
Windows Analysis Report
URGENT REQUEST FOR QUOTATION.exe

Overview

General Information

Sample name: URGENT REQUEST FOR QUOTATION.exe
Analysis ID: 1634099
MD5: 0b04a2d692e0679243660865879628b2
SHA1: 9c8f684547e4bab4458160fb963fe92dba5ec9ee
SHA256: 3aa6510b5cd734042afde77fce92ce73aac28de0928a37b651a915df342b1c10
Tags: exe, user-threatcat_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • URGENT REQUEST FOR QUOTATION.exe (PID: 7092 cmdline: "C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe" MD5: 0B04A2D692E0679243660865879628B2)
    • powershell.exe (PID: 6168 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 6260 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 6332 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • H792vWLf9Fx1Mp7TRJ.exe (PID: 5320 cmdline: "C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\DpJwx4KB9n.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • PresentationHost.exe (PID: 796 cmdline: "C:\Windows\SysWOW64\PresentationHost.exe" MD5: C6671F8B9F073785FD617661AD1F1C45)
          • H792vWLf9Fx1Mp7TRJ.exe (PID: 5040 cmdline: "C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\YbSQGnezJ0Cpzn.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 3700 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • svchost.exe (PID: 5768 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.1373353315.0000000001050000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.1372904719.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000F.00000002.3372784799.0000000005400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000D.00000002.3370961609.0000000002C90000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.1374655242.00000000014F0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
4.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
4.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe", ParentImage: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe, ParentProcessId: 7092, ParentProcessName: URGENT REQUEST FOR QUOTATION.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe", ProcessId: 6168, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe", ParentImage: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe, ParentProcessId: 7092, ParentProcessName: URGENT REQUEST FOR QUOTATION.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe", ProcessId: 6168, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe", ParentImage: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe, ParentProcessId: 7092, ParentProcessName: URGENT REQUEST FOR QUOTATION.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe", ProcessId: 6168, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5768, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-10T19:39:39.541005+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49691 | 77.95.113.182 | 80 | TCP
2025-03-10T19:40:02.928610+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49695 | 51.222.255.207 | 80 | TCP
2025-03-10T19:40:16.404167+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49699 | 104.21.18.45 | 80 | TCP
2025-03-10T19:40:29.855458+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49703 | 203.161.42.73 | 80 | TCP
2025-03-10T19:40:44.112136+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49707 | 142.0.133.149 | 80 | TCP
2025-03-10T19:40:57.314441+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49712 | 13.248.169.48 | 80 | TCP
2025-03-10T19:41:10.480915+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49716 | 3.33.130.190 | 80 | TCP
2025-03-10T19:41:32.227363+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49721 | 199.59.243.228 | 80 | TCP
2025-03-10T19:41:45.614300+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49725 | 13.248.169.48 | 80 | TCP
2025-03-10T19:42:01.575179+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49729 | 43.251.56.78 | 80 | TCP
2025-03-10T19:42:14.770594+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49733 | 13.248.169.48 | 80 | TCP
2025-03-10T19:42:27.963281+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49739 | 3.33.130.190 | 80 | TCP
2025-03-10T19:42:41.579670+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49743 | 85.159.66.93 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-10T19:39:55.260609+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49692 | 51.222.255.207 | 80 | TCP
2025-03-10T19:39:57.780050+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49693 | 51.222.255.207 | 80 | TCP
2025-03-10T19:40:00.349519+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49694 | 51.222.255.207 | 80 | TCP
2025-03-10T19:40:08.657132+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49696 | 104.21.18.45 | 80 | TCP
2025-03-10T19:40:11.193306+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49697 | 104.21.18.45 | 80 | TCP
2025-03-10T19:40:13.766509+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49698 | 104.21.18.45 | 80 | TCP
2025-03-10T19:40:22.057441+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49700 | 203.161.42.73 | 80 | TCP
2025-03-10T19:40:24.601180+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49701 | 203.161.42.73 | 80 | TCP
2025-03-10T19:40:27.151281+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49702 | 203.161.42.73 | 80 | TCP
2025-03-10T19:40:36.263879+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49704 | 142.0.133.149 | 80 | TCP
2025-03-10T19:40:38.810130+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49705 | 142.0.133.149 | 80 | TCP
2025-03-10T19:40:41.368292+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49706 | 142.0.133.149 | 80 | TCP
2025-03-10T19:40:49.639559+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49708 | 13.248.169.48 | 80 | TCP
2025-03-10T19:40:52.193201+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49709 | 13.248.169.48 | 80 | TCP
2025-03-10T19:40:54.718023+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49710 | 13.248.169.48 | 80 | TCP
2025-03-10T19:41:02.881977+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49713 | 3.33.130.190 | 80 | TCP
2025-03-10T19:41:05.424796+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49714 | 3.33.130.190 | 80 | TCP
2025-03-10T19:41:07.930490+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49715 | 3.33.130.190 | 80 | TCP
2025-03-10T19:41:24.263952+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49718 | 199.59.243.228 | 80 | TCP
2025-03-10T19:41:27.138879+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49719 | 199.59.243.228 | 80 | TCP
2025-03-10T19:41:29.707386+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49720 | 199.59.243.228 | 80 | TCP
2025-03-10T19:41:38.955871+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49722 | 13.248.169.48 | 80 | TCP
2025-03-10T19:41:40.478797+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49723 | 13.248.169.48 | 80 | TCP
2025-03-10T19:41:43.074668+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49724 | 13.248.169.48 | 80 | TCP
2025-03-10T19:41:53.059498+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49726 | 43.251.56.78 | 80 | TCP
2025-03-10T19:41:55.638941+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49727 | 43.251.56.78 | 80 | TCP
2025-03-10T19:41:58.469458+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49728 | 43.251.56.78 | 80 | TCP
2025-03-10T19:42:07.131255+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49730 | 13.248.169.48 | 80 | TCP
2025-03-10T19:42:09.675207+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49731 | 13.248.169.48 | 80 | TCP
2025-03-10T19:42:12.234736+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49732 | 13.248.169.48 | 80 | TCP
2025-03-10T19:42:20.320857+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49735 | 3.33.130.190 | 80 | TCP
2025-03-10T19:42:22.873560+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49736 | 3.33.130.190 | 80 | TCP
2025-03-10T19:42:25.407206+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49737 | 3.33.130.190 | 80 | TCP
2025-03-10T19:42:34.659098+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49740 | 85.159.66.93 | 80 | TCP
2025-03-10T19:42:37.205823+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49741 | 85.159.66.93 | 80 | TCP
2025-03-10T19:42:39.768288+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49742 | 85.159.66.93 | 80 | TCP
2025-03-10T19:42:48.464917+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49744 | 162.43.104.171 | 80 | TCP

AV Detection

Source: URGENT REQUEST FOR QUOTATION.exe; Avira: detected
Source: http://www.quo1ybjmkhdqljoz.top/is6o/; Avira URL Cloud: Label: malware
Source: http://www.quo1ybjmkhdqljoz.top/is6o/?-xTT=j0lPqzQXq&Efgt_=BzQ9YNBxKh8dSSaiD5i7iIOB263e8CQAxf5JFiCTYVmLK080aBrOX/K0gKC4sHOntWbFJC0oYFvYzCzjPtDwHsrqWssUKlT7PjR4QI7T6LhUhgoBwCFSWBzMdTQd0Y/QIsDuxyB4C/Of; Avira URL Cloud: Label: malware
Source: URGENT REQUEST FOR QUOTATION.exe; Virustotal: Detection: 58%
Source: URGENT REQUEST FOR QUOTATION.exe; ReversingLabs: Detection: 57%
Source: Yara match; File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000002.1373353315.0000000001050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1372904719.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.3372784799.0000000005400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.3370961609.0000000002C90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1374655242.00000000014F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: URGENT REQUEST FOR QUOTATION.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: URGENT REQUEST FOR QUOTATION.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: PresentationHost.pdbGCTL source: H792vWLf9Fx1Mp7TRJ.exe, 0000000D.00000003.1318998743.0000000001114000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb, source: PresentationHost.exe, 0000000E.00000002.3373669212.000000000550C000.00000004.10000000.00040000.00000000.sdmp, PresentationHost.exe, 0000000E.00000002.3369398408.00000000031DE000.00000004.00000020.00020000.00000000.sdmp, H792vWLf9Fx1Mp7TRJ.exe, 0000000F.00000000.1449460739.0000000002FCC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.1665018757.00000000342EC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000004.00000002.1373459199.00000000010A0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000004.00000002.1373459199.00000000010A0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationHost.pdb source: H792vWLf9Fx1Mp7TRJ.exe, 0000000D.00000003.1318998743.0000000001114000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: PresentationHost.exe, 0000000E.00000002.3373669212.000000000550C000.00000004.10000000.00040000.00000000.sdmp, PresentationHost.exe, 0000000E.00000002.3369398408.00000000031DE000.00000004.00000020.00020000.00000000.sdmp, H792vWLf9Fx1Mp7TRJ.exe, 0000000F.00000000.1449460739.0000000002FCC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.1665018757.00000000342EC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: H792vWLf9Fx1Mp7TRJ.exe, 0000000D.00000002.3368633324.000000000030F000.00000002.00000001.01000000.0000000E.sdmp, H792vWLf9Fx1Mp7TRJ.exe, 0000000F.00000000.1448551228.000000000030F000.00000002.00000001.01000000.0000000E.sdmp
Source: C:\Windows\SysWOW64\PresentationHost.exe; Code function: 4x nop then mov ebx, dword ptr [ebp+08h]; Function: 14_2_02DB4179
Source: C:\Windows\SysWOW64\PresentationHost.exe; Code function: 4x nop then pop edi; Function: 14_2_02D9E980
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe; Code function: 4x nop then mov esp, ebp; Function: 15_2_05406082
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe; Code function: 4x nop then mov esp, ebp; Function: 15_2_0540616D
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe; Code function: 4x nop then pop edi; Function: 15_2_05406821
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe; Code function: 4x nop then xor eax, eax; Function: 15_2_0540C082
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe; Code function: 4x nop then pop edi; Function: 15_2_05408897
Source: C:\Program Files\Mozilla Firefox\firefox.exe; Code function: 4x nop then mov ebx, 00000004h; Function: 16_2_00000200740EC4DE

Networking

Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49695 -> 51.222.255.207:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49705 -> 142.0.133.149:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49696 -> 104.21.18.45:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49698 -> 104.21.18.45:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49701 -> 203.161.42.73:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49691 -> 77.95.113.182:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49703 -> 203.161.42.73:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49694 -> 51.222.255.207:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49716 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49706 -> 142.0.133.149:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49719 -> 199.59.243.228:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49730 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49728 -> 43.251.56.78:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49707 -> 142.0.133.149:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49699 -> 104.21.18.45:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49724 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49725 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49727 -> 43.251.56.78:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49721 -> 199.59.243.228:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49702 -> 203.161.42.73:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49729 -> 43.251.56.78:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49692 -> 51.222.255.207:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49693 -> 51.222.255.207:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49722 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49718 -> 199.59.243.228:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49713 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49697 -> 104.21.18.45:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49739 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49704 -> 142.0.133.149:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49710 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49732 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49712 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49723 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49741 -> 85.159.66.93:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49708 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49731 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49715 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49737 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49700 -> 203.161.42.73:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49709 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49744 -> 162.43.104.171:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49733 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49736 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49740 -> 85.159.66.93:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49742 -> 85.159.66.93:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49714 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49726 -> 43.251.56.78:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49743 -> 85.159.66.93:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49720 -> 199.59.243.228:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49735 -> 3.33.130.190:80
Source: DNS query: www.79456217.xyz
Source: DNS query: www.quantumeditor.xyz
Source: DNS query: www.otonix.xyz
Source: DNS query: www.espuna.xyz
Source: DNS query: www.setrala.xyz
Source: Joe Sandbox View; IP Address: 142.0.133.149 142.0.133.149
Source: Joe Sandbox View; IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View; ASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected:
    GET /aoc3/?-xTT=j0lPqzQXq&Efgt_=ENVuXSwqVK4LLJ4YJlZlMeYHrEcDnrku0UDTRKKNf697foRm0cYEZ1DAoMd0qHiAIGHFieBWVgv/TRDvXeOlw4G9Opm8ggwo/DoDpEL4mvHpxJobBgWxb1sUG01nChEAO+Nranm6WoRc HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-us
    Host: www.sixfiguredigital.group
    Connection: close
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:35.0) Gecko/20100101 Firefox/35.0
Source: global traffic; HTTP traffic detected:
    GET /d70e/?Efgt_=l5xQA5K4b7aqfogvgthhEW2Kij6uBj4yo6Xr1d/5ybb5OsrKimt0hea7nMwmYGsyz9DiR+F2IdsEY8sqakHWFDZUIVUtyxsn/h6x9Up8uxf1vL5lgDICZZH9HwT/RWpiYmScg0tnqT+H&-xTT=j0lPqzQXq HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-us
    Host: www.playav.mobi
    Connection: close
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:35.0) Gecko/20100101 Firefox/35.0
Source: global traffic; HTTP traffic detected:
    GET /i449/?-xTT=j0lPqzQXq&Efgt_=o6aNrPJ8Vgz7qr0kqZZ8+M9WN1LfFZsA5dfKdpZrkUJWipFpw/MtjZu4OErTJsSr7rDGASsMPw9ZK2KHHuFx5ABVnGW1c4pSTmK7TDtuBvC880dWppuzai5TVpdZiG0Vsj1922hjZtTc HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-us
    Host: www.eedpisalgenius.shop
    Connection: close
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:35.0) Gecko/20100101 Firefox/35.0
Source: global traffic; HTTP traffic detected:
    GET /04t4/?Efgt_=z3mRD9CpBO+9TEsB8KeFK07qchdgYy0KFRU8DceMFbMfFgTaDd0hbIYWywfeaTrgjghZEseGMRK0IE2XxKDTe4F/aHdB7NO/vWJ7U+JegsPPu9KEbLbjLPfxY645l2WRAuOafAbmqZon&-xTT=j0lPqzQXq HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-us
    Host: www.thrivay.website
    Connection: close
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:35.0) Gecko/20100101 Firefox/35.0
Source: global traffic; HTTP traffic detected:
    GET /q7ap/?Efgt_=2QcLCv3cch7dZL7s4iq4P0BahgiXnmhT267zkT/xic4HTOjDb+i+cbqxNFfPkyyXEtlXhdON3BxQ/RTEtYdDVzNO1QRT2ZN+uvkSNQdSXA7Btp6V87d/9qU/ekr1HuHU2pxaPDeGkUac&-xTT=j0lPqzQXq HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-us
    Host: www.79456217.xyz
    Connection: close
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:35.0) Gecko/20100101 Firefox/35.0
Source: global traffic; HTTP traffic detected:
    GET /twh5/?Efgt_=VNpmgVL8zztOUbgFg9Ftn4NFS1YLlIGOUABJqsL8a9/ZVZyI9pmuikEHmmF/lXXKyNrQMbjIObZNg2ZsjMoRV/WmnnVoLnfIEDAN8UJx5JG8PKHjR1xZYn9tmvdsa9RNg1QHrDfuaTRc&-xTT=j0lPqzQXq HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-us
    Host: www.quantumeditor.xyz
    Connection: close
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:35.0) Gecko/20100101 Firefox/35.0
Source: global traffic; HTTP traffic detected:
    GET /x6tl/?-xTT=j0lPqzQXq&Efgt_=EsQLp0lSjrnUQUgriR5/q4Ijg7i3lRfcTGMaceGVIHAu2C5GuL5Da4IDJhxoGeH6WEwepDk4QE4uzXSXMLW/tAdxo8YgHERPoprBqmV5wGw45GwsJDCmVICKddqQ+RotCmh0taaz6K+q HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-us
    Host: www.valorpackaging.shop
    Connection: close
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:35.0) Gecko/20100101 Firefox/35.0
                Source: global trafficHTTP traffic detected: GET /7nfd/?-xTT=j0lPqzQXq&Efgt_=t0iMLGZXRyzjbtJpEBERwS1dc8TFHGKLLPb1weqEE74JLntR+dCrlLHKB6/FXAnnSRI7IZYuDSoOCm40oE4c6A2aV6Z9r0bh+IlNDqFm5e+hsdKMN9xNJHp9Td96G1+bmZNRGhU5xuyj HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usHost: www.scottish.cafeConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:35.0) Gecko/20100101 Firefox/35.0
                Source: global trafficHTTP traffic detected: GET /8o59/?Efgt_=0cmo3Tm81IW2+X+BLyjB3kLSVSsysYXv7d+8I3B89oh/1yC7Aa7uHRVoxd1HW8YUp66By70CJ4M5XGzZECK73QqAw8Z//qRUVAMWwdlbcRxRixk44zkYKi7PFKa6LbHIM2Whu6eC1+cQ&-xTT=j0lPqzQXq HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usHost: www.otonix.xyzConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:35.0) Gecko/20100101 Firefox/35.0
                Source: global trafficHTTP traffic detected: GET /is6o/?-xTT=j0lPqzQXq&Efgt_=BzQ9YNBxKh8dSSaiD5i7iIOB263e8CQAxf5JFiCTYVmLK080aBrOX/K0gKC4sHOntWbFJC0oYFvYzCzjPtDwHsrqWssUKlT7PjR4QI7T6LhUhgoBwCFSWBzMdTQd0Y/QIsDuxyB4C/Of HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usHost: www.quo1ybjmkhdqljoz.topConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:35.0) Gecko/20100101 Firefox/35.0
                Source: global trafficHTTP traffic detected: GET /mzf9/?Efgt_=VwMzyVeI3W9yOBnRaR+LF9uY360A1Ix6ZCcujSeHwM8iEp8lEQ16OTI6knDZMFNitbZGXG3dIXdMrPnIQS/ezuQrinfPOqRcNMPhWKdR0YvVt2hrovA9VjoMv8z6kw4zhwdQ1qr9kBA/&-xTT=j0lPqzQXq HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usHost: www.espuna.xyzConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:35.0) Gecko/20100101 Firefox/35.0
                Source: global trafficHTTP traffic detected: GET /om19/?Efgt_=sr0MsLXI63IYsoWNjP5cm7PKhF4cUJBFVF34E9rvFfpa9gg3EUzSHXQ0cC0ua0VhnfugJ0Um4HyVQVVXkSzNZHGuxGrfxkuOzKgmGlTFgi+u+7yEmQOH43Hb38zNPzIrc6mRthWbm2aA&-xTT=j0lPqzQXq HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usHost: www.sirens94.netConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:35.0) Gecko/20100101 Firefox/35.0
                Source: global trafficHTTP traffic detected: GET /woe3/?Efgt_=h1plLNJH8IdDntEr7zEFt458DzTI5R01lP+jXnBAzwvaS6f9N/G3ZDnPYtaTOkgSqo1lvS+gir6y/uMgKrrPz7sAWPQzfYgSP0JMdtC+gVbbMB+fAyqt8PaAl7mYOCPsJTg9NSJzQkoW&-xTT=j0lPqzQXq HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usHost: www.setrala.xyzConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:35.0) Gecko/20100101 Firefox/35.0
                Source: global trafficDNS traffic detected: DNS query: www.sixfiguredigital.group
                Source: global trafficDNS traffic detected: DNS query: www.playav.mobi
                Source: global trafficDNS traffic detected: DNS query: www.eedpisalgenius.shop
                Source: global trafficDNS traffic detected: DNS query: www.thrivay.website
                Source: global trafficDNS traffic detected: DNS query: www.79456217.xyz
                Source: global trafficDNS traffic detected: DNS query: www.quantumeditor.xyz
                Source: global trafficDNS traffic detected: DNS query: www.valorpackaging.shop
                Source: global trafficDNS traffic detected: DNS query: www.theinitiative.click
                Source: global trafficDNS traffic detected: DNS query: www.scottish.cafe
                Source: global trafficDNS traffic detected: DNS query: www.otonix.xyz
                Source: global trafficDNS traffic detected: DNS query: www.quo1ybjmkhdqljoz.top
                Source: global trafficDNS traffic detected: DNS query: www.espuna.xyz
                Source: global trafficDNS traffic detected: DNS query: www.sirens94.net
                Source: global trafficDNS traffic detected: DNS query: www.setrala.xyz
                Source: global trafficDNS traffic detected: DNS query: www.nexstep.live
                Source: unknownHTTP traffic detected: POST /d70e/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usAccept-Encoding: gzip, deflate, brHost: www.playav.mobiContent-Length: 218Cache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedOrigin: http://www.playav.mobiReferer: http://www.playav.mobi/d70e/User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:35.0) Gecko/20100101 Firefox/35.0 Data Ascii: Efgt_=o7ZwDNGodMuSSss5pYt1DBnBqQ2TPG9JtZ6A2cLAyZqeO92kzGQkqIKogc0KSXsp2tHgAOR/CMAFcMYIFRuJekIwUQZ6xzII3x+u9W1vxgH9kfRCgD4hSa+pJhC3cnp1XxahvTZVoWWKrX0fPZwre5WXMEoLTkz0NtBP6MMV4D2BzaCstT++ecobsFPznTJw/WXj7OeTeyxQ8lbILg==
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Mon, 10 Mar 2025 18:39:39 GMTserver: LiteSpeedvary: User-Agent
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Mar 2025 18:39:55 GMTServer: ApacheConnection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8 Data Ascii: 1cf<!DOCTYPE html><html><head> <meta charset="utf-8"> <script src="/EntryPoint/lib/bluebird.min.js"></script> <script src="/EntryPoint/lib/tslib.js"></script> <script src="/EntryPoint/lib/main.js"></script> <script src="/EntryPoint/lib/moment.js"></script> <script src="/Plugin/LOGOSetting.js" charset="utf-8"></script> <script src="/EntryPoint/app_4054.js"></script></head><body> <div id="content"></div></body></html>0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Mar 2025 18:40:21 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Mar 2025 18:40:36 GMTServer: ApacheContent-Length: 262Connection: closeContent-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.79456217.xyz Port 80</address></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Mar 2025 18:40:38 GMTServer: ApacheContent-Length: 262Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 37 39 34 35 36 32 31 37 2e 78 79 7a 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.79456217.xyz Port 80</address></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Mar 2025 18:40:41 GMTServer: ApacheContent-Length: 262Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 37 39 34 35 36 32 31 37 2e 78 79 7a 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.79456217.xyz Port 80</address></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Mar 2025 18:40:44 GMTServer: ApacheContent-Length: 262Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 37 39 34 35 36 32 31 37 2e 78 79 7a 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.79456217.xyz Port 80</address></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Mon, 10 Mar 2025 18:42:41 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2025-03-10T18:42:46.4573642Z
                Source: URGENT REQUEST FOR QUOTATION.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                Source: URGENT REQUEST FOR QUOTATION.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                Source: edb.log.6.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                Source: URGENT REQUEST FOR QUOTATION.exe | String found in binary or memory: http://ocsp.comodoca.com0
                Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000002.998995023.0000000002933000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: PresentationHost.exe, 0000000E.00000002.3373669212.00000000058F4000.00000004.10000000.00040000.00000000.sdmp, H792vWLf9Fx1Mp7TRJ.exe, 0000000F.00000002.3370825596.00000000033B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.1665018757.00000000346D4000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.litespeedtech.com/error-page
                Source: H792vWLf9Fx1Mp7TRJ.exe, 0000000F.00000002.3372784799.0000000005452000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.setrala.xyz
                Source: H792vWLf9Fx1Mp7TRJ.exe, 0000000F.00000002.3372784799.0000000005452000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.setrala.xyz/woe3/
                Source: PresentationHost.exe, 0000000E.00000002.3377050709.00000000081CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
                Source: PresentationHost.exe, 0000000E.00000002.3377050709.00000000081CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: PresentationHost.exe, 0000000E.00000002.3373669212.0000000005DAA000.00000004.10000000.00040000.00000000.sdmp, H792vWLf9Fx1Mp7TRJ.exe, 0000000F.00000002.3370825596.000000000386A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
                Source: PresentationHost.exe, 0000000E.00000002.3377050709.00000000081CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: PresentationHost.exe, 0000000E.00000002.3377050709.00000000081CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: PresentationHost.exe, 0000000E.00000002.3377050709.00000000081CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/?q=
                Source: PresentationHost.exe, 0000000E.00000002.3377050709.00000000081CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: PresentationHost.exe, 0000000E.00000002.3377050709.00000000081CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
                Source: PresentationHost.exe, 0000000E.00000002.3373669212.00000000068A8000.00000004.10000000.00040000.00000000.sdmp, H792vWLf9Fx1Mp7TRJ.exe, 0000000F.00000002.3370825596.0000000004368000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://error.skycloud.tw/system/error?code=400
                Source: edb.log.6.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
                Source: svchost.exe, 00000006.00000003.1204257794.0000029DF8D90000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
                Source: PresentationHost.exe, 0000000E.00000002.3377050709.00000000081CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
                Source: PresentationHost.exe, 0000000E.00000002.3369398408.00000000031F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.co
                Source: PresentationHost.exe, 0000000E.00000002.3369398408.00000000031F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: PresentationHost.exe, 0000000E.00000002.3369398408.00000000031F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: PresentationHost.exe, 0000000E.00000002.3369398408.00000000031F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: PresentationHost.exe, 0000000E.00000002.3369398408.00000000031F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033t
                Source: PresentationHost.exe, 0000000E.00000002.3369398408.00000000031F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: PresentationHost.exe, 0000000E.00000002.3369398408.00000000031F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: qmgr.db.6.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
                Source: URGENT REQUEST FOR QUOTATION.exe | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                Source: PresentationHost.exe, 0000000E.00000002.3377050709.00000000081CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
                Source: PresentationHost.exe, 0000000E.00000002.3373669212.0000000006584000.00000004.10000000.00040000.00000000.sdmp, PresentationHost.exe, 0000000E.00000002.3376879702.0000000007EE0000.00000004.00000800.00020000.00000000.sdmp, H792vWLf9Fx1Mp7TRJ.exe, 0000000F.00000002.3370825596.0000000004044000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
                Source: PresentationHost.exe, 0000000E.00000002.3377050709.00000000081CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp

                E-Banking Fraud

                Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000002.1373353315.0000000001050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.1372904719.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.3372784799.0000000005400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.3370961609.0000000002C90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.1374655242.00000000014F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: initial sample | Static PE information: Filename: URGENT REQUEST FOR QUOTATION.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0042CE83 NtClose, | 4_2_0042CE83
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112B60 NtClose,LdrInitializeThunk, | 4_2_01112B60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112DF0 NtQuerySystemInformation,LdrInitializeThunk, | 4_2_01112DF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112C70 NtFreeVirtualMemory,LdrInitializeThunk, | 4_2_01112C70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_011135C0 NtCreateMutant,LdrInitializeThunk, | 4_2_011135C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01114340 NtSetContextThread, | 4_2_01114340
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01114650 NtSuspendThread, | 4_2_01114650
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112B80 NtQueryInformationFile, | 4_2_01112B80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112BA0 NtEnumerateValueKey, | 4_2_01112BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112BF0 NtAllocateVirtualMemory, | 4_2_01112BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112BE0 NtQueryValueKey, | 4_2_01112BE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112AB0 NtWaitForSingleObject, | 4_2_01112AB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112AD0 NtReadFile, | 4_2_01112AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112AF0 NtWriteFile, | 4_2_01112AF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112D10 NtMapViewOfSection, | 4_2_01112D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112D00 NtSetInformationFile, | 4_2_01112D00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112D30 NtUnmapViewOfSection, | 4_2_01112D30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112DB0 NtEnumerateKey, | 4_2_01112DB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112DD0 NtDelayExecution, | 4_2_01112DD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112C00 NtQueryInformationProcess, | 4_2_01112C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112C60 NtCreateKey, | 4_2_01112C60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112CA0 NtQueryInformationToken, | 4_2_01112CA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112CC0 NtQueryVirtualMemory, | 4_2_01112CC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112CF0 NtOpenProcess, | 4_2_01112CF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112F30 NtCreateSection, | 4_2_01112F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112F60 NtCreateProcessEx, | 4_2_01112F60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112F90 NtProtectVirtualMemory, | 4_2_01112F90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112FB0 NtResumeThread, | 4_2_01112FB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112FA0 NtQuerySection, | 4_2_01112FA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112FE0 NtCreateFile, | 4_2_01112FE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112E30 NtWriteVirtualMemory, | 4_2_01112E30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112E80 NtReadVirtualMemory, | 4_2_01112E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112EA0 NtAdjustPrivilegesToken, | 4_2_01112EA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01112EE0 NtQueueApcThread, | 4_2_01112EE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01113010 NtOpenDirectoryObject, | 4_2_01113010
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01113090 NtSetValueKey, | 4_2_01113090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_011139B0 NtGetContextThread, | 4_2_011139B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01113D10 NtOpenProcessToken, | 4_2_01113D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01113D70 NtOpenThread, | 4_2_01113D70
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 0_2_028B3E400_2_028B3E40
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 0_2_028BD6FC0_2_028BD6FC
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 0_2_06BC9A300_2_06BC9A30
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 0_2_06BC153F0_2_06BC153F
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 0_2_06BC35600_2_06BC3560
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 0_2_06BC35500_2_06BC3550
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 0_2_06BC2C380_2_06BC2C38
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 0_2_06BC39980_2_06BC3998
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 0_2_06BC19980_2_06BC1998
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 0_2_06BC39890_2_06BC3989
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 0_2_083600400_2_08360040
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 0_2_083634F80_2_083634F8
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 0_2_0836FB690_2_0836FB69
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 0_2_083653100_2_08365310
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 0_2_083634E90_2_083634E9
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeCode function: 0_2_083665180_2_08366518
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_00418D534_2_00418D53
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0040E8034_2_0040E803
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_004011204_2_00401120
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0040421E4_2_0040421E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0042F4634_2_0042F463
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_004024204_2_00402420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_004104B34_2_004104B3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_004026C04_2_004026C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_004106D34_2_004106D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_004026F94_2_004026F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_00402EB04_2_00402EB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0040E6B34_2_0040E6B3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_00416F504_2_00416F50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_00416F534_2_00416F53
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0040E7F94_2_0040E7F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D01004_2_010D0100
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0117A1184_2_0117A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011681584_2_01168158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011A01AA4_2_011A01AA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011981CC4_2_011981CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011720004_2_01172000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0119A3524_2_0119A352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011A03E64_2_011A03E6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010EE3F04_2_010EE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011802744_2_01180274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011602C04_2_011602C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E05354_2_010E0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011A05914_2_011A0591
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011924464_2_01192446
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0118E4F64_2_0118E4F6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011047504_2_01104750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E07704_2_010E0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010DC7C04_2_010DC7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010FC6E04_2_010FC6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010F69624_2_010F6962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E29A04_2_010E29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011AA9A64_2_011AA9A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E28404_2_010E2840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010EA8404_2_010EA840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010C68B84_2_010C68B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0110E8F04_2_0110E8F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0119AB404_2_0119AB40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01196BD74_2_01196BD7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010DEA804_2_010DEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010EAD004_2_010EAD00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010F8DBF4_2_010F8DBF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010DADE04_2_010DADE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E0C004_2_010E0C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01180CB54_2_01180CB5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D0CF24_2_010D0CF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01100F304_2_01100F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01122F284_2_01122F28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01154F404_2_01154F40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0115EFA04_2_0115EFA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D2FC84_2_010D2FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010ECFE04_2_010ECFE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0119EE264_2_0119EE26
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E0E594_2_010E0E59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0119CE934_2_0119CE93
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010F2E904_2_010F2E90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0119EEDB4_2_0119EEDB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011AB16B4_2_011AB16B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0111516C4_2_0111516C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010CF1724_2_010CF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010EB1B04_2_010EB1B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E70C04_2_010E70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0118F0CC4_2_0118F0CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011970E94_2_011970E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0119F0E04_2_0119F0E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0119132D4_2_0119132D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010CD34C4_2_010CD34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0112739A4_2_0112739A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E52A04_2_010E52A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010FB2C04_2_010FB2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011812ED4_2_011812ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01197571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0117D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0119F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0119F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_011916CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01175910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010FB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0114D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0119FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010FFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01155BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0111DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0119FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01197A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01153A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01125AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0117DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0118DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01191D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01197D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010FFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01159C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0119FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0119FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0119FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E9EB0
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F765D0
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F765B2
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F20535
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F3C6E0
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F20770
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F44750
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F66000
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F10100
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04FA02C0
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F2E3F0
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F10CF2
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F20C00
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F28DC0
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F38DBF
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F2ED7A
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F2AD00
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F32ED9
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F20E59
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F12FC8
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F9EFA0
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F94F40
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F40F30
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F62F28
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F128F0
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F068F1
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F4E8F0
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F58890
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F2A840
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F36962
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F1EA80
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F22A45
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F674E0
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F23497
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F2B730
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F2B1B0
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F0F172
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F5516C
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F3D2F0
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F252A0
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F233F3
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F99C32
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F39C20
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F3FDC0
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F23D40
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F29EB0
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F21F92
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F238E0
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F8D800
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F259DA
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F11979
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F29950
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F3B950
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F93A6C
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F95BF0
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F5DBF9
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_04F3FB80
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_02DA2510
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_02D9D340
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_02D9D337
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: 14_2_02D9D560
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe Code function: 15_2_0542E562
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe Code function: 15_2_0540F5B2
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe Code function: 15_2_0540F7D2
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe Code function: 15_2_05414782
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe Code function: 15_2_0540D7B2
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe Code function: 15_2_05417E52
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe Code function: 15_2_0540D902
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe Code function: 15_2_0541604F
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe Code function: 15_2_05416052
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe Code function: 15_2_0540D8F8
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe Code function: 15_2_0540331D
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 16_2_00000200740FA2A7
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 16_2_00000200740FA75C
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 16_2_00000200740FA3C4
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 16_2_00000200740F9828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 010CB970 appears 275 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 01127E54 appears 100 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0114EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0115F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 01115130 appears 57 times
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: String function: 04F67E54 appears 97 times
Source: C:\Windows\SysWOW64\PresentationHost.exe Code function: String function: 04F8EA12 appears 37 times
Source: URGENT REQUEST FOR QUOTATION.exe Static PE information: invalid certificate
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000002.998995023.0000000002944000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTL.dll" vs URGENT REQUEST FOR QUOTATION.exe
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000002.1013055915.0000000006EB0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs URGENT REQUEST FOR QUOTATION.exe
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000002.1008152362.00000000051E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTL.dll" vs URGENT REQUEST FOR QUOTATION.exe
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000002.1015454791.00000000083FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs URGENT REQUEST FOR QUOTATION.exe
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000002.1015454791.00000000083FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.EXEj% vs URGENT REQUEST FOR QUOTATION.exe
Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000002.998166623.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs URGENT REQUEST FOR QUOTATION.exe
Source: URGENT REQUEST FOR QUOTATION.exe Binary or memory string: OriginalFilenamekQZo.exe. vs URGENT REQUEST FOR QUOTATION.exe
Source: URGENT REQUEST FOR QUOTATION.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: URGENT REQUEST FOR QUOTATION.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, NBTWliVixP5LrfaYVa.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, NBTWliVixP5LrfaYVa.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, NBTWliVixP5LrfaYVa.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, EBDIbTw4pY7I2rxOyU.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, EBDIbTw4pY7I2rxOyU.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@13/10@16/11
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\URGENT REQUEST FOR QUOTATION.exe.log
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6320:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vr1kqarn.suh.ps1
Source: URGENT REQUEST FOR QUOTATION.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: URGENT REQUEST FOR QUOTATION.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PresentationHost.exe, 0000000E.00000002.3369398408.000000000325D000.00000004.00000020.00020000.00000000.sdmp, PresentationHost.exe, 0000000E.00000002.3369398408.0000000003252000.00000004.00000020.00020000.00000000.sdmp, PresentationHost.exe, 0000000E.00000002.3369398408.0000000003280000.00000004.00000020.00020000.00000000.sdmp, PresentationHost.exe, 0000000E.00000002.3369398408.000000000322F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: URGENT REQUEST FOR QUOTATION.exe Virustotal: Detection: 58%
Source: URGENT REQUEST FOR QUOTATION.exe ReversingLabs: Detection: 57%
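The `CREATE TABLE password_notes ...` text found in PresentationHost.exe memory is the schema of a Chromium-based browser's `Login Data` SQLite file; a system binary holding that string is what backs the report's verdict that the injected code reads browser credential stores. SQLite keeps the original `CREATE` statement text verbatim in `sqlite_master` on page 1 of the file, so merely opening the database pages the schema into the reader's address space. The Python below is an added example, not Joe Sandbox or FormBook code: it builds a constructed `Login Data` file with that schema (no real credentials), reads the raw bytes the way a memory dump would show them, and classifies the buffer against a small set of credential-store fragments. The `logins` table columns, the Firefox `logins.json` and `key4.db` fragments and the helper names are assumptions drawn from those file formats, not from the report.

```python
"""Show why a Chromium Login Data schema string ends up in process memory,
and classify a memory buffer by credential-store fragments.
Added example; not Joe Sandbox or FormBook code."""
from __future__ import annotations

import os
import sqlite3
import tempfile

# DDL matching the string observed in PresentationHost.exe memory, plus a
# minimal parent table (assumed columns) so the REFERENCES clause has a target.
CHROMIUM_LOGIN_DDL = [
    "CREATE TABLE logins (id INTEGER PRIMARY KEY AUTOINCREMENT, origin_url VARCHAR NOT NULL, "
    "username_value VARCHAR, password_value BLOB)",
    "CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL "
    "REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR "
    "NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key))",
]

# Fragments that identify a credential store. The Chromium ones come from the
# report; the Firefox ones are assumptions based on those file formats.
STORE_INDICATORS = {
    "chromium_login_data": [b"CREATE TABLE logins (", b"CREATE TABLE password_notes ("],
    "firefox_logins_json": [b'"encryptedUsername"', b'"encryptedPassword"'],
    "firefox_key4_db": [b"CREATE TABLE nssPrivate", b"CREATE TABLE metaData"],
}


def build_login_data_db(path: str) -> None:
    """Write a constructed Login Data file with the schema above (no real secrets)."""
    con = sqlite3.connect(path)
    with con:
        for ddl in CHROMIUM_LOGIN_DDL:
            con.execute(ddl)
        con.execute(
            "INSERT INTO logins (origin_url, username_value, password_value) VALUES (?, ?, ?)",
            ("https://example.test/login", "user", b"v10\x00constructed-blob"),
        )
    con.close()


def credential_store_indicators(buf: bytes) -> dict[str, list[str]]:
    """Return {store: [matched fragments]} for stores whose fragments all occur in buf."""
    found: dict[str, list[str]] = {}
    for store, needles in STORE_INDICATORS.items():
        matched = [n.decode() for n in needles if n in buf]
        if len(matched) == len(needles):
            found[store] = matched
    return found


def scan_constructed_store() -> dict[str, list[str]]:
    """Build the database, read its raw bytes as a dump would show them, classify."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_login_data_db(path)
        with open(path, "rb") as f:
            raw = f.read()
    finally:
        os.unlink(path)
    return credential_store_indicators(raw)


if __name__ == "__main__":
    print(scan_constructed_store())
```

The same classifier can be pointed at a process memory dump (`.sdmp` in the report's naming) to decide which stores a hollowed host process touched; requiring every fragment of a store to be present keeps a single generic `CREATE TABLE` from matching.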
Source: unknown Process created: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe "C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe"
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe"
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe Process created: C:\Windows\SysWOW64\PresentationHost.exe "C:\Windows\SysWOW64\PresentationHost.exe"
Source: C:\Windows\SysWOW64\PresentationHost.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe"
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe Process created: C:\Windows\SysWOW64\PresentationHost.exe "C:\Windows\SysWOW64\PresentationHost.exe"
Source: C:\Windows\SysWOW64\PresentationHost.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
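The process-creation lines above carry the whole chain in four relationships that are each individually unusual: the user-run .NET executable spawns PowerShell to add a Defender exclusion for its own path, the same executable starts RegSvcs.exe with no assembly argument (the hollowing pattern behind the "injects a PE file into a foreign process" and "creates a process in suspended mode" signatures), PresentationHost.exe is started with no arguments by an executable in a random-named directory under Program Files (x86), and PresentationHost.exe then launches Firefox. The Python below is an added example, not Joe Sandbox or FormBook code: four rules evaluated over constructed Sysmon-style process-creation events copied from these lines, plus one benign control event. The field names, the list of .NET host binaries, and the set of parents from which a browser is expected to start are assumptions.

```python
"""Detect the process-chain pattern from the report over constructed
process-creation events (Sysmon Event ID 1 style fields).
Added example; not Joe Sandbox or FormBook code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# .NET Framework tools that are routinely used as hollowing hosts (assumed list).
# Any of them starting without an assembly argument deserves a look.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
# Parents from which a browser start is unremarkable (assumed).
BROWSER_PARENTS = {"explorer.exe", "userinit.exe"} | BROWSERS
EXCLUSION_RE = re.compile(r"\bAdd-MpPreference\b.*?-Exclusion(Path|Process|Extension)", re.I)


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def split_cmdline(cmd: str) -> tuple[str, str]:
    """Return (program, arguments), honouring a leading quoted program path."""
    cmd = cmd.strip()
    m = re.match(r'"([^"]*)"\s*(.*)', cmd) or re.match(r"(\S+)\s*(.*)", cmd)
    return (m.group(1), m.group(2).strip()) if m else (cmd, "")


def under_windows(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def evaluate(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event trips."""
    hits: list[str] = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    _, args = split_cmdline(ev.command_line)
    if img == "powershell.exe" and EXCLUSION_RE.search(ev.command_line):
        hits.append("defender_exclusion_added")
    if img in DOTNET_HOSTS and not args and not under_windows(ev.parent_image):
        hits.append("dotnet_host_started_without_assembly")
    if img == "presentationhost.exe" and not args and not under_windows(ev.parent_image):
        hits.append("presentationhost_from_non_system_parent")
    if img in BROWSERS and parent not in BROWSER_PARENTS:
        hits.append("browser_spawned_by_unexpected_parent")
    return hits


def triage(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Map each fired rule to the command lines that fired it."""
    out: dict[str, list[str]] = {}
    for ev in events:
        for rule in evaluate(ev):
            out.setdefault(rule, []).append(ev.command_line)
    return out


# Constructed events mirroring the chain in the report; the last one is a benign control.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe", r"C:\Windows\explorer.exe",
              r'"C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe"'),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r"C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\PresentationHost.exe",
              r"C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe",
              r'"C:\Windows\SysWOW64\PresentationHost.exe"'),
    ProcEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe", r"C:\Windows\SysWOW64\PresentationHost.exe",
              r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
    ProcEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe", r"C:\Windows\explorer.exe",
              r'"C:\Program Files\Mozilla Firefox\firefox.exe"'),
]

if __name__ == "__main__":
    for rule, cmds in triage(SAMPLE_EVENTS).items():
        print(rule)
        for c in cmds:
            print("   ", c)
```

Each rule on its own is noisy in a real estate (developers do run MSBuild.exe, and XBAP deployments do start PresentationHost.exe), so the useful signal is several of them firing within one process tree in a short window; the `Add-MpPreference` rule is the one worth alerting on alone, since an unprivileged user has no legitimate reason to exclude a file on their own desktop.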
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: ieframe.dllJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: netapi32.dllJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: mlang.dllJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: winsqlite3.dllJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: vaultcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
                Source: URGENT REQUEST FOR QUOTATION.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: URGENT REQUEST FOR QUOTATION.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: URGENT REQUEST FOR QUOTATION.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: PresentationHost.pdbGCTL source: H792vWLf9Fx1Mp7TRJ.exe, 0000000D.00000003.1318998743.0000000001114000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: RegSvcs.pdb, source: PresentationHost.exe, 0000000E.00000002.3373669212.000000000550C000.00000004.10000000.00040000.00000000.sdmp, PresentationHost.exe, 0000000E.00000002.3369398408.00000000031DE000.00000004.00000020.00020000.00000000.sdmp, H792vWLf9Fx1Mp7TRJ.exe, 0000000F.00000000.1449460739.0000000002FCC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.1665018757.00000000342EC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000004.00000002.1373459199.00000000010A0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000004.00000002.1373459199.00000000010A0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: PresentationHost.pdb source: H792vWLf9Fx1Mp7TRJ.exe, 0000000D.00000003.1318998743.0000000001114000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: RegSvcs.pdb source: PresentationHost.exe, 0000000E.00000002.3373669212.000000000550C000.00000004.10000000.00040000.00000000.sdmp, PresentationHost.exe, 0000000E.00000002.3369398408.00000000031DE000.00000004.00000020.00020000.00000000.sdmp, H792vWLf9Fx1Mp7TRJ.exe, 0000000F.00000000.1449460739.0000000002FCC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.1665018757.00000000342EC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: H792vWLf9Fx1Mp7TRJ.exe, 0000000D.00000002.3368633324.000000000030F000.00000002.00000001.01000000.0000000E.sdmp, H792vWLf9Fx1Mp7TRJ.exe, 0000000F.00000000.1448551228.000000000030F000.00000002.00000001.01000000.0000000E.sdmp

                Data Obfuscation

Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, NBTWliVixP5LrfaYVa.cs | .Net Code: iHeICQhhhl System.Reflection.Assembly.Load(byte[])
Source: URGENT REQUEST FOR QUOTATION.exe | Static PE information: 0x8D7CCA0E [Wed Mar 22 03:20:46 2045 UTC]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00418871 push eax; iretd 4_2_00418872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0041F834 push ss; iretd 4_2_0041F835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_004120A7 push 3563E107h; iretd 4_2_004120AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0040216F push ss; iretd 4_2_00402170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00403170 push eax; ret 4_2_00403172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0040D1AD push es; iretd 4_2_0040D1C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00413A53 push ebx; iretd 4_2_00413A5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00401A1E push ss; iretd 4_2_00401A51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_004082C5 push edi; iretd 4_2_004082C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00401AE8 push ss; retf 4_2_00401AEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00401A86 push ss; iretd 4_2_00401A51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00414B20 push 6BF5C304h; retf 4_2_00414B3E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00401576 push ss; iretd 4_2_0040158F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0040166C push ss; retf 4_2_00401672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_004017E6 push ss; iretd 4_2_004017EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_004197AC push 00000037h; retf 4_2_004197E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_010D09AD push ecx; mov dword ptr [esp], ecx 4_2_010D09B6
Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 14_2_04F109AD push ecx; mov dword ptr [esp], ecx 14_2_04F109B6
Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 14_2_04F67E99 push ecx; ret 14_2_04F67EAC
Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 14_2_04EE1FEC push eax; iretd 14_2_04EE1FED
Source: C:\Windows\SysWOW64\PresentationHost.exe | Code function: 14_2_02D9EF34 push 3563E107h; iretd 14_2_02D9EF39
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe | Code function: 15_2_05413C1F push 6BF5C304h; retf 15_2_05413C3D
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe | Code function: 15_2_05412F92 push ds; iretd 15_2_05413007
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe | Code function: 15_2_054111A6 push 3563E107h; iretd 15_2_054111AB
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe | Code function: 15_2_05400002 push ss; retf 15_2_0540000D
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe | Code function: 15_2_0540902A push edx; retf 15_2_0540902D
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe | Code function: 15_2_05409090 push esp; ret 15_2_05409092
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe | Code function: 15_2_054188AF push 00000037h; retf 15_2_054188DF
Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe | Code function: 15_2_0540735B pushad ; iretd 15_2_05407365
Source: URGENT REQUEST FOR QUOTATION.exe | Static PE information: section name: .text entropy: 7.89484752571861
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, zvN87Kt09WDLmfTb9p.cs | High entropy of concatenated method names: 'eqfY8A5bF7', 'PoCYOHKgOK', 'FiSYC0O5WA', 'gwHYemK0ET', 'OqCYj4OoF9', 'd1hYDVPlnw', 'DEpYrZUuNh', 'DtxYwSnlC1', 'YobY1r1UcK', 'zusYSFxYFu'
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, EBDIbTw4pY7I2rxOyU.cs | High entropy of concatenated method names: 'VXRaqtYpqR', 'W1EacTmYoA', 'URxad7JHeY', 'DbMapiC2Ji', 'kdUavaJ0ce', 'EfvamhqJtv', 'tW1aAx0QUA', 'nfiaRbJEXm', 'li0aTSFtRk', 'xW5a6xLcFd'
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, AKnucSSMLnnp9Lmdx4.cs | High entropy of concatenated method names: 'd3x5jTAHcE', 'GDv5rJ61Mg', 'fbcXy5a0ha', 'B88X7wedeb', 'oBAXGTCcV4', 'iZBX053Ept', 'Cb7XiKhlit', 'piVXs3vAZ0', 'vswXtOdZa1', 'VWIXuHyVVs'
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, jGmtiBAXhkdTpPB4AY.cs | High entropy of concatenated method names: 'pv6FgFyNjd', 'fIsFlxf0i2', 'AnNFFMWanN', 'B3iF2D5hiG', 'wO9FEMZsww', 'ynQFxJrhov', 'Dispose', 'L3VKf7BNAI', 'ydfKa6eBIN', 'DqAKXdGylY'
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, LZ1dCTiSrQyVD57FXb.cs | High entropy of concatenated method names: 'fdfYf8UBOm', 'xIvYXpymaX', 'L6BYkT0iTQ', 'ebsk6x3YrB', 'QBwkzG8PMb', 'wt9YbopfQg', 'ytxY4hGBhp', 'vOcYo2XreN', 'Ct1YUiCrtF', 'fBJYIdPulm'
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, lSa3Q2asufZCLbHKWn.cs | High entropy of concatenated method names: 'Dispose', 'jdT4TpPB4A', 'bpyoZN0TjW', 'z5IQ7EPDbs', 'jbt46MdJZg', 'OVq4z9lT1B', 'ProcessDialogKey', 'T2oobQZieX', 'coGo4UHrKS', 'ULuooNxCBh'
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, lrA8ZPJYjaUrDe01qC.cs | High entropy of concatenated method names: 'CxMkNDfhL2', 'YW5kaZN35l', 'Lnxk58UfAV', 'OcPkYc0Lrp', 'SjbkVkgQKI', 'O3L5vHlQga', 'MFC5mC2kkj', 'ufV5AriRLM', 'I0c5Rkuge8', 'GHa5Tj94Qo'
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, NBTWliVixP5LrfaYVa.cs | High entropy of concatenated method names: 'ajQUNRvQYw', 'vbJUfSFGrK', 'vGeUavJsCK', 'R7oUX89SZU', 'hLgU5kHNH3', 'H32UkJA7MF', 'hgCUYRDDxY', 'vSOUVkS2XN', 'LenUHMONKh', 'otKUhIAVGg'
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, bQZieXTUoGUHrKSmLu.cs | High entropy of concatenated method names: 'JJJFJLAcXE', 'vFEFZSaVZJ', 'aIKFyIKDHe', 'wh1F7k4d6N', 'dtHFGCseYO', 'NT5F0hgtfB', 'JGFFihQDHY', 'jo9FsYnIfs', 'JVqFtoE8lV', 'SVIFuWpp9M'
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, LP8qy8Ipmakp2orFrc.cs | High entropy of concatenated method names: 'C714YBDIbT', 'bpY4V7I2rx', 'Om84hFEKE2', 'sAP4WSjKnu', 'Qmd4gx4HrA', 'yZP4QYjaUr', 'lLftsNVGCwEwnggLvM', 'C9dZLQZ0ZX2aX6x9wX', 'rRa44u6iso', 'wCS4UBKvEn'
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, wUFGvqpadXLyYtXa07.cs | High entropy of concatenated method names: 'th2lhnWul4', 'CpclWybwK5', 'ToString', 'E54lfM2yLQ', 'awulaqKr4M', 'bVglXsro0k', 'Ubml5WZ0U5', 'DewlkYeUJB', 'zDVlY3Zn1w', 'FfIlV2xa5E'
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, D3f0Xd44x8lhhxOKAHQ.cs | High entropy of concatenated method names: 'KsX96ekwJp', 'tbD9zQJYe1', 'Ord2bXYFaH', 'Atj249uVYO', 'sKn2o8sbXb', 'Xcm2UaFxmx', 'Oda2IycaHN', 'eZj2NNWWeS', 'A432fqgZZq', 'hLT2aMhnkC'
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, ecKDkvolKskuJkYfZx.cs | High entropy of concatenated method names: 'f6bCIlAdK', 'Pu7eCtSFo', 'PnkDAX2T1', 'exZrmSahX', 'yuO1bUdip', 'z07SkOQQJ', 'NL4tQshUGCJHq1PTWV', 'Qqr0UaqjvQT113S1wW', 'id5KrGCYy', 'om79NlWP3'
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, C8rJXB1m8FEKE2FAPS.cs | High entropy of concatenated method names: 'YyhXe90Bh6', 'guuXD9JA7j', 'MpZXwFBGZN', 'q3UX1Tgl9j', 'paqXg76qbI', 'GkGXQ3SMxP', 'aqyXlxNLx1', 'tmbXKxsSjF', 'NQ7XFEsXSp', 'rsZX9qdcak'
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, S5u7PHqfKxdChB8hT1.cs | High entropy of concatenated method names: 'UiRguXtcmK', 'yWngPSiNE5', 'fWMgqfyPwu', 'JcTgcrpCuW', 'GWTgZNFN2i', 'bMigyVgxXt', 'Gw1g7Ograe', 'MyCgG65n2h', 'UlIg0C0o5L', 'sDjgiesKL3'
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, exCBhN6lAkGPsDEKit.cs | High entropy of concatenated method names: 'gvZ9XH0N29', 'E7Y95B37Ie', 'ziu9k29pYQ', 'B949YOOAVO', 'tbC9FhkA5u', 'lsv9Vpc4cX', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, LbasNM4bYoATQ68vVYf.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'n619BSYrso', 'syQ9P219cE', 'ijP9L17tWp', 'LHG9qGq1Vb', 'WFA9cfskAM', 'laX9d4Ogub', 'zSe9pk0MZb'
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, Wxuhy64IpH8pef2SR6Y.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'i173FIQZgo', 's0k39GGNgn', 'N4Y32hC8h3', 'saw33QqB2C', 'xvX3E5CmqM', 'CgK3nIsS1s', 'IGb3xpfGuU'
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, jcZUsgXLv6qVqH8AmD.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'eNQoTSkiPZ', 'KuAo6jGvXE', 'L5gozAHXLl', 'FIuUbMKa00', 'v2MU4jqQpx', 'emOUoxmJNr', 'O8JUUs3NSF', 'qAvZYMoRFh0JhSaViLF'
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, ammuoQ4U6pVCANNEsx0.cs | High entropy of concatenated method names: 'JkS26Qx2Ur', 's1D2zcJyCX', 'bxs3bEIIZp', 'Dbus73RugE88mycFcQp', 'chZ14eRGiWDOxhAM4mN', 'awET9xRVCFkuY1w3UaS', 'dco5PfRZUOqOacnnWOb'
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, UEM3NsztOoABrM4VII.cs | High entropy of concatenated method names: 'B7H9DHGNv4', 'pA89wOHEJv', 'wMs91CuWoc', 'KDx9JSZnwg', 'Dqd9ZYBXH7', 'rvt97hyEQV', 'qPf9Grotn4', 'UD19xso2Xd', 'yf998RUH1I', 'yVp9Ov8vEm'
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, zpgQiOmYGoACbSgC01.cs | High entropy of concatenated method names: 'HRQlRs7n5p', 'uX1l6VQOma', 'WA1KbrjIFt', 'i3FK41ODbi', 'aSBlBrYAtH', 'L2ClPcBhyy', 'JQrlL9Itn2', 'vUVlqmX3wg', 'SALlcYiSll', 'taQld3Sj4I'
Source: 0.2.URGENT REQUEST FOR QUOTATION.exe.6eb0000.5.raw.unpack, LIhflyLyObfy55mLim.cs | High entropy of concatenated method names: 'oSYMwWOcHX', 'zlOM10HNjk', 'mTuMJrg59f', 'c4HMZoxGYk', 'KJKM7oQ4Om', 'mnqMGWFRB6', 'iWmMiIU6rj', 'n08Ms8tZgu', 'hPKMuRL6lN', 's3pMBDdbav'

                Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\PresentationHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match File source: Process Memory Space: URGENT REQUEST FOR QUOTATION.exe PID: 7092, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\PresentationHost.exe API/Special instruction interceptor: Address: 7FFC1B60D324
                Source: C:\Windows\SysWOW64\PresentationHost.exe API/Special instruction interceptor: Address: 7FFC1B60D7E4
                Source: C:\Windows\SysWOW64\PresentationHost.exe API/Special instruction interceptor: Address: 7FFC1B60D944
                Source: C:\Windows\SysWOW64\PresentationHost.exe API/Special instruction interceptor: Address: 7FFC1B60D504
                Source: C:\Windows\SysWOW64\PresentationHost.exe API/Special instruction interceptor: Address: 7FFC1B60D544
                Source: C:\Windows\SysWOW64\PresentationHost.exe API/Special instruction interceptor: Address: 7FFC1B60D1E4
                Source: C:\Windows\SysWOW64\PresentationHost.exe API/Special instruction interceptor: Address: 7FFC1B610154
                Source: C:\Windows\SysWOW64\PresentationHost.exe API/Special instruction interceptor: Address: 7FFC1B60DA44
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Memory allocated: F30000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Memory allocated: 28E0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Memory allocated: 2700000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Memory allocated: 85F0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Memory allocated: 95F0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Memory allocated: 97E0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Memory allocated: A7E0000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0111096E rdtsc 4_2_0111096E
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4173
                Source: C:\Windows\SysWOW64\PresentationHost.exe Window / User API: threadDelayed 984
                Source: C:\Windows\SysWOW64\PresentationHost.exe Window / User API: threadDelayed 8986
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\PresentationHost.exe API coverage: 2.2 %
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe TID: 7112 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6608 Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6568 Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 6072 Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\SysWOW64\PresentationHost.exe TID: 4544 Thread sleep count: 984 > 30
                Source: C:\Windows\SysWOW64\PresentationHost.exe TID: 4544 Thread sleep time: -1968000s >= -30000s
                Source: C:\Windows\SysWOW64\PresentationHost.exe TID: 4544 Thread sleep count: 8986 > 30
                Source: C:\Windows\SysWOW64\PresentationHost.exe TID: 4544 Thread sleep time: -17972000s >= -30000s
                Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe TID: 5804 Thread sleep time: -70000s >= -30000s
                Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe TID: 5804 Thread sleep count: 34 > 30
                Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe TID: 5804 Thread sleep time: -51000s >= -30000s
                Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe TID: 5804 Thread sleep count: 39 > 30
                Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe TID: 5804 Thread sleep time: -39000s >= -30000s
                Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                Source: C:\Windows\SysWOW64\PresentationHost.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\PresentationHost.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: PresentationHost.exe, 0000000E.00000002.3377050709.000000000822D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: omVMwareV
                Source: PresentationHost.exe, 0000000E.00000002.3377050709.000000000822D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20,11696492231n
                Source: 8510T71-3.14.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                Source: 8510T71-3.14.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                Source: 8510T71-3.14.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                Source: PresentationHost.exe, 0000000E.00000002.3377050709.000000000822D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20,1169649
                Source: PresentationHost.exe, 0000000E.00000002.3377050709.000000000822D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20,11696492231t
                Source: 8510T71-3.14.dr Binary or memory string: outlook.office.comVMware20,11696492231s
                Source: 8510T71-3.14.dr Binary or memory string: AMC password management pageVMware20,11696492231
                Source: 8510T71-3.14.dr Binary or memory string: interactivebrokers.comVMware20,11696492231
                Source: 8510T71-3.14.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                Source: svchost.exe, 00000006.00000002.3373465534.0000029DF9058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3370692100.0000029DF382B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: 8510T71-3.14.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                Source: 8510T71-3.14.dr Binary or memory string: outlook.office365.comVMware20,11696492231t
                Source: PresentationHost.exe, 0000000E.00000002.3377050709.000000000822D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .co.inVMware20,11696492231d
                Source: PresentationHost.exe, 0000000E.00000002.3377050709.000000000822D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,116
                Source: 8510T71-3.14.dr Binary or memory string: discord.comVMware20,11696492231f
                Source: firefox.exe, 00000010.00000002.1666346216.000002007434C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllII
                Source: 8510T71-3.14.dr Binary or memory string: global block list test formVMware20,11696492231
                Source: 8510T71-3.14.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                Source: 8510T71-3.14.dr Binary or memory string: bankofamerica.comVMware20,11696492231x
                Source: PresentationHost.exe, 0000000E.00000002.3377050709.000000000822D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20F
                Source: 8510T71-3.14.dr Binary or memory string: tasks.office.comVMware20,11696492231o
                Source: 8510T71-3.14.dr Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                Source: 8510T71-3.14.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                Source: 8510T71-3.14.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                Source: URGENT REQUEST FOR QUOTATION.exe, 00000000.00000002.1014757554.0000000008390000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}p
                Source: 8510T71-3.14.dr Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                Source: 8510T71-3.14.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                Source: 8510T71-3.14.dr Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
                Source: 8510T71-3.14.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                Source: 8510T71-3.14.dr Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                Source: 8510T71-3.14.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                Source: PresentationHost.exe, 0000000E.00000002.3377050709.000000000822D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,1169649223g
                Source: 8510T71-3.14.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                Source: 8510T71-3.14.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                Source: PresentationHost.exe, 0000000E.00000002.3377050709.000000000822D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: n PasswordVMware20,11696492231x
                Source: 8510T71-3.14.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                Source: PresentationHost.exe, 0000000E.00000002.3369398408.00000000031DE000.00000004.00000020.00020000.00000000.sdmp, H792vWLf9Fx1Mp7TRJ.exe, 0000000F.00000002.3369821001.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 8510T71-3.14.dr Binary or memory string: dev.azure.comVMware20,11696492231j
                Source: 8510T71-3.14.dr Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                Source: 8510T71-3.14.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                Source: PresentationHost.exe, 0000000E.00000002.3377050709.000000000822D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20z
                Source: PresentationHost.exe, 0000000E.00000002.3377050709.000000000822D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rokers - COM.HKVMware20,11696492231
                Source: PresentationHost.exe, 0000000E.00000002.3377050709.000000000822D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20
                Source: 8510T71-3.14.dr Binary or memory string: ms.portal.azure.comVMware20,11696492231
                Source: PresentationHost.exe, 0000000E.00000002.3377050709.000000000822D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ist test formVMware20,11%
                Source: 8510T71-3.14.dr Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\PresentationHost.exe Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0111096E rdtsc 4_2_0111096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00417EE3 LdrLoadDll, 4_2_00417EE3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01190115 mov eax, dword ptr fs:[00000030h] 4_2_01190115
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0117A118 mov ecx, dword ptr fs:[00000030h] 4_2_0117A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0117A118 mov eax, dword ptr fs:[00000030h] 4_2_0117A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0117A118 mov eax, dword ptr fs:[00000030h] 4_2_0117A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0117A118 mov eax, dword ptr fs:[00000030h] 4_2_0117A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01100124 mov eax, dword ptr fs:[00000030h] 4_2_01100124
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01168158 mov eax, dword ptr fs:[00000030h] 4_2_01168158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01164144 mov eax, dword ptr fs:[00000030h] 4_2_01164144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01164144 mov eax, dword ptr fs:[00000030h] 4_2_01164144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01164144 mov ecx, dword ptr fs:[00000030h] 4_2_01164144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01164144 mov eax, dword ptr fs:[00000030h] 4_2_01164144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01164144 mov eax, dword ptr fs:[00000030h] 4_2_01164144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D6154 mov eax, dword ptr fs:[00000030h] 4_2_010D6154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D6154 mov eax, dword ptr fs:[00000030h] 4_2_010D6154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010CC156 mov eax, dword ptr fs:[00000030h] 4_2_010CC156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0115019F mov eax, dword ptr fs:[00000030h] 4_2_0115019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0115019F mov eax, dword ptr fs:[00000030h] 4_2_0115019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0115019F mov eax, dword ptr fs:[00000030h] 4_2_0115019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0115019F mov eax, dword ptr fs:[00000030h] 4_2_0115019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0118C188 mov eax, dword ptr fs:[00000030h] 4_2_0118C188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0118C188 mov eax, dword ptr fs:[00000030h] 4_2_0118C188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01110185 mov eax, dword ptr fs:[00000030h] 4_2_01110185
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01174180 mov eax, dword ptr fs:[00000030h] 4_2_01174180
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01174180 mov eax, dword ptr fs:[00000030h] 4_2_01174180
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010CA197 mov eax, dword ptr fs:[00000030h] 4_2_010CA197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010CA197 mov eax, dword ptr fs:[00000030h] 4_2_010CA197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010CA197 mov eax, dword ptr fs:[00000030h] 4_2_010CA197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0114E1D0 mov eax, dword ptr fs:[00000030h] 4_2_0114E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0114E1D0 mov eax, dword ptr fs:[00000030h] 4_2_0114E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0114E1D0 mov ecx, dword ptr fs:[00000030h] 4_2_0114E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0114E1D0 mov eax, dword ptr fs:[00000030h] 4_2_0114E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0114E1D0 mov eax, dword ptr fs:[00000030h] 4_2_0114E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_011961C3 mov eax, dword ptr fs:[00000030h] 4_2_011961C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_011961C3 mov eax, dword ptr fs:[00000030h] 4_2_011961C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_011001F8 mov eax, dword ptr fs:[00000030h] 4_2_011001F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_011A61E5 mov eax, dword ptr fs:[00000030h] 4_2_011A61E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01154000 mov ecx, dword ptr fs:[00000030h] 4_2_01154000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01172000 mov eax, dword ptr fs:[00000030h] 4_2_01172000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01172000 mov eax, dword ptr fs:[00000030h] 4_2_01172000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01172000 mov eax, dword ptr fs:[00000030h] 4_2_01172000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01172000 mov eax, dword ptr fs:[00000030h] 4_2_01172000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01172000 mov eax, dword ptr fs:[00000030h] 4_2_01172000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01172000 mov eax, dword ptr fs:[00000030h] 4_2_01172000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01172000 mov eax, dword ptr fs:[00000030h] 4_2_01172000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01172000 mov eax, dword ptr fs:[00000030h] 4_2_01172000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010EE016 mov eax, dword ptr fs:[00000030h] 4_2_010EE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010EE016 mov eax, dword ptr fs:[00000030h] 4_2_010EE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010EE016 mov eax, dword ptr fs:[00000030h] 4_2_010EE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010EE016 mov eax, dword ptr fs:[00000030h] 4_2_010EE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01166030 mov eax, dword ptr fs:[00000030h] 4_2_01166030
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010CA020 mov eax, dword ptr fs:[00000030h] 4_2_010CA020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010CC020 mov eax, dword ptr fs:[00000030h] 4_2_010CC020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01156050 mov eax, dword ptr fs:[00000030h]4_2_01156050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D2050 mov eax, dword ptr fs:[00000030h]4_2_010D2050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010FC073 mov eax, dword ptr fs:[00000030h]4_2_010FC073
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D208A mov eax, dword ptr fs:[00000030h]4_2_010D208A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011960B8 mov eax, dword ptr fs:[00000030h]4_2_011960B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011960B8 mov ecx, dword ptr fs:[00000030h]4_2_011960B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011680A8 mov eax, dword ptr fs:[00000030h]4_2_011680A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011520DE mov eax, dword ptr fs:[00000030h]4_2_011520DE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011120F0 mov ecx, dword ptr fs:[00000030h]4_2_011120F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D80E9 mov eax, dword ptr fs:[00000030h]4_2_010D80E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010CA0E3 mov ecx, dword ptr fs:[00000030h]4_2_010CA0E3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011560E0 mov eax, dword ptr fs:[00000030h]4_2_011560E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010CC0F0 mov eax, dword ptr fs:[00000030h]4_2_010CC0F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0110A30B mov eax, dword ptr fs:[00000030h]4_2_0110A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0110A30B mov eax, dword ptr fs:[00000030h]4_2_0110A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0110A30B mov eax, dword ptr fs:[00000030h]4_2_0110A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010CC310 mov ecx, dword ptr fs:[00000030h]4_2_010CC310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010F0310 mov ecx, dword ptr fs:[00000030h]4_2_010F0310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01178350 mov ecx, dword ptr fs:[00000030h]4_2_01178350
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0115035C mov eax, dword ptr fs:[00000030h]4_2_0115035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0115035C mov eax, dword ptr fs:[00000030h]4_2_0115035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0115035C mov eax, dword ptr fs:[00000030h]4_2_0115035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0115035C mov ecx, dword ptr fs:[00000030h]4_2_0115035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0115035C mov eax, dword ptr fs:[00000030h]4_2_0115035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0115035C mov eax, dword ptr fs:[00000030h]4_2_0115035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0119A352 mov eax, dword ptr fs:[00000030h]4_2_0119A352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01152349 mov eax, dword ptr fs:[00000030h]4_2_01152349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01152349 mov eax, dword ptr fs:[00000030h]4_2_01152349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01152349 mov eax, dword ptr fs:[00000030h]4_2_01152349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01152349 mov eax, dword ptr fs:[00000030h]4_2_01152349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01152349 mov eax, dword ptr fs:[00000030h]4_2_01152349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01152349 mov eax, dword ptr fs:[00000030h]4_2_01152349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01152349 mov eax, dword ptr fs:[00000030h]4_2_01152349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01152349 mov eax, dword ptr fs:[00000030h]4_2_01152349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01152349 mov eax, dword ptr fs:[00000030h]4_2_01152349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01152349 mov eax, dword ptr fs:[00000030h]4_2_01152349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01152349 mov eax, dword ptr fs:[00000030h]4_2_01152349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01152349 mov eax, dword ptr fs:[00000030h]4_2_01152349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01152349 mov eax, dword ptr fs:[00000030h]4_2_01152349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01152349 mov eax, dword ptr fs:[00000030h]4_2_01152349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01152349 mov eax, dword ptr fs:[00000030h]4_2_01152349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0117437C mov eax, dword ptr fs:[00000030h]4_2_0117437C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010F438F mov eax, dword ptr fs:[00000030h]4_2_010F438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010F438F mov eax, dword ptr fs:[00000030h]4_2_010F438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010CE388 mov eax, dword ptr fs:[00000030h]4_2_010CE388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010CE388 mov eax, dword ptr fs:[00000030h]4_2_010CE388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010CE388 mov eax, dword ptr fs:[00000030h]4_2_010CE388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010C8397 mov eax, dword ptr fs:[00000030h]4_2_010C8397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010C8397 mov eax, dword ptr fs:[00000030h]4_2_010C8397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010C8397 mov eax, dword ptr fs:[00000030h]4_2_010C8397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011743D4 mov eax, dword ptr fs:[00000030h]4_2_011743D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011743D4 mov eax, dword ptr fs:[00000030h]4_2_011743D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010DA3C0 mov eax, dword ptr fs:[00000030h]4_2_010DA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010DA3C0 mov eax, dword ptr fs:[00000030h]4_2_010DA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010DA3C0 mov eax, dword ptr fs:[00000030h]4_2_010DA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010DA3C0 mov eax, dword ptr fs:[00000030h]4_2_010DA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010DA3C0 mov eax, dword ptr fs:[00000030h]4_2_010DA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010DA3C0 mov eax, dword ptr fs:[00000030h]4_2_010DA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D83C0 mov eax, dword ptr fs:[00000030h]4_2_010D83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D83C0 mov eax, dword ptr fs:[00000030h]4_2_010D83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D83C0 mov eax, dword ptr fs:[00000030h]4_2_010D83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D83C0 mov eax, dword ptr fs:[00000030h]4_2_010D83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0118C3CD mov eax, dword ptr fs:[00000030h]4_2_0118C3CD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011563C0 mov eax, dword ptr fs:[00000030h]4_2_011563C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E03E9 mov eax, dword ptr fs:[00000030h]4_2_010E03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E03E9 mov eax, dword ptr fs:[00000030h]4_2_010E03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E03E9 mov eax, dword ptr fs:[00000030h]4_2_010E03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E03E9 mov eax, dword ptr fs:[00000030h]4_2_010E03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E03E9 mov eax, dword ptr fs:[00000030h]4_2_010E03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E03E9 mov eax, dword ptr fs:[00000030h]4_2_010E03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E03E9 mov eax, dword ptr fs:[00000030h]4_2_010E03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E03E9 mov eax, dword ptr fs:[00000030h]4_2_010E03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011063FF mov eax, dword ptr fs:[00000030h]4_2_011063FF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010EE3F0 mov eax, dword ptr fs:[00000030h]4_2_010EE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010EE3F0 mov eax, dword ptr fs:[00000030h]4_2_010EE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010EE3F0 mov eax, dword ptr fs:[00000030h]4_2_010EE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010C823B mov eax, dword ptr fs:[00000030h]4_2_010C823B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D6259 mov eax, dword ptr fs:[00000030h]4_2_010D6259
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01158243 mov eax, dword ptr fs:[00000030h]4_2_01158243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01158243 mov ecx, dword ptr fs:[00000030h]4_2_01158243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010CA250 mov eax, dword ptr fs:[00000030h]4_2_010CA250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010C826B mov eax, dword ptr fs:[00000030h]4_2_010C826B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01180274 mov eax, dword ptr fs:[00000030h]4_2_01180274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01180274 mov eax, dword ptr fs:[00000030h]4_2_01180274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01180274 mov eax, dword ptr fs:[00000030h]4_2_01180274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01180274 mov eax, dword ptr fs:[00000030h]4_2_01180274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01180274 mov eax, dword ptr fs:[00000030h]4_2_01180274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01180274 mov eax, dword ptr fs:[00000030h]4_2_01180274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01180274 mov eax, dword ptr fs:[00000030h]4_2_01180274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01180274 mov eax, dword ptr fs:[00000030h]4_2_01180274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01180274 mov eax, dword ptr fs:[00000030h]4_2_01180274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01180274 mov eax, dword ptr fs:[00000030h]4_2_01180274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01180274 mov eax, dword ptr fs:[00000030h]4_2_01180274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01180274 mov eax, dword ptr fs:[00000030h]4_2_01180274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D4260 mov eax, dword ptr fs:[00000030h]4_2_010D4260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D4260 mov eax, dword ptr fs:[00000030h]4_2_010D4260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D4260 mov eax, dword ptr fs:[00000030h]4_2_010D4260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0110E284 mov eax, dword ptr fs:[00000030h]4_2_0110E284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0110E284 mov eax, dword ptr fs:[00000030h]4_2_0110E284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01150283 mov eax, dword ptr fs:[00000030h]4_2_01150283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01150283 mov eax, dword ptr fs:[00000030h]4_2_01150283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01150283 mov eax, dword ptr fs:[00000030h]4_2_01150283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E02A0 mov eax, dword ptr fs:[00000030h]4_2_010E02A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E02A0 mov eax, dword ptr fs:[00000030h]4_2_010E02A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011662A0 mov eax, dword ptr fs:[00000030h]4_2_011662A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011662A0 mov ecx, dword ptr fs:[00000030h]4_2_011662A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011662A0 mov eax, dword ptr fs:[00000030h]4_2_011662A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011662A0 mov eax, dword ptr fs:[00000030h]4_2_011662A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011662A0 mov eax, dword ptr fs:[00000030h]4_2_011662A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011662A0 mov eax, dword ptr fs:[00000030h]4_2_011662A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E02E1 mov eax, dword ptr fs:[00000030h]4_2_010E02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E02E1 mov eax, dword ptr fs:[00000030h]4_2_010E02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E02E1 mov eax, dword ptr fs:[00000030h]4_2_010E02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01166500 mov eax, dword ptr fs:[00000030h]4_2_01166500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011A4500 mov eax, dword ptr fs:[00000030h]4_2_011A4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011A4500 mov eax, dword ptr fs:[00000030h]4_2_011A4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011A4500 mov eax, dword ptr fs:[00000030h]4_2_011A4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011A4500 mov eax, dword ptr fs:[00000030h]4_2_011A4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011A4500 mov eax, dword ptr fs:[00000030h]4_2_011A4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011A4500 mov eax, dword ptr fs:[00000030h]4_2_011A4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011A4500 mov eax, dword ptr fs:[00000030h]4_2_011A4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010FE53E mov eax, dword ptr fs:[00000030h]4_2_010FE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010FE53E mov eax, dword ptr fs:[00000030h]4_2_010FE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010FE53E mov eax, dword ptr fs:[00000030h]4_2_010FE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010FE53E mov eax, dword ptr fs:[00000030h]4_2_010FE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010FE53E mov eax, dword ptr fs:[00000030h]4_2_010FE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E0535 mov eax, dword ptr fs:[00000030h]4_2_010E0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E0535 mov eax, dword ptr fs:[00000030h]4_2_010E0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E0535 mov eax, dword ptr fs:[00000030h]4_2_010E0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E0535 mov eax, dword ptr fs:[00000030h]4_2_010E0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E0535 mov eax, dword ptr fs:[00000030h]4_2_010E0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010E0535 mov eax, dword ptr fs:[00000030h]4_2_010E0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D8550 mov eax, dword ptr fs:[00000030h]4_2_010D8550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D8550 mov eax, dword ptr fs:[00000030h]4_2_010D8550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0110656A mov eax, dword ptr fs:[00000030h]4_2_0110656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0110656A mov eax, dword ptr fs:[00000030h]4_2_0110656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0110656A mov eax, dword ptr fs:[00000030h]4_2_0110656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0110E59C mov eax, dword ptr fs:[00000030h]4_2_0110E59C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D2582 mov eax, dword ptr fs:[00000030h]4_2_010D2582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D2582 mov ecx, dword ptr fs:[00000030h]4_2_010D2582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01104588 mov eax, dword ptr fs:[00000030h]4_2_01104588
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011505A7 mov eax, dword ptr fs:[00000030h]4_2_011505A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011505A7 mov eax, dword ptr fs:[00000030h]4_2_011505A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011505A7 mov eax, dword ptr fs:[00000030h]4_2_011505A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010F45B1 mov eax, dword ptr fs:[00000030h]4_2_010F45B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010F45B1 mov eax, dword ptr fs:[00000030h]4_2_010F45B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0110A5D0 mov eax, dword ptr fs:[00000030h]4_2_0110A5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0110A5D0 mov eax, dword ptr fs:[00000030h]4_2_0110A5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D65D0 mov eax, dword ptr fs:[00000030h]4_2_010D65D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0110E5CF mov eax, dword ptr fs:[00000030h]4_2_0110E5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0110E5CF mov eax, dword ptr fs:[00000030h]4_2_0110E5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010FE5E7 mov eax, dword ptr fs:[00000030h]4_2_010FE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010FE5E7 mov eax, dword ptr fs:[00000030h]4_2_010FE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010FE5E7 mov eax, dword ptr fs:[00000030h]4_2_010FE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010FE5E7 mov eax, dword ptr fs:[00000030h]4_2_010FE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010FE5E7 mov eax, dword ptr fs:[00000030h]4_2_010FE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010FE5E7 mov eax, dword ptr fs:[00000030h]4_2_010FE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010FE5E7 mov eax, dword ptr fs:[00000030h]4_2_010FE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010FE5E7 mov eax, dword ptr fs:[00000030h]4_2_010FE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D25E0 mov eax, dword ptr fs:[00000030h]4_2_010D25E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0110C5ED mov eax, dword ptr fs:[00000030h]4_2_0110C5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0110C5ED mov eax, dword ptr fs:[00000030h]4_2_0110C5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01108402 mov eax, dword ptr fs:[00000030h]4_2_01108402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01108402 mov eax, dword ptr fs:[00000030h]4_2_01108402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01108402 mov eax, dword ptr fs:[00000030h]4_2_01108402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0110A430 mov eax, dword ptr fs:[00000030h]4_2_0110A430
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010CC427 mov eax, dword ptr fs:[00000030h]4_2_010CC427
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010CE420 mov eax, dword ptr fs:[00000030h]4_2_010CE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010CE420 mov eax, dword ptr fs:[00000030h]4_2_010CE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010CE420 mov eax, dword ptr fs:[00000030h]4_2_010CE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01156420 mov eax, dword ptr fs:[00000030h]4_2_01156420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01156420 mov eax, dword ptr fs:[00000030h]4_2_01156420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01156420 mov eax, dword ptr fs:[00000030h]4_2_01156420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01156420 mov eax, dword ptr fs:[00000030h]4_2_01156420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01156420 mov eax, dword ptr fs:[00000030h]4_2_01156420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01156420 mov eax, dword ptr fs:[00000030h]4_2_01156420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01156420 mov eax, dword ptr fs:[00000030h]4_2_01156420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010C645D mov eax, dword ptr fs:[00000030h]4_2_010C645D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0110E443 mov eax, dword ptr fs:[00000030h]4_2_0110E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0110E443 mov eax, dword ptr fs:[00000030h]4_2_0110E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0110E443 mov eax, dword ptr fs:[00000030h]4_2_0110E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110E443 mov eax, dword ptr fs:[00000030h] 4_2_0110E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110E443 mov eax, dword ptr fs:[00000030h] 4_2_0110E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110E443 mov eax, dword ptr fs:[00000030h] 4_2_0110E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110E443 mov eax, dword ptr fs:[00000030h] 4_2_0110E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110E443 mov eax, dword ptr fs:[00000030h] 4_2_0110E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010F245A mov eax, dword ptr fs:[00000030h] 4_2_010F245A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0115C460 mov ecx, dword ptr fs:[00000030h] 4_2_0115C460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010FA470 mov eax, dword ptr fs:[00000030h] 4_2_010FA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010FA470 mov eax, dword ptr fs:[00000030h] 4_2_010FA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010FA470 mov eax, dword ptr fs:[00000030h] 4_2_010FA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_011044B0 mov ecx, dword ptr fs:[00000030h] 4_2_011044B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0115A4B0 mov eax, dword ptr fs:[00000030h] 4_2_0115A4B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D64AB mov eax, dword ptr fs:[00000030h] 4_2_010D64AB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D04E5 mov ecx, dword ptr fs:[00000030h] 4_2_010D04E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01100710 mov eax, dword ptr fs:[00000030h] 4_2_01100710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110C700 mov eax, dword ptr fs:[00000030h] 4_2_0110C700
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D0710 mov eax, dword ptr fs:[00000030h] 4_2_010D0710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0114C730 mov eax, dword ptr fs:[00000030h] 4_2_0114C730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110273C mov eax, dword ptr fs:[00000030h] 4_2_0110273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110273C mov ecx, dword ptr fs:[00000030h] 4_2_0110273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110273C mov eax, dword ptr fs:[00000030h] 4_2_0110273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110C720 mov eax, dword ptr fs:[00000030h] 4_2_0110C720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110C720 mov eax, dword ptr fs:[00000030h] 4_2_0110C720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01154755 mov eax, dword ptr fs:[00000030h] 4_2_01154755
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01112750 mov eax, dword ptr fs:[00000030h] 4_2_01112750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01112750 mov eax, dword ptr fs:[00000030h] 4_2_01112750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0115E75D mov eax, dword ptr fs:[00000030h] 4_2_0115E75D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D0750 mov eax, dword ptr fs:[00000030h] 4_2_010D0750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110674D mov esi, dword ptr fs:[00000030h] 4_2_0110674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110674D mov eax, dword ptr fs:[00000030h] 4_2_0110674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110674D mov eax, dword ptr fs:[00000030h] 4_2_0110674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D8770 mov eax, dword ptr fs:[00000030h] 4_2_010D8770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E0770 mov eax, dword ptr fs:[00000030h] 4_2_010E0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E0770 mov eax, dword ptr fs:[00000030h] 4_2_010E0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E0770 mov eax, dword ptr fs:[00000030h] 4_2_010E0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E0770 mov eax, dword ptr fs:[00000030h] 4_2_010E0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E0770 mov eax, dword ptr fs:[00000030h] 4_2_010E0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E0770 mov eax, dword ptr fs:[00000030h] 4_2_010E0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E0770 mov eax, dword ptr fs:[00000030h] 4_2_010E0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E0770 mov eax, dword ptr fs:[00000030h] 4_2_010E0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E0770 mov eax, dword ptr fs:[00000030h] 4_2_010E0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E0770 mov eax, dword ptr fs:[00000030h] 4_2_010E0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E0770 mov eax, dword ptr fs:[00000030h] 4_2_010E0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E0770 mov eax, dword ptr fs:[00000030h] 4_2_010E0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0117678E mov eax, dword ptr fs:[00000030h] 4_2_0117678E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D07AF mov eax, dword ptr fs:[00000030h] 4_2_010D07AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010DC7C0 mov eax, dword ptr fs:[00000030h] 4_2_010DC7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_011507C3 mov eax, dword ptr fs:[00000030h] 4_2_011507C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010F27ED mov eax, dword ptr fs:[00000030h] 4_2_010F27ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010F27ED mov eax, dword ptr fs:[00000030h] 4_2_010F27ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010F27ED mov eax, dword ptr fs:[00000030h] 4_2_010F27ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0115E7E1 mov eax, dword ptr fs:[00000030h] 4_2_0115E7E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D47FB mov eax, dword ptr fs:[00000030h] 4_2_010D47FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D47FB mov eax, dword ptr fs:[00000030h] 4_2_010D47FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E260B mov eax, dword ptr fs:[00000030h] 4_2_010E260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E260B mov eax, dword ptr fs:[00000030h] 4_2_010E260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E260B mov eax, dword ptr fs:[00000030h] 4_2_010E260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E260B mov eax, dword ptr fs:[00000030h] 4_2_010E260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E260B mov eax, dword ptr fs:[00000030h] 4_2_010E260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E260B mov eax, dword ptr fs:[00000030h] 4_2_010E260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E260B mov eax, dword ptr fs:[00000030h] 4_2_010E260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01112619 mov eax, dword ptr fs:[00000030h] 4_2_01112619
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0114E609 mov eax, dword ptr fs:[00000030h] 4_2_0114E609
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D262C mov eax, dword ptr fs:[00000030h] 4_2_010D262C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010EE627 mov eax, dword ptr fs:[00000030h] 4_2_010EE627
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01106620 mov eax, dword ptr fs:[00000030h] 4_2_01106620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01108620 mov eax, dword ptr fs:[00000030h] 4_2_01108620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010EC640 mov eax, dword ptr fs:[00000030h] 4_2_010EC640
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01102674 mov eax, dword ptr fs:[00000030h] 4_2_01102674
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110A660 mov eax, dword ptr fs:[00000030h] 4_2_0110A660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110A660 mov eax, dword ptr fs:[00000030h] 4_2_0110A660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0119866E mov eax, dword ptr fs:[00000030h] 4_2_0119866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0119866E mov eax, dword ptr fs:[00000030h] 4_2_0119866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D4690 mov eax, dword ptr fs:[00000030h] 4_2_010D4690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D4690 mov eax, dword ptr fs:[00000030h] 4_2_010D4690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_011066B0 mov eax, dword ptr fs:[00000030h] 4_2_011066B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110C6A6 mov eax, dword ptr fs:[00000030h] 4_2_0110C6A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110A6C7 mov ebx, dword ptr fs:[00000030h] 4_2_0110A6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110A6C7 mov eax, dword ptr fs:[00000030h] 4_2_0110A6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_011506F1 mov eax, dword ptr fs:[00000030h] 4_2_011506F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_011506F1 mov eax, dword ptr fs:[00000030h] 4_2_011506F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0114E6F2 mov eax, dword ptr fs:[00000030h] 4_2_0114E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0114E6F2 mov eax, dword ptr fs:[00000030h] 4_2_0114E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0114E6F2 mov eax, dword ptr fs:[00000030h] 4_2_0114E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0114E6F2 mov eax, dword ptr fs:[00000030h] 4_2_0114E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0115C912 mov eax, dword ptr fs:[00000030h] 4_2_0115C912
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010C8918 mov eax, dword ptr fs:[00000030h] 4_2_010C8918
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010C8918 mov eax, dword ptr fs:[00000030h] 4_2_010C8918
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0114E908 mov eax, dword ptr fs:[00000030h] 4_2_0114E908
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0114E908 mov eax, dword ptr fs:[00000030h] 4_2_0114E908
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0116892B mov eax, dword ptr fs:[00000030h] 4_2_0116892B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0115892A mov eax, dword ptr fs:[00000030h] 4_2_0115892A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01150946 mov eax, dword ptr fs:[00000030h] 4_2_01150946
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0115C97C mov eax, dword ptr fs:[00000030h] 4_2_0115C97C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010F6962 mov eax, dword ptr fs:[00000030h] 4_2_010F6962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010F6962 mov eax, dword ptr fs:[00000030h] 4_2_010F6962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010F6962 mov eax, dword ptr fs:[00000030h] 4_2_010F6962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01174978 mov eax, dword ptr fs:[00000030h] 4_2_01174978
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01174978 mov eax, dword ptr fs:[00000030h] 4_2_01174978
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0111096E mov eax, dword ptr fs:[00000030h] 4_2_0111096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0111096E mov edx, dword ptr fs:[00000030h] 4_2_0111096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0111096E mov eax, dword ptr fs:[00000030h] 4_2_0111096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D09AD mov eax, dword ptr fs:[00000030h] 4_2_010D09AD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D09AD mov eax, dword ptr fs:[00000030h] 4_2_010D09AD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_011589B3 mov esi, dword ptr fs:[00000030h] 4_2_011589B3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_011589B3 mov eax, dword ptr fs:[00000030h] 4_2_011589B3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_011589B3 mov eax, dword ptr fs:[00000030h] 4_2_011589B3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E29A0 mov eax, dword ptr fs:[00000030h] 4_2_010E29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E29A0 mov eax, dword ptr fs:[00000030h] 4_2_010E29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E29A0 mov eax, dword ptr fs:[00000030h] 4_2_010E29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E29A0 mov eax, dword ptr fs:[00000030h] 4_2_010E29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E29A0 mov eax, dword ptr fs:[00000030h] 4_2_010E29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E29A0 mov eax, dword ptr fs:[00000030h] 4_2_010E29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E29A0 mov eax, dword ptr fs:[00000030h] 4_2_010E29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E29A0 mov eax, dword ptr fs:[00000030h] 4_2_010E29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E29A0 mov eax, dword ptr fs:[00000030h] 4_2_010E29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E29A0 mov eax, dword ptr fs:[00000030h] 4_2_010E29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E29A0 mov eax, dword ptr fs:[00000030h] 4_2_010E29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E29A0 mov eax, dword ptr fs:[00000030h] 4_2_010E29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E29A0 mov eax, dword ptr fs:[00000030h] 4_2_010E29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_011049D0 mov eax, dword ptr fs:[00000030h] 4_2_011049D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0119A9D3 mov eax, dword ptr fs:[00000030h] 4_2_0119A9D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_011669C0 mov eax, dword ptr fs:[00000030h] 4_2_011669C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010DA9D0 mov eax, dword ptr fs:[00000030h] 4_2_010DA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010DA9D0 mov eax, dword ptr fs:[00000030h] 4_2_010DA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010DA9D0 mov eax, dword ptr fs:[00000030h] 4_2_010DA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010DA9D0 mov eax, dword ptr fs:[00000030h] 4_2_010DA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010DA9D0 mov eax, dword ptr fs:[00000030h] 4_2_010DA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010DA9D0 mov eax, dword ptr fs:[00000030h] 4_2_010DA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_011029F9 mov eax, dword ptr fs:[00000030h] 4_2_011029F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_011029F9 mov eax, dword ptr fs:[00000030h] 4_2_011029F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0115E9E0 mov eax, dword ptr fs:[00000030h] 4_2_0115E9E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0115C810 mov eax, dword ptr fs:[00000030h] 4_2_0115C810
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110A830 mov eax, dword ptr fs:[00000030h] 4_2_0110A830
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0117483A mov eax, dword ptr fs:[00000030h] 4_2_0117483A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0117483A mov eax, dword ptr fs:[00000030h] 4_2_0117483A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010F2835 mov eax, dword ptr fs:[00000030h] 4_2_010F2835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010F2835 mov eax, dword ptr fs:[00000030h] 4_2_010F2835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010F2835 mov eax, dword ptr fs:[00000030h] 4_2_010F2835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010F2835 mov ecx, dword ptr fs:[00000030h] 4_2_010F2835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010F2835 mov eax, dword ptr fs:[00000030h] 4_2_010F2835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010F2835 mov eax, dword ptr fs:[00000030h] 4_2_010F2835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01100854 mov eax, dword ptr fs:[00000030h] 4_2_01100854
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E2840 mov ecx, dword ptr fs:[00000030h] 4_2_010E2840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D4859 mov eax, dword ptr fs:[00000030h] 4_2_010D4859
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D4859 mov eax, dword ptr fs:[00000030h] 4_2_010D4859
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01166870 mov eax, dword ptr fs:[00000030h] 4_2_01166870
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01166870 mov eax, dword ptr fs:[00000030h] 4_2_01166870
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0115E872 mov eax, dword ptr fs:[00000030h] 4_2_0115E872
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0115E872 mov eax, dword ptr fs:[00000030h] 4_2_0115E872
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0115C89D mov eax, dword ptr fs:[00000030h] 4_2_0115C89D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D0887 mov eax, dword ptr fs:[00000030h] 4_2_010D0887
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010FE8C0 mov eax, dword ptr fs:[00000030h] 4_2_010FE8C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110C8F9 mov eax, dword ptr fs:[00000030h] 4_2_0110C8F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110C8F9 mov eax, dword ptr fs:[00000030h] 4_2_0110C8F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0119A8E4 mov eax, dword ptr fs:[00000030h] 4_2_0119A8E4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0114EB1D mov eax, dword ptr fs:[00000030h] 4_2_0114EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0114EB1D mov eax, dword ptr fs:[00000030h] 4_2_0114EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0114EB1D mov eax, dword ptr fs:[00000030h] 4_2_0114EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0114EB1D mov eax, dword ptr fs:[00000030h] 4_2_0114EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0114EB1D mov eax, dword ptr fs:[00000030h] 4_2_0114EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0114EB1D mov eax, dword ptr fs:[00000030h] 4_2_0114EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0114EB1D mov eax, dword ptr fs:[00000030h] 4_2_0114EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0114EB1D mov eax, dword ptr fs:[00000030h] 4_2_0114EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0114EB1D mov eax, dword ptr fs:[00000030h] 4_2_0114EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010FEB20 mov eax, dword ptr fs:[00000030h] 4_2_010FEB20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010FEB20 mov eax, dword ptr fs:[00000030h] 4_2_010FEB20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01198B28 mov eax, dword ptr fs:[00000030h] 4_2_01198B28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01198B28 mov eax, dword ptr fs:[00000030h] 4_2_01198B28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01178B42 mov eax, dword ptr fs:[00000030h] 4_2_01178B42
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01166B40 mov eax, dword ptr fs:[00000030h] 4_2_01166B40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01166B40 mov eax, dword ptr fs:[00000030h] 4_2_01166B40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0119AB40 mov eax, dword ptr fs:[00000030h] 4_2_0119AB40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010CCB7E mov eax, dword ptr fs:[00000030h] 4_2_010CCB7E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E0BBE mov eax, dword ptr fs:[00000030h] 4_2_010E0BBE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E0BBE mov eax, dword ptr fs:[00000030h] 4_2_010E0BBE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D0BCD mov eax, dword ptr fs:[00000030h] 4_2_010D0BCD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D0BCD mov eax, dword ptr fs:[00000030h] 4_2_010D0BCD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D0BCD mov eax, dword ptr fs:[00000030h] 4_2_010D0BCD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010F0BCB mov eax, dword ptr fs:[00000030h] 4_2_010F0BCB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010F0BCB mov eax, dword ptr fs:[00000030h] 4_2_010F0BCB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010F0BCB mov eax, dword ptr fs:[00000030h] 4_2_010F0BCB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0117EBD0 mov eax, dword ptr fs:[00000030h] 4_2_0117EBD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0115CBF0 mov eax, dword ptr fs:[00000030h] 4_2_0115CBF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010FEBFC mov eax, dword ptr fs:[00000030h] 4_2_010FEBFC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D8BF0 mov eax, dword ptr fs:[00000030h] 4_2_010D8BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D8BF0 mov eax, dword ptr fs:[00000030h] 4_2_010D8BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D8BF0 mov eax, dword ptr fs:[00000030h] 4_2_010D8BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0115CA11 mov eax, dword ptr fs:[00000030h] 4_2_0115CA11
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010FEA2E mov eax, dword ptr fs:[00000030h] 4_2_010FEA2E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110CA38 mov eax, dword ptr fs:[00000030h] 4_2_0110CA38
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110CA24 mov eax, dword ptr fs:[00000030h] 4_2_0110CA24
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010F4A35 mov eax, dword ptr fs:[00000030h] 4_2_010F4A35
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010F4A35 mov eax, dword ptr fs:[00000030h] 4_2_010F4A35
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E0A5B mov eax, dword ptr fs:[00000030h] 4_2_010E0A5B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010E0A5B mov eax, dword ptr fs:[00000030h] 4_2_010E0A5B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D6A50 mov eax, dword ptr fs:[00000030h] 4_2_010D6A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D6A50 mov eax, dword ptr fs:[00000030h] 4_2_010D6A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D6A50 mov eax, dword ptr fs:[00000030h] 4_2_010D6A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D6A50 mov eax, dword ptr fs:[00000030h] 4_2_010D6A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D6A50 mov eax, dword ptr fs:[00000030h] 4_2_010D6A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D6A50 mov eax, dword ptr fs:[00000030h] 4_2_010D6A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D6A50 mov eax, dword ptr fs:[00000030h] 4_2_010D6A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0114CA72 mov eax, dword ptr fs:[00000030h] 4_2_0114CA72
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0114CA72 mov eax, dword ptr fs:[00000030h] 4_2_0114CA72
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110CA6F mov eax, dword ptr fs:[00000030h] 4_2_0110CA6F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110CA6F mov eax, dword ptr fs:[00000030h] 4_2_0110CA6F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110CA6F mov eax, dword ptr fs:[00000030h] 4_2_0110CA6F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01108A90 mov edx, dword ptr fs:[00000030h] 4_2_01108A90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010DEA80 mov eax, dword ptr fs:[00000030h] 4_2_010DEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010DEA80 mov eax, dword ptr fs:[00000030h] 4_2_010DEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010DEA80 mov eax, dword ptr fs:[00000030h] 4_2_010DEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010DEA80 mov eax, dword ptr fs:[00000030h] 4_2_010DEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010DEA80 mov eax, dword ptr fs:[00000030h] 4_2_010DEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010DEA80 mov eax, dword ptr fs:[00000030h] 4_2_010DEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010DEA80 mov eax, dword ptr fs:[00000030h] 4_2_010DEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010DEA80 mov eax, dword ptr fs:[00000030h] 4_2_010DEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010DEA80 mov eax, dword ptr fs:[00000030h] 4_2_010DEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_011A4A80 mov eax, dword ptr fs:[00000030h] 4_2_011A4A80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D8AA0 mov eax, dword ptr fs:[00000030h] 4_2_010D8AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D8AA0 mov eax, dword ptr fs:[00000030h] 4_2_010D8AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01126AA4 mov eax, dword ptr fs:[00000030h] 4_2_01126AA4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01104AD0 mov eax, dword ptr fs:[00000030h] 4_2_01104AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01104AD0 mov eax, dword ptr fs:[00000030h] 4_2_01104AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_010D0AD0 mov eax, dword ptr fs:[00000030h] 4_2_010D0AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01126ACC mov eax, dword ptr fs:[00000030h] 4_2_01126ACC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01126ACC mov eax, dword ptr fs:[00000030h] 4_2_01126ACC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01126ACC mov eax, dword ptr fs:[00000030h] 4_2_01126ACC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110AAEE mov eax, dword ptr fs:[00000030h] 4_2_0110AAEE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0110AAEE mov eax, dword ptr fs:[00000030h] 4_2_0110AAEE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01188D10 mov eax, dword ptr fs:[00000030h] 4_2_01188D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01188D10 mov eax, dword ptr fs:[00000030h] 4_2_01188D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01104D1D mov eax, dword ptr fs:[00000030h] 4_2_01104D1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010EAD00 mov eax, dword ptr fs:[00000030h]4_2_010EAD00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010EAD00 mov eax, dword ptr fs:[00000030h]4_2_010EAD00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010EAD00 mov eax, dword ptr fs:[00000030h]4_2_010EAD00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010C6D10 mov eax, dword ptr fs:[00000030h]4_2_010C6D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010C6D10 mov eax, dword ptr fs:[00000030h]4_2_010C6D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010C6D10 mov eax, dword ptr fs:[00000030h]4_2_010C6D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01158D20 mov eax, dword ptr fs:[00000030h]4_2_01158D20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D0D59 mov eax, dword ptr fs:[00000030h]4_2_010D0D59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D0D59 mov eax, dword ptr fs:[00000030h]4_2_010D0D59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D0D59 mov eax, dword ptr fs:[00000030h]4_2_010D0D59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D8D59 mov eax, dword ptr fs:[00000030h]4_2_010D8D59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D8D59 mov eax, dword ptr fs:[00000030h]4_2_010D8D59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D8D59 mov eax, dword ptr fs:[00000030h]4_2_010D8D59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D8D59 mov eax, dword ptr fs:[00000030h]4_2_010D8D59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010D8D59 mov eax, dword ptr fs:[00000030h]4_2_010D8D59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01168D6B mov eax, dword ptr fs:[00000030h]4_2_01168D6B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0110CDB1 mov ecx, dword ptr fs:[00000030h]4_2_0110CDB1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0110CDB1 mov eax, dword ptr fs:[00000030h]4_2_0110CDB1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0110CDB1 mov eax, dword ptr fs:[00000030h]4_2_0110CDB1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010F8DBF mov eax, dword ptr fs:[00000030h]4_2_010F8DBF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010F8DBF mov eax, dword ptr fs:[00000030h]4_2_010F8DBF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01106DA0 mov eax, dword ptr fs:[00000030h]4_2_01106DA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01198DAE mov eax, dword ptr fs:[00000030h]4_2_01198DAE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01198DAE mov eax, dword ptr fs:[00000030h]4_2_01198DAE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_011A4DAD mov eax, dword ptr fs:[00000030h]4_2_011A4DAD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01154DD7 mov eax, dword ptr fs:[00000030h]4_2_01154DD7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01154DD7 mov eax, dword ptr fs:[00000030h]4_2_01154DD7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010FEDD3 mov eax, dword ptr fs:[00000030h]4_2_010FEDD3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010FEDD3 mov eax, dword ptr fs:[00000030h]4_2_010FEDD3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010CCDEA mov eax, dword ptr fs:[00000030h]4_2_010CCDEA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010CCDEA mov eax, dword ptr fs:[00000030h]4_2_010CCDEA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01170DF0 mov eax, dword ptr fs:[00000030h]4_2_01170DF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01170DF0 mov eax, dword ptr fs:[00000030h]4_2_01170DF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_010DADE0 mov eax, dword ptr fs:[00000030h]4_2_010DADE0
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe"
                (The parent is a 32-bit process, so its request for the System32 powershell.exe is redirected by WOW64 file system redirection to the SysWOW64 image recorded as the created process; the exclusion covers only the sample's own path on the Desktop.)
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe | direct Nt* calls, in report order, each with the address it was issued from:
                    NtQueryVolumeInformationFile: Direct from: 0x776D2F2C
                    NtQuerySystemInformation: Direct from: 0x776D48CC
                    NtAllocateVirtualMemory: Direct from: 0x776D48EC
                    NtOpenSection: Direct from: 0x776D2E0C
                    NtDeviceIoControlFile: Direct from: 0x776D2AEC
                    NtAllocateVirtualMemory: Direct from: 0x776D2BEC
                    NtQueryInformationProcess: Direct from: 0x776D2C26
                    NtResumeThread: Direct from: 0x776D2FBC
                    NtWriteVirtualMemory: Direct from: 0x776D490C
                    NtCreateUserProcess: Direct from: 0x776D371C
                    NtClose: Direct from: 0x776D2B6C
                    NtAllocateVirtualMemory: Direct from: 0x776D3C9C
                    NtSetInformationThread: Direct from: 0x776C63F9
                    NtQueryAttributesFile: Direct from: 0x776D2E6C
                    NtSetInformationThread: Direct from: 0x776D2B4C
                    NtReadVirtualMemory: Direct from: 0x776D2E8C
                    NtCreateKey: Direct from: 0x776D2C6C
                    NtResumeThread: Direct from: 0x776D36AC
                    NtMapViewOfSection: Direct from: 0x776D2D1C
                    NtWriteVirtualMemory: Direct from: 0x776D2E3C
                    NtUnmapViewOfSection: Direct from: 0x776D2D3C
                    NtCreateMutant: Direct from: 0x776D35CC
                    NtAllocateVirtualMemory: Direct from: 0x776D2BFC
                    NtDelayExecution: Direct from: 0x776D2DDC
                    NtQuerySystemInformation: Direct from: 0x776D2DFC
                    NtReadFile: Direct from: 0x776D2ADC
                    NtTerminateThread: Direct from: 0x776D2FCC
                    NtQueryInformationToken: Direct from: 0x776D2CAC
                    NtCreateFile: Direct from: 0x776D2FEC
                    NtOpenFile: Direct from: 0x776D2DCC
                    NtOpenKeyEx: Direct from: 0x776D2B9C
                    NtNotifyChangeKey: Direct from: 0x776D3C2C
                    NtSetInformationProcess: Direct from: 0x776D2C5C
                    NtProtectVirtualMemory: Direct from: 0x776D2F9C
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A (the "MZ" magic of a PE header, written over the image base of the suspended RegSvcs.exe)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe protection: execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Windows\SysWOW64\PresentationHost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: NULL target: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe protection: read write
                Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: NULL target: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\PresentationHost.exe | Thread register set: target process: 3700
                Source: C:\Windows\SysWOW64\PresentationHost.exe | Thread APC queued: target process: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 844008
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe"
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe | Process created: C:\Windows\SysWOW64\PresentationHost.exe "C:\Windows\SysWOW64\PresentationHost.exe"
                Source: C:\Windows\SysWOW64\PresentationHost.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: H792vWLf9Fx1Mp7TRJ.exe, 0000000D.00000000.1299318899.0000000001680000.00000002.00000001.00040000.00000000.sdmp, H792vWLf9Fx1Mp7TRJ.exe, 0000000D.00000002.3370644270.0000000001680000.00000002.00000001.00040000.00000000.sdmp, H792vWLf9Fx1Mp7TRJ.exe, 0000000F.00000002.3370333574.0000000001670000.00000002.00000001.00040000.00000000.sdmp | Binary or memory strings:
                    Program Manager
                    Shell_TrayWnd
                    Progman
                    Progmanlock
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe VolumeInformation
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 occurrences)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 occurrences)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (2 occurrences)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (7 occurrences)
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (3 occurrences)
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (2 occurrences)
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
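                The rows in this section record the whole FormBook delivery chain: a Defender exclusion added through Add-MpPreference, an executable allocation at base 400000 in RegSvcs.exe followed by a write that begins with 4D5A, Nt* calls issued directly from H792vWLf9Fx1Mp7TRJ.exe, and sections mapped, a thread context set and an APC queued into processes other than the caller. The Python script below is an added example written for this page; it is not part of the Joe Sandbox report or its tooling. It parses rows in the flattened "Source: <process> <event>: <detail>" form used here and applies four triage rules that correlate those events. The sample rows are copied from this section with the dropped column separator restored as a space; the rule names, the 0x400000 image-base check and the choice to report every "Direct from" Nt* call regardless of the calling image are the example's own assumptions.

```python
import re

# Constructed sample input: rows copied from this section of the report, with the
# column separator that the page extraction dropped restored as a single space.
SAMPLE_ROWS = [
    r'Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe"',
    r"Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write",
    r"Source: C:\Users\user\Desktop\URGENT REQUEST FOR QUOTATION.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe NtWriteVirtualMemory: Direct from: 0x776D490C",
    r"Source: C:\Windows\SysWOW64\PresentationHost.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write",
    r"Source: C:\Windows\SysWOW64\PresentationHost.exe Thread register set: target process: 3700",
    r"Source: C:\Windows\SysWOW64\PresentationHost.exe Thread APC queued: target process: C:\Program Files (x86)\ZeWGGsKmIuKixNxFZZaTHWCuaQvoeemqsPjxHscsBCGnB\H792vWLf9Fx1Mp7TRJ.exe",
]

ROW_RE = re.compile(
    r"^Source: (?P<src>.+?\.exe) "
    r"(?P<event>Process created|Memory allocated|Memory written|Section loaded"
    r"|Thread register set|Thread APC queued|Nt[A-Za-z]+): (?P<detail>.*)$"
)
ALLOC_RE = re.compile(r"^(?P<target>.+?\.exe) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.*)$")
WRITE_RE = re.compile(r"^(?P<target>.+?\.exe) base: (?P<base>[0-9A-Fa-f]+) value starts with: (?P<magic>[0-9A-Fa-f]+)$")
TARGET_RE = re.compile(r"target(?: process)?: (?P<target>.+?\.exe|\d+)")
PE_IMAGE_BASE = 0x400000  # default image base of a 32-bit EXE: where a hollowed host receives its replacement image


def parse(rows):
    """Split flattened report rows into (source, event, detail); rows in another shape are skipped."""
    return [(m["src"], m["event"], m["detail"]) for m in map(ROW_RE.match, rows) if m]


def triage(rows):
    """Apply four correlation rules to the rows and return {rule: [findings]}.

    Rows are processed in report order, so the hollowing rule only fires when an
    executable allocation at the image base precedes a write that starts with "MZ".
    """
    findings = {"defender_exclusion": [], "process_hollowing": [], "direct_syscall": [], "foreign_injection": []}
    exec_alloc = set()  # (source, target) pairs that received an executable allocation at PE_IMAGE_BASE
    for src, event, detail in parse(rows):
        if event == "Process created" and re.search(r"add-mppreference.*-exclusionpath", detail, re.I):
            findings["defender_exclusion"].append(src)
        elif event == "Memory allocated":
            m = ALLOC_RE.match(detail)
            if m and "execute" in m["prot"] and int(m["base"], 16) == PE_IMAGE_BASE:
                exec_alloc.add((src, m["target"]))
        elif event == "Memory written":
            m = WRITE_RE.match(detail)
            if m and m["magic"].upper().startswith("4D5A") and (src, m["target"]) in exec_alloc:
                findings["process_hollowing"].append((src, m["target"]))
        elif event.startswith("Nt") and detail.startswith("Direct from:"):
            # "Direct from" rows are Nt* calls that did not enter through the normal ntdll
            # export, which is what defeats user-mode API hooks; every one is worth a look.
            findings["direct_syscall"].append((src, event))
        elif event in ("Section loaded", "Thread register set", "Thread APC queued"):
            m = TARGET_RE.search(detail)
            if m and m["target"].lower() != src.lower():
                findings["foreign_injection"].append((src, event, m["target"]))
    return findings


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_ROWS).items():
        print(f"{rule}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

                The hollowing rule deliberately keys on the pair (writer, target): a write of "MZ" into a process that never received an executable allocation at its image base is left alone, which keeps ordinary loaders and debuggers out of the result.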

                Stealing of Sensitive Information

                Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000002.1373353315.0000000001050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.1372904719.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.3372784799.0000000005400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.3370961609.0000000002C90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.1374655242.00000000014F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\PresentationHost.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\PresentationHost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\PresentationHost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\PresentationHost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\PresentationHost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\PresentationHost.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\PresentationHost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\PresentationHost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\PresentationHost.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                Source: Yara match, file source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 00000004.00000002.1373353315.0000000001050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000004.00000002.1372904719.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 0000000F.00000002.3372784799.0000000005400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 0000000D.00000002.3370961609.0000000002C90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000004.00000002.1374655242.00000000014F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                ATT&CK Matrix (techniques listed per tactic; a number in parentheses is the count the report shows next to that technique, techniques without a number carry no count)

                Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
                Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
                Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
                Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
                Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
                Privilege Escalation: Process Injection (612), Abuse Elevation Control Mechanism (1), DLL Side-Loading (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
                Defense Evasion: Masquerading (1), Disable or Modify Tools (11), Virtualization/Sandbox Evasion (51), Process Injection (612), Deobfuscate/Decode Files or Information (1), Abuse Elevation Control Mechanism (1), Obfuscated Files or Information (4), Software Packing (12), Timestomp (1), DLL Side-Loading (1)
                Credential Access: OS Credential Dumping (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
                Discovery: Security Software Discovery (131), Process Discovery (2), Virtualization/Sandbox Evasion (51), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (123), Remote System Discovery, System Owner/User Discovery, Network Sniffing, Network Service Discovery
                Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
                Collection: Email Collection (1), Archive Collected Data (1), Data from Local System (1), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
                Command and Control: Encrypted Channel (1), Ingress Tool Transfer (3), Non-Application Layer Protocol (4), Application Layer Protocol (4), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
                Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement
                Behavior Graph (ID: 1634099; Sample: URGENT REQUEST FOR QUOTATION.exe; Startdate: 10/03/2025; Architecture: WINDOWS; Score: 100)

                Sample-level network: www.setrala.xyz; www.quantumeditor.xyz (Performs DNS queries to domains with low reputation); 20 other IPs or domains
                Sample-level signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; 8 other signatures

                • URGENT REQUEST FOR QUOTATION.exe (started)
                    dropped: C:\...\URGENT REQUEST FOR QUOTATION.exe.log, ASCII
                    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
                    • RegSvcs.exe (started): Maps a DLL or memory area into another process
                        • H792vWLf9Fx1Mp7TRJ.exe (injected): Found direct / indirect Syscall (likely to bypass EDR)
                            • PresentationHost.exe (started): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                                • H792vWLf9Fx1Mp7TRJ.exe (injected): Found direct / indirect Syscall (likely to bypass EDR)
                                    network: www.thrivay.website 203.161.42.73, ports 49700, 49701, 49702, VNPT-AS-VNVNPTCorpVN, Malaysia; sixfiguredigital.group 77.95.113.182, port 80, PROGRESSIVEGB, United Kingdom; 8 other IPs or domains
                                • firefox.exe (started)
                    • powershell.exe (started): Loading BitLocker PowerShell Module
                        • conhost.exe (started)
                    • RegSvcs.exe (started)
                • svchost.exe (started)
                    network: 127.0.0.1 unknown unknown
