 10_2_0160F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0160F525 mov eax, dword ptr fs:[00000030h] | 10_2_0160F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0160F525 mov eax, dword ptr fs:[00000030h] | 10_2_0160F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0160F525 mov eax, dword ptr fs:[00000030h] | 10_2_0160F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0160F525 mov eax, dword ptr fs:[00000030h] | 10_2_0160F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0160F525 mov eax, dword ptr fs:[00000030h] | 10_2_0160F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0160F525 mov eax, dword ptr fs:[00000030h] | 10_2_0160F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0161B52F mov eax, dword ptr fs:[00000030h] | 10_2_0161B52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01635537 mov eax, dword ptr fs:[00000030h] | 10_2_01635537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01597505 mov eax, dword ptr fs:[00000030h] | 10_2_01597505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01597505 mov ecx, dword ptr fs:[00000030h] | 10_2_01597505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01570535 mov eax, dword ptr fs:[00000030h] | 10_2_01570535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01570535 mov eax, dword ptr fs:[00000030h] | 10_2_01570535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01570535 mov eax, dword ptr fs:[00000030h] | 10_2_01570535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01570535 mov eax, dword ptr fs:[00000030h] | 10_2_01570535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01570535 mov eax, dword ptr fs:[00000030h] | 10_2_01570535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01570535 mov eax, dword ptr fs:[00000030h] | 10_2_01570535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0156D534 mov eax, dword ptr fs:[00000030h] | 10_2_0156D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0156D534 mov eax, dword ptr fs:[00000030h] | 10_2_0156D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0156D534 mov eax, dword ptr fs:[00000030h] | 10_2_0156D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0156D534 mov eax, dword ptr fs:[00000030h] | 10_2_0156D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0156D534 mov eax, dword ptr fs:[00000030h] | 10_2_0156D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0156D534 mov eax, dword ptr fs:[00000030h] | 10_2_0156D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01634500 mov eax, dword ptr fs:[00000030h] | 10_2_01634500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01634500 mov eax, dword ptr fs:[00000030h] | 10_2_01634500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01634500 mov eax, dword ptr fs:[00000030h] | 10_2_01634500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01634500 mov eax, dword ptr fs:[00000030h] | 10_2_01634500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01634500 mov eax, dword ptr fs:[00000030h] | 10_2_01634500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01634500 mov eax, dword ptr fs:[00000030h] | 10_2_01634500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01634500 mov eax, dword ptr fs:[00000030h] | 10_2_01634500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158E53E mov eax, dword ptr fs:[00000030h] | 10_2_0158E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158E53E mov eax, dword ptr fs:[00000030h] | 10_2_0158E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158E53E mov eax, dword ptr fs:[00000030h] | 10_2_0158E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158E53E mov eax, dword ptr fs:[00000030h] | 10_2_0158E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158E53E mov eax, dword ptr fs:[00000030h] | 10_2_0158E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0159D530 mov eax, dword ptr fs:[00000030h] | 10_2_0159D530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0159D530 mov eax, dword ptr fs:[00000030h] | 10_2_0159D530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015895DA mov eax, dword ptr fs:[00000030h] | 10_2_015895DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015665D0 mov eax, dword ptr fs:[00000030h] | 10_2_015665D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0159A5D0 mov eax, dword ptr fs:[00000030h] | 10_2_0159A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0159A5D0 mov eax, dword ptr fs:[00000030h] | 10_2_0159A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015DD5D0 mov eax, dword ptr fs:[00000030h] | 10_2_015DD5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015DD5D0 mov ecx, dword ptr fs:[00000030h] | 10_2_015DD5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0159E5CF mov eax, dword ptr fs:[00000030h] | 10_2_0159E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0159E5CF mov eax, dword ptr fs:[00000030h] | 10_2_0159E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015955C0 mov eax, dword ptr fs:[00000030h] | 10_2_015955C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016355C9 mov eax, dword ptr fs:[00000030h] | 10_2_016355C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015815F4 mov eax, dword ptr fs:[00000030h] | 10_2_015815F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015815F4 mov eax, dword ptr fs:[00000030h] | 10_2_015815F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015815F4 mov eax, dword ptr fs:[00000030h] | 10_2_015815F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015815F4 mov eax, dword ptr fs:[00000030h] | 10_2_015815F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015815F4 mov eax, dword ptr fs:[00000030h] | 10_2_015815F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015815F4 mov eax, dword ptr fs:[00000030h] | 10_2_015815F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016335D7 mov eax, dword ptr fs:[00000030h] | 10_2_016335D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016335D7 mov eax, dword ptr fs:[00000030h] | 10_2_016335D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_016335D7 mov eax, dword ptr fs:[00000030h] | 10_2_016335D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0159C5ED mov eax, dword ptr fs:[00000030h] | 10_2_0159C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0159C5ED mov eax, dword ptr fs:[00000030h] | 10_2_0159C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015625E0 mov eax, dword ptr fs:[00000030h] | 10_2_015625E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158E5E7 mov eax, dword ptr fs:[00000030h] | 10_2_0158E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158E5E7 mov eax, dword ptr fs:[00000030h] | 10_2_0158E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158E5E7 mov eax, dword ptr fs:[00000030h] | 10_2_0158E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158E5E7 mov eax, dword ptr fs:[00000030h] | 10_2_0158E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158E5E7 mov eax, dword ptr fs:[00000030h] | 10_2_0158E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158E5E7 mov eax, dword ptr fs:[00000030h] | 10_2_0158E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158E5E7 mov eax, dword ptr fs:[00000030h] | 10_2_0158E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158E5E7 mov eax, dword ptr fs:[00000030h] | 10_2_0158E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0159E59C mov eax, dword ptr fs:[00000030h] | 10_2_0159E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015EB594 mov eax, dword ptr fs:[00000030h] | 10_2_015EB594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015EB594 mov eax, dword ptr fs:[00000030h] | 10_2_015EB594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01594588 mov eax, dword ptr fs:[00000030h] | 10_2_01594588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01562582 mov eax, dword ptr fs:[00000030h] | 10_2_01562582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01562582 mov ecx, dword ptr fs:[00000030h] | 10_2_01562582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0155758F mov eax, dword ptr fs:[00000030h] | 10_2_0155758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0155758F mov eax, dword ptr fs:[00000030h] | 10_2_0155758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0155758F mov eax, dword ptr fs:[00000030h] | 10_2_0155758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0161F5BE mov eax, dword ptr fs:[00000030h] | 10_2_0161F5BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015F35BA mov eax, dword ptr fs:[00000030h] | 10_2_015F35BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015F35BA mov eax, dword ptr fs:[00000030h] | 10_2_015F35BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015F35BA mov eax, dword ptr fs:[00000030h] | 10_2_015F35BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015F35BA mov eax, dword ptr fs:[00000030h] | 10_2_015F35BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158F5B0 mov eax, dword ptr fs:[00000030h] | 10_2_0158F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158F5B0 mov eax, dword ptr fs:[00000030h] | 10_2_0158F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158F5B0 mov eax, dword ptr fs:[00000030h] | 10_2_0158F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158F5B0 mov eax, dword ptr fs:[00000030h] | 10_2_0158F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158F5B0 mov eax, dword ptr fs:[00000030h] | 10_2_0158F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158F5B0 mov eax, dword ptr fs:[00000030h] | 10_2_0158F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158F5B0 mov eax, dword ptr fs:[00000030h] | 10_2_0158F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158F5B0 mov eax, dword ptr fs:[00000030h] | 10_2_0158F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158F5B0 mov eax, dword ptr fs:[00000030h] | 10_2_0158F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015845B1 mov eax, dword ptr fs:[00000030h] | 10_2_015845B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015845B1 mov eax, dword ptr fs:[00000030h] | 10_2_015845B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015815A9 mov eax, dword ptr fs:[00000030h] | 10_2_015815A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015815A9 mov eax, dword ptr fs:[00000030h] | 10_2_015815A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015815A9 mov eax, dword ptr fs:[00000030h] | 10_2_015815A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015815A9 mov eax, dword ptr fs:[00000030h] | 10_2_015815A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015815A9 mov eax, dword ptr fs:[00000030h] | 10_2_015815A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015E05A7 mov eax, dword ptr fs:[00000030h] | 10_2_015E05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015E05A7 mov eax, dword ptr fs:[00000030h] | 10_2_015E05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015E05A7 mov eax, dword ptr fs:[00000030h] | 10_2_015E05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158245A mov eax, dword ptr fs:[00000030h] | 10_2_0158245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0155645D mov eax, dword ptr fs:[00000030h] | 10_2_0155645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0156B440 mov eax, dword ptr fs:[00000030h] | 10_2_0156B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0156B440 mov eax, dword ptr fs:[00000030h] | 10_2_0156B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0156B440 mov eax, dword ptr fs:[00000030h] | 10_2_0156B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0156B440 mov eax, dword ptr fs:[00000030h] | 10_2_0156B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0156B440 mov eax, dword ptr fs:[00000030h] | 10_2_0156B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0156B440 mov eax, dword ptr fs:[00000030h] | 10_2_0156B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0159E443 mov eax, dword ptr fs:[00000030h] | 10_2_0159E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0159E443 mov eax, dword ptr fs:[00000030h] | 10_2_0159E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0159E443 mov eax, dword ptr fs:[00000030h] | 10_2_0159E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0159E443 mov eax, dword ptr fs:[00000030h] | 10_2_0159E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0159E443 mov eax, dword ptr fs:[00000030h] | 10_2_0159E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0159E443 mov eax, dword ptr fs:[00000030h] | 10_2_0159E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0159E443 mov eax, dword ptr fs:[00000030h] | 10_2_0159E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0159E443 mov eax, dword ptr fs:[00000030h] | 10_2_0159E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0163547F mov eax, dword ptr fs:[00000030h] | 10_2_0163547F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158A470 mov eax, dword ptr fs:[00000030h] | 10_2_0158A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158A470 mov eax, dword ptr fs:[00000030h] | 10_2_0158A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158A470 mov eax, dword ptr fs:[00000030h] | 10_2_0158A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0161F453 mov eax, dword ptr fs:[00000030h] | 10_2_0161F453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01561460 mov eax, dword ptr fs:[00000030h] | 10_2_01561460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01561460 mov eax, dword ptr fs:[00000030h] | 10_2_01561460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01561460 mov eax, dword ptr fs:[00000030h] | 10_2_01561460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01561460 mov eax, dword ptr fs:[00000030h] | 10_2_01561460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01561460 mov eax, dword ptr fs:[00000030h] | 10_2_01561460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0157F460 mov eax, dword ptr fs:[00000030h] | 10_2_0157F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0157F460 mov eax, dword ptr fs:[00000030h] | 10_2_0157F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0157F460 mov eax, dword ptr fs:[00000030h] | 10_2_0157F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0157F460 mov eax, dword ptr fs:[00000030h] | 10_2_0157F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0157F460 mov eax, dword ptr fs:[00000030h] | 10_2_0157F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0157F460 mov eax, dword ptr fs:[00000030h] | 10_2_0157F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015EC460 mov ecx, dword ptr fs:[00000030h] | 10_2_015EC460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_015E7410 mov eax, dword ptr fs:[00000030h] | 10_2_015E7410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0158340D mov eax, dword ptr fs:[00000030h] | 10_2_0158340D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01598402 mov eax, dword ptr fs:[00000030h] | 10_2_01598402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01598402 mov eax, dword ptr fs:[00000030h] | 10_2_01598402
Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe"
Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XPNlWEtXW.exe"
Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe"
Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XPNlWEtXW.exe"
Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtProtectVirtualMemory: Direct from: 0x77542F9C
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtSetInformationProcess: Direct from: 0x77542C5C
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtOpenKeyEx: Direct from: 0x77542B9C
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtTerminateThread: Direct from: 0x77537B2E
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtCreateFile: Direct from: 0x77542FEC
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtOpenFile: Direct from: 0x77542DCC
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtQueryInformationToken: Direct from: 0x77542CAC
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtTerminateThread: Direct from: 0x77542FCC
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtDeviceIoControlFile: Direct from: 0x77542AEC
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtAllocateVirtualMemory: Direct from: 0x77542BEC
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtQueryVolumeInformationFile: Direct from: 0x77542F2C
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtOpenSection: Direct from: 0x77542E0C
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtAllocateVirtualMemory: Direct from: 0x775448EC
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtSetInformationThread: Direct from: 0x775363F9
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtQuerySystemInformation: Direct from: 0x775448CC
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtClose: Direct from: 0x77542B6C
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtReadVirtualMemory: Direct from: 0x77542E8C
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtCreateKey: Direct from: 0x77542C6C
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtSetInformationThread: Direct from: 0x77542B4C
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtQueryAttributesFile: Direct from: 0x77542E6C
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtAllocateVirtualMemory: Direct from: 0x77543C9C
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtCreateUserProcess: Direct from: 0x7754371C
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtQueryInformationProcess: Direct from: 0x77542C26
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtResumeThread: Direct from: 0x77542FBC
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtWriteVirtualMemory: Direct from: 0x7754490C
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtDelayExecution: Direct from: 0x77542DDC
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtAllocateVirtualMemory: Direct from: 0x77542BFC
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtReadFile: Direct from: 0x77542ADC
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtQuerySystemInformation: Direct from: 0x77542DFC
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtResumeThread: Direct from: 0x775436AC
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtNotifyChangeKey: Direct from: 0x77543C2C
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtCreateMutant: Direct from: 0x775435CC
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtWriteVirtualMemory: Direct from: 0x77542E3C
Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe | NtMapViewOfSection: Direct from: 0x77542D1C
Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Windows\SysWOW64\MuiUnattend.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\MuiUnattend.exe | Section loaded: NULL target: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe protection: read write
Source: C:\Windows\SysWOW64\MuiUnattend.exe | Section loaded: NULL target: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\MuiUnattend.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\MuiUnattend.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\MuiUnattend.exe | Thread register set: target process: 2148
                Source: C:\Windows\SysWOW64\MuiUnattend.exeThread APC queued: target process: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exe
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000Jump to behavior
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C33008Jump to behavior
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000Jump to behavior
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 90F008Jump to behavior
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XPNlWEtXW.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPNlWEtXW" /XML "C:\Users\user\AppData\Local\Temp\tmp48AD.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPNlWEtXW" /XML "C:\Users\user\AppData\Local\Temp\tmp7D1B.tmp"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Program Files (x86)\fNaOAzMdwwAjpsXsVXWbyMsDaAMkhksKxptYqCcGXDgTDyvxUqrBXGTIlXXFFeSvbAZvTWGdpO\pxnPNuGwnboybvBniSgRpp.exeProcess created: C:\Windows\SysWOW64\MuiUnattend.exe "C:\Windows\SysWOW64\MuiUnattend.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\MuiUnattend.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: pxnPNuGwnboybvBniSgRpp.exe, 00000014.00000000.1598297339.00000000019A1000.00000002.00000001.00040000.00000000.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000014.00000002.3832477209.00000000019A1000.00000002.00000001.00040000.00000000.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000016.00000000.1742399463.0000000001101000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager
                Source: pxnPNuGwnboybvBniSgRpp.exe, 00000014.00000000.1598297339.00000000019A1000.00000002.00000001.00040000.00000000.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000014.00000002.3832477209.00000000019A1000.00000002.00000001.00040000.00000000.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000016.00000000.1742399463.0000000001101000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: pxnPNuGwnboybvBniSgRpp.exe, 00000014.00000000.1598297339.00000000019A1000.00000002.00000001.00040000.00000000.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000014.00000002.3832477209.00000000019A1000.00000002.00000001.00040000.00000000.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000016.00000000.1742399463.0000000001101000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: pxnPNuGwnboybvBniSgRpp.exe, 00000014.00000000.1598297339.00000000019A1000.00000002.00000001.00040000.00000000.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000014.00000002.3832477209.00000000019A1000.00000002.00000001.00040000.00000000.sdmp, pxnPNuGwnboybvBniSgRpp.exe, 00000016.00000000.1742399463.0000000001101000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeQueries volume information: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exeQueries volume information: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\XPNlWEtXW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Payment -Advice-6UoSFOxOntvuu94-PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000015.00000002.3833175414.0000000000B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1745344839.0000000006030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.3832837621.00000000009D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.3829898714.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1675681898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.3833562296.0000000003090000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1679343673.0000000001910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\MuiUnattend.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\MuiUnattend.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\MuiUnattend.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\MuiUnattend.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\MuiUnattend.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\MuiUnattend.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\MuiUnattend.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\MuiUnattend.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\MuiUnattend.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match | File source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000015.00000002.3833175414.0000000000B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1745344839.0000000006030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.3832837621.00000000009D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.3829898714.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1675681898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.3833562296.0000000003090000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1679343673.0000000001910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
ATT&CK matrix (one column per tactic; a leading number marks a technique matched by this report's signatures and gives the match count)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Scheduled Task/Job; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 612 Process Injection; 1 Scheduled Task/Job; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 612 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 4 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 221 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 113 System Information Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Email Collection; 1 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph ID: 1612355; Sample: Payment -Advice-6UoSFOxOntv...; Startdate: 11/02/2025; Architecture: WINDOWS; Score: 100

                • Start
                  - DNS/IP: www.x3kwqc5tye4vl90y.top; www.wuyyv4tq.top; 14 other IPs or domains
                  - Signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; 11 other signatures
                  - started: Payment -Advice-6UoSFOxOntvuu94-PDF.exe; XPNlWEtXW.exe
                • Payment -Advice-6UoSFOxOntvuu94-PDF.exe
                  - dropped: C:\Users\user\AppData\Roaming\XPNlWEtXW.exe (PE32); C:\Users\...\XPNlWEtXW.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp48AD.tmp (XML); Payment -Advice-6U...ntvuu94-PDF.exe.log (ASCII)
                  - Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
                  - started: RegSvcs.exe; powershell.exe; powershell.exe; 2 other processes
                • XPNlWEtXW.exe
                  - Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                  - started: schtasks.exe; RegSvcs.exe; RegSvcs.exe
                • RegSvcs.exe (started by the sample)
                  - Signature: Maps a DLL or memory area into another process
                  - injected: pxnPNuGwnboybvBniSgRpp.exe
                • powershell.exe (first instance)
                  - Signature: Loading BitLocker PowerShell Module
                  - started: WmiPrvSE.exe; conhost.exe
                • The second powershell.exe, schtasks.exe and the 2 other processes each started a conhost.exe
                • pxnPNuGwnboybvBniSgRpp.exe (injected by RegSvcs.exe)
                  - Signature: Found direct / indirect Syscall (likely to bypass EDR)
                  - started: MuiUnattend.exe
                • MuiUnattend.exe
                  - Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                  - injected: pxnPNuGwnboybvBniSgRpp.exe
                  - started: firefox.exe
                • pxnPNuGwnboybvBniSgRpp.exe (injected by MuiUnattend.exe)
                  - DNS/IP: www.visionaryb.site, 67.223.117.189, ports 49986, 49987, 49988, VIMRO-AS15189US, United States; nocoma.berlin, 217.160.0.167, ports 49990, 49991, 49992, ONEANDONE-ASBrauerstrasse48DE, Germany; 8 other IPs or domains
                  - Signature: Found direct / indirect Syscall (likely to bypass EDR)

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.