Windows Analysis Report
inquiry EBS# 82785.exe

Overview

General Information

Sample name: inquiry EBS# 82785.exe
Analysis ID: 1447917
MD5: f36ac11608bf695e552445fd88200e91
SHA1: 76534119d4fe5ffc5a4961bf1e25f2f203fc1a99
SHA256: 84643c2b61b5ea0b8ac176dde19ba3f51c3c23fde7883b3674317dc33fb6456c
Tags: exe
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large strings
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://www.duobao698.com/b5mo/ Avira URL Cloud: Label: malware
Source: http://www.duobao698.com/b5mo/?f4=xxLl5tHp-byppxH&MNodJD8p=YF33wiUQP61+bcRucpXfP2bszl+S1jXxxa03lm8i9Cm6yh/X5E/MKQF3SqHNMSDah8acWmTXWKI80zfQn0GR7e3o5MjoaLzb9IV74TF38aXM2/s/Vr42kQEqdr4drO8NCxauOi017rm8 Avira URL Cloud: Label: malware
Source: http://www.pricekaboom.com/88is/?f4=xxLl5tHp-byppxH&MNodJD8p=Et7jFQQESHR6QMcH21WFfBueb87jCDciOXesV2PUTY+phHzqwibAOf6k5ayeI+rSGw4JUshP7eT3Dg0I6eQ+O8WQlCHWQqse33D+WHaqsKhBys2QaUSMPkBSAmePUjZQCr8qbSgJVbhV Avira URL Cloud: Label: malware
Source: http://www.ycwtch.co.uk/kpja/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: inquiry EBS# 82785.exe ReversingLabs: Detection: 68%
Yara detected FormBook
Source: Yara match File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.1435453576.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3695841773.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3714642969.00000000054D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3712098478.0000000004B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1438597703.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3712203175.0000000004CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1438447735.0000000001830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3712340508.00000000030E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: inquiry EBS# 82785.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: inquiry EBS# 82785.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: inquiry EBS# 82785.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: iexpress.pdbGCTL source: RegSvcs.exe, 00000004.00000002.1435957062.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, hbfEEdNoiUG.exe, 0000000F.00000002.3708916103.0000000000AAF000.00000004.00000020.00020000.00000000.sdmp, hbfEEdNoiUG.exe, 0000000F.00000003.1360746245.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: hbfEEdNoiUG.exe, 0000000F.00000000.1347277326.000000000052E000.00000002.00000001.01000000.0000000D.sdmp, hbfEEdNoiUG.exe, 00000014.00000002.3695839640.000000000052E000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000004.00000002.1436661246.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, iexpress.exe, 00000010.00000003.1434430531.0000000004D6B000.00000004.00000020.00020000.00000000.sdmp, iexpress.exe, 00000010.00000002.3712669732.00000000050C0000.00000040.00001000.00020000.00000000.sdmp, iexpress.exe, 00000010.00000002.3712669732.000000000525E000.00000040.00001000.00020000.00000000.sdmp, iexpress.exe, 00000010.00000003.1438240479.0000000004F17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000004.00000002.1436661246.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, iexpress.exe, iexpress.exe, 00000010.00000003.1434430531.0000000004D6B000.00000004.00000020.00020000.00000000.sdmp, iexpress.exe, 00000010.00000002.3712669732.00000000050C0000.00000040.00001000.00020000.00000000.sdmp, iexpress.exe, 00000010.00000002.3712669732.000000000525E000.00000040.00001000.00020000.00000000.sdmp, iexpress.exe, 00000010.00000003.1438240479.0000000004F17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: HSfy.pdb source: inquiry EBS# 82785.exe
Source: Binary string: HSfy.pdbSHA256uT source: inquiry EBS# 82785.exe
Source: Binary string: iexpress.pdb source: RegSvcs.exe, 00000004.00000002.1435957062.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, hbfEEdNoiUG.exe, 0000000F.00000002.3708916103.0000000000AAF000.00000004.00000020.00020000.00000000.sdmp, hbfEEdNoiUG.exe, 0000000F.00000003.1360746245.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0303BAF0 FindFirstFileW,FindNextFileW,FindClose, 16_2_0303BAF0
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 4x nop then mov dword ptr [ebp-000000E8h], 00000000h 16_2_030296A0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 4x nop then xor eax, eax 16_2_030296A0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 4x nop then pop edi 16_2_0303201A
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.31.240.240 185.31.240.240
Source: Joe Sandbox View IP Address: 198.177.123.106 198.177.123.106
Source: Joe Sandbox View IP Address: 107.151.241.58 107.151.241.58
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /88is/?f4=xxLl5tHp-byppxH&MNodJD8p=Et7jFQQESHR6QMcH21WFfBueb87jCDciOXesV2PUTY+phHzqwibAOf6k5ayeI+rSGw4JUshP7eT3Dg0I6eQ+O8WQlCHWQqse33D+WHaqsKhBys2QaUSMPkBSAmePUjZQCr8qbSgJVbhV HTTP/1.1Host: www.pricekaboom.comAccept: */*Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic HTTP traffic detected: GET /v0eo/?MNodJD8p=53hfMKMEN3GhcMKa3FD3GzP2+NOMOkRil+RTINeunm9wIq1fivMeg2WaHp19Pt0EnqgBYyGRdzAlBNzF4cJsjA2PPFb1LRhEuRJejr6Fp+RggyN+VxffrmtVRKuIz6NLG42mGA2FBBi+&f4=xxLl5tHp-byppxH HTTP/1.1Host: www.birthingwitht.comAccept: */*Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic HTTP traffic detected: GET /bjqr/?f4=xxLl5tHp-byppxH&MNodJD8p=gV3rr7jqPVIv1Mn/lEpKIewKkib7Fcul04Jd32/fmw2k/EH2FaAQks6L8J0asfE6jsJhPUd3WUfcv1S8rbU6nGqSEFtTbFoUTPdBAPE1L3Zw4OEG+thjvk7ioWrFkV00ho6iarHOpTEe HTTP/1.1Host: www.0bi8.funAccept: */*Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic HTTP traffic detected: GET /v7f6/?MNodJD8p=XF4qeg9ZZgTAThyVlalCdKNU99LfXS2lLMZLa1YAu2kMLhYluJ+1/4qiQDOp90UUak+QbyH64omdN7gzrQa5FaRBbg95DUa8jSSlfRAmfeyBeU+cpFm8YfZCh5mA/E+0k6dMbGsvvroL&f4=xxLl5tHp-byppxH HTTP/1.1Host: www.galatalosangeles.orgAccept: */*Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic HTTP traffic detected: GET /e6fw/?f4=xxLl5tHp-byppxH&MNodJD8p=n5dESxf/cXtX+IWK1PHyu1L8TFflxVgasmaJS2CdKaZYGchug9mh5pyHlytVKDb3Cg5u6YFnb48YkM5fb7pMgDgbFs0i5g+O9MKB2IOkFyIMxqAROkXgP4I/Dc/XYjPAbEAcXqhbTswY HTTP/1.1Host: www.chillingtime.shopAccept: */*Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic HTTP traffic detected: GET /z86o/?MNodJD8p=Ojnz0Kg7atrxNq8YCu+svyw5JWMM1LKejTFIWEVqDJTsr8k/Cp/y34hmBl88WC07fa4Gfm/DSv1MHu4JYtU+JFgy+UqwczkQfuHRwTZ5WPzaTNzF4FwHRgOY2DJ/mTb+46Ki7EnPzQiQ&f4=xxLl5tHp-byppxH HTTP/1.1Host: www.drednents.esAccept: */*Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic HTTP traffic detected: GET /7skl/?f4=xxLl5tHp-byppxH&MNodJD8p=dTL83zpU0xQ9edv6OGiX5dEIo4WZrMM8fLl2Krrsxam7NAcpt0Es3EGDcNMssM7b8wua4BB6pAKcVugLPNxCMOYttcIT7GyMy0e3JishaTIPS+4u6tMJjGSu/0BLy0AvAJTG8pRcvlin HTTP/1.1Host: www.shopnaya.frAccept: */*Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic HTTP traffic detected: GET /ji0p/?MNodJD8p=xXD9CQ3N7xKDLchfMZiKEzPna0191/2yPXYla/3jou9aJjDG40/AHObgd4ksmL/dNcSWCZmrHM/RDWoQ1OVMTJmDIfJC0DRY8vTyfwkh08Xc3obI9sRDXMdHo4KaM9QY8Uf5asICqepP&f4=xxLl5tHp-byppxH HTTP/1.1Host: www.yamlex.ruAccept: */*Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic HTTP traffic detected: GET /hjqs/?f4=xxLl5tHp-byppxH&MNodJD8p=5qGwR/efmPt/I6Ynz6AqB74GuZv+m8IAYAQ4rwOKHDcf/eaPG6yHH9N9SqcPE5LhBkrMW/1fhU0AkMcaTSWt5r3v+QyKYKY8hdB1xYhSZ8o8wTivSleoUXQcrXTUVIgWubI9r3mYr34W HTTP/1.1Host: www.touchdres.topAccept: */*Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic HTTP traffic detected: GET /hrz3/?MNodJD8p=fkxp32a3AF5wBSwRh5VZfmiY3/puBKP3MVSkTpkPNWOuHUgNKCFzkVmprYkTYGjHw4naGQMkcT0jQi1gpu8oD2UytFCpxdjGtxbhW8UXfJ17EhPZrFJXKsyUbfGU5GAcfhuZPrs7GjjK&f4=xxLl5tHp-byppxH HTTP/1.1Host: www.omilux.vnAccept: */*Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic HTTP traffic detected: GET /b5mo/?f4=xxLl5tHp-byppxH&MNodJD8p=YF33wiUQP61+bcRucpXfP2bszl+S1jXxxa03lm8i9Cm6yh/X5E/MKQF3SqHNMSDah8acWmTXWKI80zfQn0GR7e3o5MjoaLzb9IV74TF38aXM2/s/Vr42kQEqdr4drO8NCxauOi017rm8 HTTP/1.1Host: www.duobao698.comAccept: */*Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic HTTP traffic detected: GET /kpja/?MNodJD8p=feUkjxVztt61T+q9W6uYG/UJrG3XpNzeZI0ojRzm1cejAyzeojgXHXhC7SIpJnYpWq4H+DhEOKRao3BiyIuYFkFo5Eoj5TMadhE3pDNzCDi8vXm7xxYuwOkEHvw50i5QKglKDFk0tKB3&f4=xxLl5tHp-byppxH HTTP/1.1Host: www.ycwtch.co.ukAccept: */*Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic HTTP traffic detected: GET /8vpj/?f4=xxLl5tHp-byppxH&MNodJD8p=PND0ETKqlieTTeqinVoOdoMDGkM5Odo4sqg2s5YxFKdh6CPUHw2tTMKdV9M9FPP1W5xV4FYCql8AQrim1T6KQKabV5DPdnWB0A0Xkl8YOGjv4J+ZuCok4XgXnh6EsXJFAwVfNVgHNN7O HTTP/1.1Host: www.geltipleasure.comAccept: */*Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic DNS traffic detected: DNS query: www.pricekaboom.com
Source: global traffic DNS traffic detected: DNS query: www.birthingwitht.com
Source: global traffic DNS traffic detected: DNS query: www.0bi8.fun
Source: global traffic DNS traffic detected: DNS query: www.galatalosangeles.org
Source: global traffic DNS traffic detected: DNS query: www.chillingtime.shop
Source: global traffic DNS traffic detected: DNS query: www.drednents.es
Source: global traffic DNS traffic detected: DNS query: www.shopnaya.fr
Source: global traffic DNS traffic detected: DNS query: www.yamlex.ru
Source: global traffic DNS traffic detected: DNS query: www.touchdres.top
Source: global traffic DNS traffic detected: DNS query: www.omilux.vn
Source: global traffic DNS traffic detected: DNS query: www.duobao698.com
Source: global traffic DNS traffic detected: DNS query: www.ycwtch.co.uk
Source: global traffic DNS traffic detected: DNS query: www.geltipleasure.com
Source: global traffic DNS traffic detected: DNS query: www.hilfe24x7.de
Source: unknown HTTP traffic detected: POST /v0eo/ HTTP/1.1Host: www.birthingwitht.comAccept: */*Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brCache-Control: no-cacheContent-Length: 221Connection: closeContent-Type: application/x-www-form-urlencodedOrigin: http://www.birthingwitht.comReferer: http://www.birthingwitht.com/v0eo/User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36Data Raw: 4d 4e 6f 64 4a 44 38 70 3d 30 31 4a 2f 50 2b 77 48 4b 58 43 6b 52 73 61 2b 39 48 33 7a 63 67 6a 34 2b 2f 76 7a 58 58 73 66 6d 37 5a 32 47 4e 72 53 73 47 70 56 54 6f 46 44 6c 2b 4d 4e 72 6d 43 74 43 59 39 4c 48 74 67 50 36 38 55 74 41 69 6d 64 4a 6b 49 79 59 65 48 5a 72 65 46 6d 30 69 65 49 49 6a 66 4c 55 68 41 72 6c 43 63 61 73 34 50 66 70 38 46 4e 6c 53 42 46 63 45 6e 74 74 56 35 6e 59 2b 69 32 32 6f 30 71 59 71 53 35 4f 6a 62 5a 46 42 2b 77 79 6c 5a 55 46 72 46 56 4a 2b 78 36 43 31 39 32 35 78 6e 38 5a 42 52 53 64 49 59 70 37 56 31 54 5a 51 31 31 61 63 31 4b 38 58 45 2b 7a 32 54 71 41 78 59 56 54 73 51 63 55 6d 68 75 45 39 5a 61 75 62 51 31 6d 77 3d 3d Data Ascii: MNodJD8p=01J/P+wHKXCkRsa+9H3zcgj4+/vzXXsfm7Z2GNrSsGpVToFDl+MNrmCtCY9LHtgP68UtAimdJkIyYeHZreFm0ieIIjfLUhArlCcas4Pfp8FNlSBFcEnttV5nY+i22o0qYqS5OjbZFB+wylZUFrFVJ+x6C1925xn8ZBRSdIYp7V1TZQ11ac1K8XE+z2TqAxYVTsQcUmhuE9ZaubQ1mw==
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Founddate: Mon, 27 May 2024 10:26:48 GMTserver: Apache / ZoneOSlast-modified: Mon, 06 Nov 2023 23:06:18 GMTetag: "1d7b-60983e6d29793"accept-ranges: bytescontent-length: 7547connection: closecontent-type: text/htmlData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 64 65 66 61 75 6c 74 2d 73 72 63 20 27 75 6e 73 61 66 65 2d 69 6e 6c 69 6e 65 27 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 3a 72 6f 6f 74 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2d 2d 69 6c 6c 75 73 74 72 61 74 69 6f 6e 2d 6d 61 69 6e 2d 63 6f 6c 6f 72 3a 20 23 44 38 32 45 32 33 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 3c 2f 73 74 79 6c 65 3e 3c 73 74 79 6c 65 3e 2e 63 75 72 72 65 6e 74 2d 75 72 6c 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 6f 72 64 2d 77 72 61 70 3a 20 62 72 65 61 6b 2d 77 6f 72 64 3b 0a 20 20 20 20 20 20 20 20 7d 3c 2f 73 74 79 6c 65 3e 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3a 72 6f 6f 74 20 7b 0a 20 20 20 20 2d 2d 6d 61 69 6e 2d 74 65 78 74 2d 63 6f 6c 6f 72 3a 20 23 34 45 34 45 34 45 3b 0a 20 20 20 20 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 74 65 78 74 2d 63 6f 6c 6f 72 3a 20 23 39 35 39 35 39 35 3b 0a 0a 20 20 20 20 2d 2d 69 6c 6c 75 73 74 72 61 74 69 6f 6e 2d 6d 61 69 6e 2d 63 6f 6c 6f 72 3a 20 23 43 33 43 33 43 43 3b 0a 0a 20 20 20 20 2d 2d 62 74 6e 2d 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 30 2e 32 35 72 65 6d 3b 0a 0a 20 20 20 20 2d 2d 70 72 69 6d 61 72 79 2d 62 74 6e 2d 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 43 33 43 33 43 43 3b 0a 20 20 20 20 2d 2d 70 72 69 6d 61 72 79 2d 62 74 6e 2d 63 6f 6c 6f 72 3a 20 23 46 43 46 43 46 43 3b 0a 0a 20 20 20 20 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 62 74 6e 2d 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 46 43 46 43 46 43 3b 0a 20 20 20 20 2d 2d 73 65 63 6f 6e 64 61 72 79 2d 62 74 6e 2d 63 6f 6c 6f 72 3a 20 23 43 33 43 33 43 43 3b 0a 0a 20 20 20 20 2d 2d 6d 61 69 6e 2d 69 63 6f 6e 2d 63 6f 6c 6f 72 3a 20 23 43 33 43 33 43 43 3b 0a 7d 0a 0a 2a 20 7b 0a 20 20 20 20 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 35
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Length: 548Content-Type: text/htmlServer: PepyakaX-Wix-Request-Id: 1716805626.077117947411910893X-Content-Type-Options: nosniffAccept-Ranges: bytesDate: Mon, 27 May 2024 10:27:06 GMTX-Served-By: cache-iad-kiad7000099-IADX-Cache: MISSX-Seen-By: yvSunuo/8ld62ehjr5B7kA==,pmHZlB45NPy7b1VBAukQrewfbs+7qUVAqsIx00yI78k=,m0j2EEknGIVUW/liY8BLLk1Uxi5aVwrmRyfWZ8T7SgAMbwluI1yUDJty9McxOlfYVia: 1.1 googleglb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Length: 548Content-Type: text/htmlServer: PepyakaX-Wix-Request-Id: 1716805629.034119434365824675X-Content-Type-Options: nosniffAccept-Ranges: bytesDate: Mon, 27 May 2024 10:27:09 GMTX-Served-By: cache-iad-kjyo7100104-IADX-Cache: MISSX-Seen-By: yvSunuo/8ld62ehjr5B7kA==,vmPhUNXuQemvc7fjBI8NWewfbs+7qUVAqsIx00yI78k=,m0j2EEknGIVUW/liY8BLLkiHzpTYSDRA7u88Ic3Fde4MbwluI1yUDJty9McxOlfYVia: 1.1 googleglb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Length: 548Content-Type: text/htmlServer: PepyakaX-Wix-Request-Id: 1716805631.598117452235112260X-Content-Type-Options: nosniffAccept-Ranges: bytesDate: Mon, 27 May 2024 10:27:11 GMTX-Served-By: cache-iad-kiad7000077-IADX-Cache: MISSX-Seen-By: yvSunuo/8ld62ehjr5B7kA==,vmPhUNXuQemvc7fjBI8NWewfbs+7qUVAqsIx00yI78k=,m0j2EEknGIVUW/liY8BLLucaPCRnkaJkWJZne822xega0sM5c8dDUFHeNaFq0qDuVia: 1.1 googleglb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:28:34 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeAccess-Control-Allow-Origin: http://www.drednents.esVary: Origin, Accept-EncodingAccess-Control-Allow-Credentials: trueX-XSS-Protection: 1; mode=blockX-Frame-Options: DENYX-Download-Options: noopenX-Content-Type-Options: nosniffETag: W/"9-0gXL1ngzMqISxa6S1zx3F4wtLyg"CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OhIcGMmR01kkjvrqYCW4VV7TVvE5WPaaSUblrZpvWTnx75%2BYiU886K695Pq7AymwDUV8l%2Fda3KVOpM%2FVdyLssHfBklwJUy80Z3xD4a3u%2FpCITrFKKl8Fsvm89oDgJ1BmNPX2"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88a551a22e6ac440-EWRalt-svc: h3=":443"; ma=86400Data Raw: 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: Not Found
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:28:37 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeAccess-Control-Allow-Origin: http://www.drednents.esVary: Origin, Accept-EncodingAccess-Control-Allow-Credentials: trueX-XSS-Protection: 1; mode=blockX-Frame-Options: DENYX-Download-Options: noopenX-Content-Type-Options: nosniffETag: W/"9-0gXL1ngzMqISxa6S1zx3F4wtLyg"CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jnh5c%2FHwAo6dFHY4CvECsCLj72s7NOt1qSK547%2BCdamrtz%2BNQlwJxS%2BbggShqLblaPLYNrcF1lhRA68r3O0q8kzOhzZpMAhpCGPf7uKXmz92Syk0QpiN1Eevb4VgElNPsC4J"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88a551b43941c3ff-EWRalt-svc: h3=":443"; ma=86400Data Raw: 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: Not Found
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:28:40 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeAccess-Control-Allow-Origin: http://www.drednents.esVary: Origin, Accept-EncodingAccess-Control-Allow-Credentials: trueX-XSS-Protection: 1; mode=blockX-Frame-Options: DENYX-Download-Options: noopenX-Content-Type-Options: nosniffETag: W/"9-0gXL1ngzMqISxa6S1zx3F4wtLyg"CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i5xB%2B3GYEwb3Ba0Qfk7uJBm778wNTLDE%2FSypKun98MTOgyrHtYxafqkMxEuiifOljZ6bKTka5GU6jYovVif2IOH1VZwrzL1h%2B9H9Kd6bcn2%2BsGYhCYRtUsMaoX1Ha%2FkaVs4j"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88a551c3f84e42e1-EWRalt-svc: h3=":443"; ma=86400Data Raw: 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: Not Found
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:28:42 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeVary: Origin, Accept-EncodingAccess-Control-Allow-Credentials: trueX-XSS-Protection: 1; mode=blockX-Frame-Options: DENYX-Download-Options: noopenX-Content-Type-Options: nosniffETag: W/"9-0gXL1ngzMqISxa6S1zx3F4wtLyg"CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FiPQzWNjWjLh6eNZ3w48BGVu6%2FpbXKJzPDnpo6OOGJF2sQwribnxRIaiEZtmte3pi5DpKY1f8QQK4vpCxjHfhQqq6Kg46lT7oytk2yvhhL2tiwYPbVP8QMtB46jHMxazpMuR"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88a551d3cb8a4204-EWRalt-svc: h3=":443"; ma=86400Data Raw: 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: Not Found
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:29:17 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:29:19 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:29:22 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:29:25 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://omilux.vn/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Mon, 27 May 2024 10:29:32 GMTserver: LiteSpeedData Raw: 63 30 39 0d 0a 60 28 02 80 fc a9 99 7e 9d 6d 2a 08 9a 48 a4 03 90 20 75 53 a6 8f 1c c7 b5 da f1 40 c0 23 89 5d 12 40 00 50 a2 22 b3 fe d3 ff a2 4c f5 af a3 4a 4a 57 95 ff 6f ae 7c fe ea 2a 2b 5c 95 2a 5b f3 ff 4c 0e 93 23 84 81 6c 2e bb 07 4c d9 2d 11 58 36 02 80 5d 95 ac 93 7d 8c 59 37 e7 bf 01 82 93 ec 4a 53 8f 12 60 7a b2 ce f5 67 bf 55 15 fa e8 3d b4 43 77 4f d0 e3 26 74 6d 6b 56 53 4a 7c 52 54 be 1e 05 3b d4 1a 2e 95 ae a9 57 01 90 36 f4 de e3 27 68 66 33 8e e0 ba 6f 37 d4 36 21 aa 03 b0 f8 9e c4 2f 27 d1 47 ef c5 77 4f 1e 4f 28 7d c2 ac 1e da 02 e7 a2 f1 8b af 4b b2 a6 68 b8 f3 10 4a 1c b6 79 af d8 38 eb 4c a5 5a 28 48 7e 17 75 67 eb c4 b8 3a 1d 2a 9d 66 19 a6 6b 4a d7 47 2e 1e 8e 17 65 3a d5 f6 43 72 d2 e9 d0 b5 ce 8a c4 36 d6 d6 e4 9b 37 1e fb ea 02 ec 9f cc 05 70 b0 26 74 6d 7c 6d 42 d7 26 7e e1 ca e7 bc 03 54 22 43 25 b8 47 a4 87 a3 d0 57 76 38 a6 64 7e ef e7 f1 18 47 d2 88 be 03 1d 92 7f 5a 79 af 6d 77 02 37 8f 09 3f f9 6d 1b 73 67 8e 26 f8 f9 9c 25 dd e6 da 74 44 40 30 41 b5 e7 b5 36 47 81 8f 26 15 1a 46 53 f1 32 f4 ed ca 80 d7 8c a0 c5 fc 57 a7 5e f0 16 ca 8c c4 7e ba 27 0e 1f 33 a1 b4 66 02 08 67 af af 3c 32 36 a8 4e fd 0a 12 9d 55 68 56 d1 f2 08 3f 19 ee 03 fa e6 bd 2f 50 bd 7e 9f 09 9d b2 75 b2 45 14 35 21 58 5f a4 e9 c5 70 1f 3a 78 e0 10 67 e3 a4 75 e0 7d 0a 7e 24 9f 7a 30 29 a2 f4 c9 4d 02 b5 ad 2f 79 0d 48 9b 80 da 58 1b 41 d1 17 9e f4 b7 21 8a 3e 7c f5 9b ae 91 7f fd fb 6f 1a d9 e6 f5 ef 7f e9 50 50 af ff f8 93 46 af fe 21 1a 24 1a 83 8e af fe 82 2e af fe da 4f 2a d7 a3 a1 8a 8f e8 96 ad 11 bc 05 47 ca 3a a9 17 df 7f 1e d4 24 28 c0 1b 7b fb 07 b8 d4 67 a5 34 61 a8 35 5b 30 64 39 43 e1 62 a1 c4 a9 50 c9 56 be 75 ef 8d 4e 56 c0 ab aa 51 2f 1a e8 38 ad 87 21 03 3f b9 e2 67 a1 2f 7b 08 b8 c0 7e 8a 60 95 12 e3 6a 4c f0 33 e8 27 2a 6e af f8 59 b8 58 c0 05 4e de 2c 31 c1 cf 94 24 c0 c4 b9 56 a6 06 16 e4 f6 29 e4 dd 68 4c 70 ef 5a dc 33 61 82 3d ef e0 b9 c7 c5 ed 1d c1 95 38 98 0a 0e 9e e7 8f 3a 5e c3 17 c7 7b 10 e1 00 a8 c9 04 2b 9d 8c cf 17 17 f8 a4 ac 8e 3a 5b 1a 0c 2e 2b ed 6d 6b b8 f4 69 ce f2 2c cd f2 b4 35 75 52 52 e4 de d6 98 60 d8 26 fe 8e 1a 44 df e2 b8 d8 65 19 c1 f5 8a 1e 04 17 f9 72 4b b0 e0 d6 e9 14 37 cb 18 09 56 9d 28 0d b9 0a de 6d 1c 89 8b 6d ea 1f e0 f8 8d 0a e0 5a 74 7e 3b 1b 7c 85 f7 c0 8b 46 14 7d 78 e8 19 83 85 ae 91 3f f4 19 f0 85 46 b6 f9 6f e5 ae 43 41 25 88 8d 46 90 aa 8c c1 60 12 b1 43 97 bf 2b f1 7e 82 09 96 10 86 51 de 6e 98 e0 5c 5a f7 85 0f 5e 31 23 c1 99 71 e0 73 41 8e 0d b2 b4 26 54 32 70 3b 04 07 ee 6a 08 a1 ea 10 ef e9 e0 2e 5f 1a a5 83 3b ec f4 b7 d0 d9 96 07 b0 3e f9 a9 2f af 95 bb de e9 8b 00 ae 7b e1 83 Data Ascii: c09`(
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://omilux.vn/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Mon, 27 May 2024 10:29:35 GMTserver: LiteSpeedData Raw: 63 30 39 0d 0a 60 28 02 80 fc a9 99 7e 9d 6d 2a 08 9a 48 a4 03 90 20 75 53 a6 8f 1c c7 b5 da f1 40 c0 23 89 5d 12 40 00 50 a2 22 b3 fe d3 ff a2 4c f5 af a3 4a 4a 57 95 ff 6f ae 7c fe ea 2a 2b 5c 95 2a 5b f3 ff 4c 0e 93 23 84 81 6c 2e bb 07 4c d9 2d 11 58 36 02 80 5d 95 ac 93 7d 8c 59 37 e7 bf 01 82 93 ec 4a 53 8f 12 60 7a b2 ce f5 67 bf 55 15 fa e8 3d b4 43 77 4f d0 e3 26 74 6d 6b 56 53 4a 7c 52 54 be 1e 05 3b d4 1a 2e 95 ae a9 57 01 90 36 f4 de e3 27 68 66 33 8e e0 ba 6f 37 d4 36 21 aa 03 b0 f8 9e c4 2f 27 d1 47 ef c5 77 4f 1e 4f 28 7d c2 ac 1e da 02 e7 a2 f1 8b af 4b b2 a6 68 b8 f3 10 4a 1c b6 79 af d8 38 eb 4c a5 5a 28 48 7e 17 75 67 eb c4 b8 3a 1d 2a 9d 66 19 a6 6b 4a d7 47 2e 1e 8e 17 65 3a d5 f6 43 72 d2 e9 d0 b5 ce 8a c4 36 d6 d6 e4 9b 37 1e fb ea 02 ec 9f cc 05 70 b0 26 74 6d 7c 6d 42 d7 26 7e e1 ca e7 bc 03 54 22 43 25 b8 47 a4 87 a3 d0 57 76 38 a6 64 7e ef e7 f1 18 47 d2 88 be 03 1d 92 7f 5a 79 af 6d 77 02 37 8f 09 3f f9 6d 1b 73 67 8e 26 f8 f9 9c 25 dd e6 da 74 44 40 30 41 b5 e7 b5 36 47 81 8f 26 15 1a 46 53 f1 32 f4 ed ca 80 d7 8c a0 c5 fc 57 a7 5e f0 16 ca 8c c4 7e ba 27 0e 1f 33 a1 b4 66 02 08 67 af af 3c 32 36 a8 4e fd 0a 12 9d 55 68 56 d1 f2 08 3f 19 ee 03 fa e6 bd 2f 50 bd 7e 9f 09 9d b2 75 b2 45 14 35 21 58 5f a4 e9 c5 70 1f 3a 78 e0 10 67 e3 a4 75 e0 7d 0a 7e 24 9f 7a 30 29 a2 f4 c9 4d 02 b5 ad 2f 79 0d 48 9b 80 da 58 1b 41 d1 17 9e f4 b7 21 8a 3e 7c f5 9b ae 91 7f fd fb 6f 1a d9 e6 f5 ef 7f e9 50 50 af ff f8 93 46 af fe 21 1a 24 1a 83 8e af fe 82 2e af fe da 4f 2a d7 a3 a1 8a 8f e8 96 ad 11 bc 05 47 ca 3a a9 17 df 7f 1e d4 24 28 c0 1b 7b fb 07 b8 d4 67 a5 34 61 a8 35 5b 30 64 39 43 e1 62 a1 c4 a9 50 c9 56 be 75 ef 8d 4e 56 c0 ab aa 51 2f 1a e8 38 ad 87 21 03 3f b9 e2 67 a1 2f 7b 08 b8 c0 7e 8a 60 95 12 e3 6a 4c f0 33 e8 27 2a 6e af f8 59 b8 58 c0 05 4e de 2c 31 c1 cf 94 24 c0 c4 b9 56 a6 06 16 e4 f6 29 e4 dd 68 4c 70 ef 5a dc 33 61 82 3d ef e0 b9 c7 c5 ed 1d c1 95 38 98 0a 0e 9e e7 8f 3a 5e c3 17 c7 7b 10 e1 00 a8 c9 04 2b 9d 8c cf 17 17 f8 a4 ac 8e 3a 5b 1a 0c 2e 2b ed 6d 6b b8 f4 69 ce f2 2c cd f2 b4 35 75 52 52 e4 de d6 98 60 d8 26 fe 8e 1a 44 df e2 b8 d8 65 19 c1 f5 8a 1e 04 17 f9 72 4b b0 e0 d6 e9 14 37 cb 18 09 56 9d 28 0d b9 0a de 6d 1c 89 8b 6d ea 1f e0 f8 8d 0a e0 5a 74 7e 3b 1b 7c 85 f7 c0 8b 46 14 7d 78 e8 19 83 85 ae 91 3f f4 19 f0 85 46 b6 f9 6f e5 ae 43 41 25 88 8d 46 90 aa 8c c1 60 12 b1 43 97 bf 2b f1 7e 82 09 96 10 86 51 de 6e 98 e0 5c 5a f7 85 0f 5e 31 23 c1 99 71 e0 73 41 8e 0d b2 b4 26 54 32 70 3b 04 07 ee 6a 08 a1 ea 10 ef e9 e0 2e 5f 1a a5 83 3b ec f4 b7 d0 d9 96 07 b0 3e f9 a9 2f af 95 bb de e9 8b 00 ae 7b e1 83 Data Ascii: c09`(
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://omilux.vn/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Mon, 27 May 2024 10:29:37 GMTserver: LiteSpeedData Raw: 63 30 39 0d 0a 60 28 02 80 fc a9 99 7e 9d 6d 2a 08 9a 48 a4 03 90 20 75 53 a6 8f 1c c7 b5 da f1 40 c0 23 89 5d 12 40 00 50 a2 22 b3 fe d3 ff a2 4c f5 af a3 4a 4a 57 95 ff 6f ae 7c fe ea 2a 2b 5c 95 2a 5b f3 ff 4c 0e 93 23 84 81 6c 2e bb 07 4c d9 2d 11 58 36 02 80 5d 95 ac 93 7d 8c 59 37 e7 bf 01 82 93 ec 4a 53 8f 12 60 7a b2 ce f5 67 bf 55 15 fa e8 3d b4 43 77 4f d0 e3 26 74 6d 6b 56 53 4a 7c 52 54 be 1e 05 3b d4 1a 2e 95 ae a9 57 01 90 36 f4 de e3 27 68 66 33 8e e0 ba 6f 37 d4 36 21 aa 03 b0 f8 9e c4 2f 27 d1 47 ef c5 77 4f 1e 4f 28 7d c2 ac 1e da 02 e7 a2 f1 8b af 4b b2 a6 68 b8 f3 10 4a 1c b6 79 af d8 38 eb 4c a5 5a 28 48 7e 17 75 67 eb c4 b8 3a 1d 2a 9d 66 19 a6 6b 4a d7 47 2e 1e 8e 17 65 3a d5 f6 43 72 d2 e9 d0 b5 ce 8a c4 36 d6 d6 e4 9b 37 1e fb ea 02 ec 9f cc 05 70 b0 26 74 6d 7c 6d 42 d7 26 7e e1 ca e7 bc 03 54 22 43 25 b8 47 a4 87 a3 d0 57 76 38 a6 64 7e ef e7 f1 18 47 d2 88 be 03 1d 92 7f 5a 79 af 6d 77 02 37 8f 09 3f f9 6d 1b 73 67 8e 26 f8 f9 9c 25 dd e6 da 74 44 40 30 41 b5 e7 b5 36 47 81 8f 26 15 1a 46 53 f1 32 f4 ed ca 80 d7 8c a0 c5 fc 57 a7 5e f0 16 ca 8c c4 7e ba 27 0e 1f 33 a1 b4 66 02 08 67 af af 3c 32 36 a8 4e fd 0a 12 9d 55 68 56 d1 f2 08 3f 19 ee 03 fa e6 bd 2f 50 bd 7e 9f 09 9d b2 75 b2 45 14 35 21 58 5f a4 e9 c5 70 1f 3a 78 e0 10 67 e3 a4 75 e0 7d 0a 7e 24 9f 7a 30 29 a2 f4 c9 4d 02 b5 ad 2f 79 0d 48 9b 80 da 58 1b 41 d1 17 9e f4 b7 21 8a 3e 7c f5 9b ae 91 7f fd fb 6f 1a d9 e6 f5 ef 7f e9 50 50 af ff f8 93 46 af fe 21 1a 24 1a 83 8e af fe 82 2e af fe da 4f 2a d7 a3 a1 8a 8f e8 96 ad 11 bc 05 47 ca 3a a9 17 df 7f 1e d4 24 28 c0 1b 7b fb 07 b8 d4 67 a5 34 61 a8 35 5b 30 64 39 43 e1 62 a1 c4 a9 50 c9 56 be 75 ef 8d 4e 56 c0 ab aa 51 2f 1a e8 38 ad 87 21 03 3f b9 e2 67 a1 2f 7b 08 b8 c0 7e 8a 60 95 12 e3 6a 4c f0 33 e8 27 2a 6e af f8 59 b8 58 c0 05 4e de 2c 31 c1 cf 94 24 c0 c4 b9 56 a6 06 16 e4 f6 29 e4 dd 68 4c 70 ef 5a dc 33 61 82 3d ef e0 b9 c7 c5 ed 1d c1 95 38 98 0a 0e 9e e7 8f 3a 5e c3 17 c7 7b 10 e1 00 a8 c9 04 2b 9d 8c cf 17 17 f8 a4 ac 8e 3a 5b 1a 0c 2e 2b ed 6d 6b b8 f4 69 ce f2 2c cd f2 b4 35 75 52 52 e4 de d6 98 60 d8 26 fe 8e 1a 44 df e2 b8 d8 65 19 c1 f5 8a 1e 04 17 f9 72 4b b0 e0 d6 e9 14 37 cb 18 09 56 9d 28 0d b9 0a de 6d 1c 89 8b 6d ea 1f e0 f8 8d 0a e0 5a 74 7e 3b 1b 7c 85 f7 c0 8b 46 14 7d 78 e8 19 83 85 ae 91 3f f4 19 f0 85 46 b6 f9 6f e5 ae 43 41 25 88 8d 46 90 aa 8c c1 60 12 b1 43 97 bf 2b f1 7e 82 09 96 10 86 51 de 6e 98 e0 5c 5a f7 85 0f 5e 31 23 c1 99 71 e0 73 41 8e 0d b2 b4 26 54 32 70 3b 04 07 ee 6a 08 a1 ea 10 ef e9 e0 2e 5f 1a a5 83 3b ec f4 b7 d0 d9 96 07 b0 3e f9 a9 2f af 95 bb de e9 8b 00 ae 7b e1 83 Data Ascii: c09`(
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Length: 548Content-Type: text/htmlServer: PepyakaX-Wix-Request-Id: 1716805801.268119757392731095X-Content-Type-Options: nosniffAccept-Ranges: bytesDate: Mon, 27 May 2024 10:30:01 GMTX-Served-By: cache-iad-kcgs7200072-IADX-Cache: MISSX-Seen-By: yvSunuo/8ld62ehjr5B7kA==,vmPhUNXuQemvc7fjBI8NWewfbs+7qUVAqsIx00yI78k=,m0j2EEknGIVUW/liY8BLLsNSikLMYkJJqXV1PzQmZDtGkFvVdT2Nq6f3Hedj7ewBVia: 1.1 googleglb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Length: 548Content-Type: text/htmlServer: PepyakaX-Wix-Request-Id: 1716805803.84111874587839152X-Content-Type-Options: nosniffAccept-Ranges: bytesDate: Mon, 27 May 2024 10:30:03 GMTX-Served-By: cache-iad-kiad7000096-IADX-Cache: MISSX-Seen-By: yvSunuo/8ld62ehjr5B7kA==,pmHZlB45NPy7b1VBAukQrewfbs+7qUVAqsIx00yI78k=,m0j2EEknGIVUW/liY8BLLqymrWSBpMfJbY0ZWU2hO35/HubKAh1QhTB6OuUXtTGVVia: 1.1 googleglb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Length: 548Content-Type: text/htmlServer: PepyakaX-Wix-Request-Id: 1716805806.363104087582218950X-Content-Type-Options: nosniffAccept-Ranges: bytesDate: Mon, 27 May 2024 10:30:06 GMTX-Served-By: cache-iad-kcgs7200055-IADX-Cache: MISSX-Seen-By: yvSunuo/8ld62ehjr5B7kA==,VtqAe8Wu9wvSsl49B/X4+ewfbs+7qUVAqsIx00yI78k=,m0j2EEknGIVUW/liY8BLLj7/C5aSAyG//vrZl1d/upnu/2EjeiyKjB/JVOb8T5VeVia: 1.1 googleglb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8X-Wix-Request-Id: 1716805808.8951192553039151Age: 0Server: PepyakaX-Content-Type-Options: nosniffAccept-Ranges: bytesDate: Mon, 27 May 2024 10:30:08 GMTX-Served-By: cache-iad-kiad7000130-IADX-Cache: MISSVary: Accept-EncodingServer-Timing: cache;desc=miss, varnish;desc=miss_miss, dc;desc=fastly_42_gX-Seen-By: yvSunuo/8ld62ehjr5B7kA==,VtqAe8Wu9wvSsl49B/X4+ewfbs+7qUVAqsIx00yI78k=,m0j2EEknGIVUW/liY8BLLqymrWSBpMfJbY0ZWU2hO35/HubKAh1QhTB6OuUXtTGV,2d58ifebGbosy5xc+FRalg55u4YsHu1Axf9AbCDiE0HR2rDcMk1/EfCdRb+nfaeumWhFMN/4tEKWXVII9cYPnA==,2UNV7KOq4oGjA5+PKsX47OQZwYgSPyDAITkAPokfnlQ=,5dtjbdes4FE7bHdX5YvIsEb0dNMLoLpjiFXc+uhJ+7U=,ayd+3ClbVmxEhcfWBRDlsdcDQNw3DVOhs5Iq99Tykaw=,8+sd0p/fB+2vxlJZapYbK3mRoZQxYXSs3LNVUHKP6uGXKROERf8jhXGXq7DZ5tVRCeecs6aOlI8qHz0Wy6F2Ow==Transfer-Encoding: chunkedVia: 1.1 googleglb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=Connection: closeData Raw: 62 65 65 0d 0a 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 0a 20 20 20 20 2d 2d 3e 0a 3c 68 74 6d 6c 20 6e 67 2d 61 70 70 3d 22 77 69 78 45 72 72 6f 72 50 61 67 65 73 41 70 70 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d Data Ascii: bee <!-- --><!doctype html><!-- --><html ng-app="wixErrorPagesApp"><head> <meta name="viewport" content="width=device-width,initial-scale=1, maximum-scale=1, user-scalable=no"> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=
Source: iexpress.exe, 00000010.00000002.3713620631.0000000006C1A000.00000004.10000000.00040000.00000000.sdmp, hbfEEdNoiUG.exe, 00000014.00000002.3712726635.00000000045CA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://browsehappy.com/
Source: inquiry EBS# 82785.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: inquiry EBS# 82785.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: inquiry EBS# 82785.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: iexpress.exe, 00000010.00000002.3713620631.00000000068F6000.00000004.10000000.00040000.00000000.sdmp, hbfEEdNoiUG.exe, 00000014.00000002.3712726635.00000000042A6000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://omilux.vn/hrz3/?MNodJD8p=fkxp32a3AF5wBSwRh5VZfmiY3/puBKP3MVSkTpkPNWOuHUgNKCFzkVmprYkTYGjHw4na
Source: inquiry EBS# 82785.exe, 00000000.00000002.1279975333.000000000284A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: inquiry EBS# 82785.exe String found in binary or memory: http://tempuri.org/DataSet1.xsd#tableLayoutPanel1
Source: iexpress.exe, 00000010.00000002.3713620631.0000000005DF8000.00000004.10000000.00040000.00000000.sdmp, hbfEEdNoiUG.exe, 00000014.00000002.3712726635.00000000037A8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.0bi8.fun/static/admin/css/bootstrap.min.css
Source: iexpress.exe, 00000010.00000002.3713620631.0000000005DF8000.00000004.10000000.00040000.00000000.sdmp, hbfEEdNoiUG.exe, 00000014.00000002.3712726635.00000000037A8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.0bi8.fun/static/admin/css/materialdesignicons.min.css
Source: iexpress.exe, 00000010.00000002.3715766217.0000000008170000.00000004.00000800.00020000.00000000.sdmp, iexpress.exe, 00000010.00000002.3713620631.0000000005DF8000.00000004.10000000.00040000.00000000.sdmp, hbfEEdNoiUG.exe, 00000014.00000002.3712726635.00000000037A8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.0bi8.fun/static/admin/css/style.min.css
Source: iexpress.exe, 00000010.00000002.3715766217.0000000008170000.00000004.00000800.00020000.00000000.sdmp, iexpress.exe, 00000010.00000002.3713620631.0000000005DF8000.00000004.10000000.00040000.00000000.sdmp, hbfEEdNoiUG.exe, 00000014.00000002.3712726635.00000000037A8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.0bi8.fun/static/admin/js/bootstrap.min.js
Source: iexpress.exe, 00000010.00000002.3715766217.0000000008170000.00000004.00000800.00020000.00000000.sdmp, iexpress.exe, 00000010.00000002.3713620631.0000000005DF8000.00000004.10000000.00040000.00000000.sdmp, hbfEEdNoiUG.exe, 00000014.00000002.3712726635.00000000037A8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.0bi8.fun/static/admin/js/jquery.min.js
Source: hbfEEdNoiUG.exe, 00000014.00000002.3714642969.0000000005521000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.geltipleasure.com
Source: hbfEEdNoiUG.exe, 00000014.00000002.3714642969.0000000005521000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.geltipleasure.com/8vpj/
Source: iexpress.exe, 00000010.00000002.3713620631.00000000065D2000.00000004.10000000.00040000.00000000.sdmp, hbfEEdNoiUG.exe, 00000014.00000002.3712726635.0000000003F82000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://yamlex.ru/ji0p/?MNodJD8p=xXD9CQ3N7xKDLchfMZiKEzPna0191/2yPXYla/3jou9aJjDG40/AHObgd4ksmL/dNcSW
Source: iexpress.exe, 00000010.00000003.1618898139.0000000008418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: iexpress.exe, 00000010.00000003.1618898139.0000000008418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: iexpress.exe, 00000010.00000003.1618898139.0000000008418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: iexpress.exe, 00000010.00000003.1618898139.0000000008418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: iexpress.exe, 00000010.00000003.1618898139.0000000008418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: iexpress.exe, 00000010.00000003.1618898139.0000000008418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: iexpress.exe, 00000010.00000003.1618898139.0000000008418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: inquiry EBS# 82785.exe String found in binary or memory: https://github.com/romenrg/genetic-startups
Source: iexpress.exe, 00000010.00000002.3700825150.0000000003259000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: iexpress.exe, 00000010.00000002.3700825150.0000000003259000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: iexpress.exe, 00000010.00000002.3700825150.0000000003259000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: iexpress.exe, 00000010.00000002.3700825150.0000000003259000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: iexpress.exe, 00000010.00000002.3700825150.0000000003259000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: iexpress.exe, 00000010.00000002.3700825150.0000000003259000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: iexpress.exe, 00000010.00000003.1614916845.00000000083FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: iexpress.exe, 00000010.00000002.3713620631.0000000005C66000.00000004.10000000.00040000.00000000.sdmp, hbfEEdNoiUG.exe, 00000014.00000002.3712726635.0000000003616000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.birthingwitht.com/v0eo?MNodJD8p=53hfMKMEN3GhcMKa3FD3GzP2
Source: inquiry EBS# 82785.exe String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: iexpress.exe, 00000010.00000003.1618898139.0000000008418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: iexpress.exe, 00000010.00000003.1618898139.0000000008418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: iexpress.exe, 00000010.00000002.3713620631.0000000006440000.00000004.10000000.00040000.00000000.sdmp, hbfEEdNoiUG.exe, 00000014.00000002.3712726635.0000000003DF0000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.shopnaya.fr/7skl/?f4=xxLl5tHp-byppxH&MNodJD8p=dTL83zpU0xQ9edv6OGiX5dEIo4WZrMM8fLl2Krrsxa

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.1435453576.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3695841773.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3714642969.00000000054D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3712098478.0000000004B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1438597703.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3712203175.0000000004CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1438447735.0000000001830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3712340508.00000000030E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.1435453576.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.3695841773.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000014.00000002.3714642969.00000000054D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.3712098478.0000000004B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.1438597703.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.3712203175.0000000004CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.1438447735.0000000001830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.3712340508.00000000030E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
.NET source code contains very large strings
Source: inquiry EBS# 82785.exe, MainForm.cs Long String: Length: 150953
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0042B0F3 NtClose, 4_2_0042B0F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512B60 NtClose,LdrInitializeThunk, 4_2_01512B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512DF0 NtQuerySystemInformation,LdrInitializeThunk, 4_2_01512DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512C70 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_01512C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015135C0 NtCreateMutant,LdrInitializeThunk, 4_2_015135C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01514340 NtSetContextThread, 4_2_01514340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01514650 NtSuspendThread, 4_2_01514650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512BF0 NtAllocateVirtualMemory, 4_2_01512BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512BE0 NtQueryValueKey, 4_2_01512BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512B80 NtQueryInformationFile, 4_2_01512B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512BA0 NtEnumerateValueKey, 4_2_01512BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512AD0 NtReadFile, 4_2_01512AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512AF0 NtWriteFile, 4_2_01512AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512AB0 NtWaitForSingleObject, 4_2_01512AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512D10 NtMapViewOfSection, 4_2_01512D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512D00 NtSetInformationFile, 4_2_01512D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512D30 NtUnmapViewOfSection, 4_2_01512D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512DD0 NtDelayExecution, 4_2_01512DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512DB0 NtEnumerateKey, 4_2_01512DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512C60 NtCreateKey, 4_2_01512C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512C00 NtQueryInformationProcess, 4_2_01512C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512CC0 NtQueryVirtualMemory, 4_2_01512CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512CF0 NtOpenProcess, 4_2_01512CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512CA0 NtQueryInformationToken, 4_2_01512CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512F60 NtCreateProcessEx, 4_2_01512F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512F30 NtCreateSection, 4_2_01512F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512FE0 NtCreateFile, 4_2_01512FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512F90 NtProtectVirtualMemory, 4_2_01512F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512FB0 NtResumeThread, 4_2_01512FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512FA0 NtQuerySection, 4_2_01512FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512E30 NtWriteVirtualMemory, 4_2_01512E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512EE0 NtQueueApcThread, 4_2_01512EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512E80 NtReadVirtualMemory, 4_2_01512E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512EA0 NtAdjustPrivilegesToken, 4_2_01512EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01513010 NtOpenDirectoryObject, 4_2_01513010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01513090 NtSetValueKey, 4_2_01513090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015139B0 NtGetContextThread, 4_2_015139B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01513D70 NtOpenThread, 4_2_01513D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01513D10 NtOpenProcessToken, 4_2_01513D10
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05134650 NtSuspendThread,LdrInitializeThunk, 16_2_05134650
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05134340 NtSetContextThread,LdrInitializeThunk, 16_2_05134340
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132D10 NtMapViewOfSection,LdrInitializeThunk, 16_2_05132D10
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132D30 NtUnmapViewOfSection,LdrInitializeThunk, 16_2_05132D30
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132DD0 NtDelayExecution,LdrInitializeThunk, 16_2_05132DD0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132DF0 NtQuerySystemInformation,LdrInitializeThunk, 16_2_05132DF0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132C70 NtFreeVirtualMemory,LdrInitializeThunk, 16_2_05132C70
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132C60 NtCreateKey,LdrInitializeThunk, 16_2_05132C60
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132CA0 NtQueryInformationToken,LdrInitializeThunk, 16_2_05132CA0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132F30 NtCreateSection,LdrInitializeThunk, 16_2_05132F30
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132FB0 NtResumeThread,LdrInitializeThunk, 16_2_05132FB0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132FE0 NtCreateFile,LdrInitializeThunk, 16_2_05132FE0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132E80 NtReadVirtualMemory,LdrInitializeThunk, 16_2_05132E80
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132EE0 NtQueueApcThread,LdrInitializeThunk, 16_2_05132EE0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132B60 NtClose,LdrInitializeThunk, 16_2_05132B60
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132BA0 NtEnumerateValueKey,LdrInitializeThunk, 16_2_05132BA0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 16_2_05132BF0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132BE0 NtQueryValueKey,LdrInitializeThunk, 16_2_05132BE0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132AD0 NtReadFile,LdrInitializeThunk, 16_2_05132AD0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132AF0 NtWriteFile,LdrInitializeThunk, 16_2_05132AF0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051335C0 NtCreateMutant,LdrInitializeThunk, 16_2_051335C0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051339B0 NtGetContextThread,LdrInitializeThunk, 16_2_051339B0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132D00 NtSetInformationFile, 16_2_05132D00
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132DB0 NtEnumerateKey, 16_2_05132DB0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132C00 NtQueryInformationProcess, 16_2_05132C00
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132CC0 NtQueryVirtualMemory, 16_2_05132CC0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132CF0 NtOpenProcess, 16_2_05132CF0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132F60 NtCreateProcessEx, 16_2_05132F60
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132F90 NtProtectVirtualMemory, 16_2_05132F90
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132FA0 NtQuerySection, 16_2_05132FA0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132E30 NtWriteVirtualMemory, 16_2_05132E30
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132EA0 NtAdjustPrivilegesToken, 16_2_05132EA0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132B80 NtQueryInformationFile, 16_2_05132B80
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05132AB0 NtWaitForSingleObject, 16_2_05132AB0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05133010 NtOpenDirectoryObject, 16_2_05133010
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05133090 NtSetValueKey, 16_2_05133090
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05133D10 NtOpenProcessToken, 16_2_05133D10
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05133D70 NtOpenThread, 16_2_05133D70
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_03047B20 NtReadFile, 16_2_03047B20
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_030479C0 NtCreateFile, 16_2_030479C0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_03047DE0 NtAllocateVirtualMemory, 16_2_03047DE0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_03047C00 NtDeleteFile, 16_2_03047C00
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_03047C90 NtClose, 16_2_03047C90
Detected potential crypto function
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Code function: 0_2_00E4DAEC 0_2_00E4DAEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004031C0 4_2_004031C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00401200 4_2_00401200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004022D7 4_2_004022D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004022E0 4_2_004022E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0040FBDA 4_2_0040FBDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0040FBE3 4_2_0040FBE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00402C20 4_2_00402C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004024C0 4_2_004024C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0042D543 4_2_0042D543
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00416573 4_2_00416573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0040FE03 4_2_0040FE03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0040DE83 4_2_0040DE83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01568158 4_2_01568158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D0100 4_2_014D0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157A118 4_2_0157A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015981CC 4_2_015981CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A01AA 4_2_015A01AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015941A2 4_2_015941A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01572000 4_2_01572000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0159A352 4_2_0159A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A03E6 4_2_015A03E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014EE3F0 4_2_014EE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01580274 4_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015602C0 4_2_015602C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0535 4_2_014E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A0591 4_2_015A0591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01592446 4_2_01592446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01584420 4_2_01584420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0158E4F6 4_2_0158E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01504750 4_2_01504750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0770 4_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014DC7C0 4_2_014DC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FC6E0 4_2_014FC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F6962 4_2_014F6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E29A0 4_2_014E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015AA9A6 4_2_015AA9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E2840 4_2_014E2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014EA840 4_2_014EA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150E8F0 4_2_0150E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014C68B8 4_2_014C68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0159AB40 4_2_0159AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01596BD7 4_2_01596BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014DEA80 4_2_014DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157CD1F 4_2_0157CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014EAD00 4_2_014EAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014DADE0 4_2_014DADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F8DBF 4_2_014F8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0C00 4_2_014E0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D0CF2 4_2_014D0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01580CB5 4_2_01580CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01554F40 4_2_01554F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01500F30 4_2_01500F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01582F30 4_2_01582F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01522F28 4_2_01522F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D2FC8 4_2_014D2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014ECFE0 4_2_014ECFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0155EFA0 4_2_0155EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0E59 4_2_014E0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0159EE26 4_2_0159EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0159EEDB 4_2_0159EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0159CE93 4_2_0159CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F2E90 4_2_014F2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015AB16B 4_2_015AB16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0151516C 4_2_0151516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014CF172 4_2_014CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014EB1B0 4_2_014EB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E70C0 4_2_014E70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0158F0CC 4_2_0158F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015970E9 4_2_015970E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0159F0E0 4_2_0159F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014CD34C 4_2_014CD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0159132D 4_2_0159132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0152739A 4_2_0152739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FB2C0 4_2_014FB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015812ED 4_2_015812ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E52A0 4_2_014E52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01597571 4_2_01597571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A95C3 4_2_015A95C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157D5B0 4_2_0157D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D1460 4_2_014D1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0159F43F 4_2_0159F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0159F7B0 4_2_0159F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01525630 4_2_01525630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015916CC 4_2_015916CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E9950 4_2_014E9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FB950 4_2_014FB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01575910 4_2_01575910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0154D800 4_2_0154D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E38E0 4_2_014E38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0159FB76 4_2_0159FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01555BF0 4_2_01555BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0151DBF9 4_2_0151DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FFB80 4_2_014FFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0159FA49 4_2_0159FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01597A46 4_2_01597A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01553A6C 4_2_01553A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0158DAC6 4_2_0158DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01525AA0 4_2_01525AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157DAAC 4_2_0157DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01581AA3 4_2_01581AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01591D5A 4_2_01591D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E3D40 4_2_014E3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01597D73 4_2_01597D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FFDC0 4_2_014FFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01559C32 4_2_01559C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0159FCF2 4_2_0159FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0159FF09 4_2_0159FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014A3FD2 4_2_014A3FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014A3FD5 4_2_014A3FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E1F92 4_2_014E1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0159FFB1 4_2_0159FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E9EB0 4_2_014E9EB0
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe Code function: 15_2_033039A2 15_2_033039A2
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe Code function: 15_2_03305974 15_2_03305974
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe Code function: 15_2_033230B4 15_2_033230B4
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe Code function: 15_2_0330C0E4 15_2_0330C0E4
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe Code function: 15_2_03305754 15_2_03305754
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe Code function: 15_2_0330574B 15_2_0330574B
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05100535 16_2_05100535
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051C0591 16_2_051C0591
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051A4420 16_2_051A4420
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051B2446 16_2_051B2446
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051AE4F6 16_2_051AE4F6
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05124750 16_2_05124750
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05100770 16_2_05100770
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_050FC7C0 16_2_050FC7C0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0511C6E0 16_2_0511C6E0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0519A118 16_2_0519A118
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_050F0100 16_2_050F0100
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05188158 16_2_05188158
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051C01AA 16_2_051C01AA
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051B41A2 16_2_051B41A2
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051B81CC 16_2_051B81CC
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05192000 16_2_05192000
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051BA352 16_2_051BA352
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0510E3F0 16_2_0510E3F0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051C03E6 16_2_051C03E6
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051A0274 16_2_051A0274
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051802C0 16_2_051802C0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0519CD1F 16_2_0519CD1F
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0510AD00 16_2_0510AD00
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05118DBF 16_2_05118DBF
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_050FADE0 16_2_050FADE0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05100C00 16_2_05100C00
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051A0CB5 16_2_051A0CB5
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_050F0CF2 16_2_050F0CF2
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05120F30 16_2_05120F30
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051A2F30 16_2_051A2F30
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05142F28 16_2_05142F28
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05174F40 16_2_05174F40
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0517EFA0 16_2_0517EFA0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_050F2FC8 16_2_050F2FC8
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0510CFE0 16_2_0510CFE0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051BEE26 16_2_051BEE26
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05100E59 16_2_05100E59
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05112E90 16_2_05112E90
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051BCE93 16_2_051BCE93
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051BEEDB 16_2_051BEEDB
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05116962 16_2_05116962
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051029A0 16_2_051029A0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051CA9A6 16_2_051CA9A6
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0510A840 16_2_0510A840
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05102840 16_2_05102840
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_050E68B8 16_2_050E68B8
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0512E8F0 16_2_0512E8F0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051BAB40 16_2_051BAB40
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051B6BD7 16_2_051B6BD7
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_050FEA80 16_2_050FEA80
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051B7571 16_2_051B7571
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0519D5B0 16_2_0519D5B0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051C95C3 16_2_051C95C3
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051BF43F 16_2_051BF43F
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_050F1460 16_2_050F1460
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051BF7B0 16_2_051BF7B0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05145630 16_2_05145630
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051B16CC 16_2_051B16CC
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051CB16B 16_2_051CB16B
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_050EF172 16_2_050EF172
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0513516C 16_2_0513516C
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0510B1B0 16_2_0510B1B0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051070C0 16_2_051070C0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051AF0CC 16_2_051AF0CC
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051B70E9 16_2_051B70E9
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051BF0E0 16_2_051BF0E0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051B132D 16_2_051B132D
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_050ED34C 16_2_050ED34C
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0514739A 16_2_0514739A
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051052A0 16_2_051052A0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0511B2C0 16_2_0511B2C0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051A12ED 16_2_051A12ED
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051B1D5A 16_2_051B1D5A
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05103D40 16_2_05103D40
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051B7D73 16_2_051B7D73
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0511FDC0 16_2_0511FDC0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05179C32 16_2_05179C32
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051BFCF2 16_2_051BFCF2
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051BFF09 16_2_051BFF09
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05101F92 16_2_05101F92
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051BFFB1 16_2_051BFFB1
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05109EB0 16_2_05109EB0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05195910 16_2_05195910
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05109950 16_2_05109950
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0511B950 16_2_0511B950
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0516D800 16_2_0516D800
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051038E0 16_2_051038E0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051BFB76 16_2_051BFB76
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0511FB80 16_2_0511FB80
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05175BF0 16_2_05175BF0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0513DBF9 16_2_0513DBF9
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051BFA49 16_2_051BFA49
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051B7A46 16_2_051B7A46
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05173A6C 16_2_05173A6C
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_05145AA0 16_2_05145AA0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0519DAAC 16_2_0519DAAC
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051A1AA3 16_2_051A1AA3
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_051ADAC6 16_2_051ADAC6
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_030315D0 16_2_030315D0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0304A0E0 16_2_0304A0E0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0302C777 16_2_0302C777
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0302C780 16_2_0302C780
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0302AA20 16_2_0302AA20
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0302C9A0 16_2_0302C9A0
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_03033110 16_2_03033110
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0154EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 01515130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0155F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 014CB970 appears 277 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 01527E54 appears 111 times
Source: C:\Windows\SysWOW64\iexpress.exe Code function: String function: 05135130 appears 58 times
Source: C:\Windows\SysWOW64\iexpress.exe Code function: String function: 0516EA12 appears 86 times
Source: C:\Windows\SysWOW64\iexpress.exe Code function: String function: 05147E54 appears 111 times
Source: C:\Windows\SysWOW64\iexpress.exe Code function: String function: 0517F290 appears 105 times
Source: C:\Windows\SysWOW64\iexpress.exe Code function: String function: 050EB970 appears 277 times
PE / OLE file has an invalid certificate
Source: inquiry EBS# 82785.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: inquiry EBS# 82785.exe, 00000000.00000002.1290491442.00000000099AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs inquiry EBS# 82785.exe
Source: inquiry EBS# 82785.exe, 00000000.00000002.1282468867.0000000003CC9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs inquiry EBS# 82785.exe
Source: inquiry EBS# 82785.exe, 00000000.00000002.1286900849.0000000005110000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs inquiry EBS# 82785.exe
Source: inquiry EBS# 82785.exe, 00000000.00000000.1231344660.00000000004D0000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameHSfy.exe( vs inquiry EBS# 82785.exe
Source: inquiry EBS# 82785.exe, 00000000.00000002.1289449353.0000000006E50000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs inquiry EBS# 82785.exe
Source: inquiry EBS# 82785.exe, 00000000.00000002.1269901185.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs inquiry EBS# 82785.exe
Source: inquiry EBS# 82785.exe Binary or memory string: OriginalFilenameHSfy.exe( vs inquiry EBS# 82785.exe
Uses 32bit PE files
Source: inquiry EBS# 82785.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.1435453576.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.3695841773.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000002.3714642969.00000000054D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.3712098478.0000000004B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.1438597703.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.3712203175.0000000004CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.1438447735.0000000001830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.3712340508.00000000030E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: inquiry EBS# 82785.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, N6DDnZAE4yvHR3hqWD.cs Security API names: _0020.SetAccessControl
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, N6DDnZAE4yvHR3hqWD.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, N6DDnZAE4yvHR3hqWD.cs Security API names: _0020.AddAccessRule
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, tnLdWEBm0adCBNA3Ol.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, tnLdWEBm0adCBNA3Ol.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, N6DDnZAE4yvHR3hqWD.cs Security API names: _0020.SetAccessControl
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, N6DDnZAE4yvHR3hqWD.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, N6DDnZAE4yvHR3hqWD.cs Security API names: _0020.AddAccessRule
Source: 0.2.inquiry EBS# 82785.exe.4fe0000.3.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.inquiry EBS# 82785.exe.28314bc.0.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.inquiry EBS# 82785.exe.28214b0.1.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@10/7@16/9
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\inquiry EBS# 82785.exe.log Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Mutant created: \Sessions\1\BaseNamedObjects\sRiNlhJhKYvesmCFruYR
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4656:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hrju2tjp.gy3.ps1 Jump to behavior
Source: inquiry EBS# 82785.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: inquiry EBS# 82785.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: iexpress.exe, 00000010.00000003.1615643890.0000000003296000.00000004.00000020.00020000.00000000.sdmp, iexpress.exe, 00000010.00000002.3700825150.00000000032C1000.00000004.00000020.00020000.00000000.sdmp, iexpress.exe, 00000010.00000003.1615951059.00000000032B6000.00000004.00000020.00020000.00000000.sdmp, iexpress.exe, 00000010.00000002.3700825150.00000000032E4000.00000004.00000020.00020000.00000000.sdmp, iexpress.exe, 00000010.00000002.3700825150.00000000032B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: inquiry EBS# 82785.exe ReversingLabs: Detection: 68%
Source: inquiry EBS# 82785.exe String found in binary or memory: Form3!Types of Squares-Startup life evolution%Genetic AlgorithmsyPopulation: chromosomes encoding starting cell and movementsYOperators: selection, crossover and mutation
Source: inquiry EBS# 82785.exe String found in binary or memory: Source code available on Github under MIT license: https://github.com/romenrg/genetic-startups
Source: unknown Process created: C:\Users\user\Desktop\inquiry EBS# 82785.exe "C:\Users\user\Desktop\inquiry EBS# 82785.exe"
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\inquiry EBS# 82785.exe"
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe Process created: C:\Windows\SysWOW64\iexpress.exe "C:\Windows\SysWOW64\iexpress.exe"
Source: C:\Windows\SysWOW64\iexpress.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\inquiry EBS# 82785.exe" Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe Process created: C:\Windows\SysWOW64\iexpress.exe "C:\Windows\SysWOW64\iexpress.exe" Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: inquiry EBS# 82785.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: inquiry EBS# 82785.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: inquiry EBS# 82785.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: iexpress.pdbGCTL source: RegSvcs.exe, 00000004.00000002.1435957062.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, hbfEEdNoiUG.exe, 0000000F.00000002.3708916103.0000000000AAF000.00000004.00000020.00020000.00000000.sdmp, hbfEEdNoiUG.exe, 0000000F.00000003.1360746245.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: hbfEEdNoiUG.exe, 0000000F.00000000.1347277326.000000000052E000.00000002.00000001.01000000.0000000D.sdmp, hbfEEdNoiUG.exe, 00000014.00000002.3695839640.000000000052E000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000004.00000002.1436661246.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, iexpress.exe, 00000010.00000003.1434430531.0000000004D6B000.00000004.00000020.00020000.00000000.sdmp, iexpress.exe, 00000010.00000002.3712669732.00000000050C0000.00000040.00001000.00020000.00000000.sdmp, iexpress.exe, 00000010.00000002.3712669732.000000000525E000.00000040.00001000.00020000.00000000.sdmp, iexpress.exe, 00000010.00000003.1438240479.0000000004F17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000004.00000002.1436661246.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, iexpress.exe, iexpress.exe, 00000010.00000003.1434430531.0000000004D6B000.00000004.00000020.00020000.00000000.sdmp, iexpress.exe, 00000010.00000002.3712669732.00000000050C0000.00000040.00001000.00020000.00000000.sdmp, iexpress.exe, 00000010.00000002.3712669732.000000000525E000.00000040.00001000.00020000.00000000.sdmp, iexpress.exe, 00000010.00000003.1438240479.0000000004F17000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: HSfy.pdb source: inquiry EBS# 82785.exe
Source: Binary string: HSfy.pdbSHA256uT source: inquiry EBS# 82785.exe
Source: Binary string: iexpress.pdb source: RegSvcs.exe, 00000004.00000002.1435957062.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, hbfEEdNoiUG.exe, 0000000F.00000002.3708916103.0000000000AAF000.00000004.00000020.00020000.00000000.sdmp, hbfEEdNoiUG.exe, 0000000F.00000003.1360746245.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: inquiry EBS# 82785.exe, MainForm.cs .Net Code: createBasicLayout
Source: 0.2.inquiry EBS# 82785.exe.5110000.4.raw.unpack, LoginForm.cs .Net Code: _206B_206C_202A_202D_206F_206F_206C_202D_206A_202A_200B_206C_206E_206A_206D_206B_202C_206E_200C_206F_200D_206D_200C_200F_202C_206C_202E_206B_202B_202E_206E_206B_206B_206D_206C_202C_200D_202E_202C_200E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, N6DDnZAE4yvHR3hqWD.cs .Net Code: KobSdoegIX System.Reflection.Assembly.Load(byte[])
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, N6DDnZAE4yvHR3hqWD.cs .Net Code: KobSdoegIX System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Code function: 0_2_00E446BF push ebx; retf 0_2_00E446C2
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Code function: 0_2_00E446B9 push ebx; retf 0_2_00E446BA
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Code function: 0_2_00E446BB push edx; retf 0_2_00E446BE
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Code function: 0_2_00E44659 push edx; retf 0_2_00E4465A
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Code function: 0_2_00E447AF push esi; retf 0_2_00E447B2
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Code function: 0_2_04D88678 push eax; mov dword ptr [esp], ecx 0_2_04D8867C
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Code function: 0_2_04D88668 push eax; mov dword ptr [esp], ecx 0_2_04D8867C
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Code function: 0_2_04D8914F push eax; ret 0_2_04D89183
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0040203C pushad ; ret 4_2_00402042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0040D154 push esi; ret 4_2_0040D155
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0041A1BE push edx; ret 4_2_0041A1D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0041EAAE push ss; iretd 4_2_0041EAAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0041E3C8 push ecx; ret 4_2_0041E3C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_004113D3 push edi; retf 4_2_004113DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00423B93 push ebp; retf 4_2_00423CE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00403460 push eax; ret 4_2_00403462
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0040B5DD push esi; iretd 4_2_0040B5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00413E03 push ds; retn F391h 4_2_00413F8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00418602 push edx; retf 4_2_00418603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00401EF2 pushad ; ret 4_2_00402042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014A225F pushad ; ret 4_2_014A27F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014A27FA pushad ; ret 4_2_014A27F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D09AD push ecx; mov dword ptr [esp], ecx 4_2_014D09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014A283D push eax; iretd 4_2_014A2858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014A135E push eax; iretd 4_2_014A1369
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe Code function: 15_2_0330E173 push edx; retf 15_2_0330E174
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe Code function: 15_2_0330114E push esi; iretd 15_2_03301151
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe Code function: 15_2_033191B4 pushad ; ret 15_2_03319203
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe Code function: 15_2_0331918C pushad ; ret 15_2_03319203
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe Code function: 15_2_0331909E push 847ADC32h; iretd 15_2_033190BE
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe Code function: 15_2_03306F38 push edi; retf 15_2_03306F4B
Source: inquiry EBS# 82785.exe Static PE information: section name: .text entropy: 7.016429660921763
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, ETrjv8IYxg1HvPn0mi.cs High entropy of concatenated method names: 'Dispose', 'oJPLG0wCLh', 'PHc4hhDg6w', 'Yfh88KKC6O', 'ycMLywcvcM', 'U6cLzpIXXd', 'ProcessDialogKey', 'qwu4MAmFUE', 'uli4LfJmyt', 'z3P448YVei'
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, weB2bgYHln34b4aHPv.cs High entropy of concatenated method names: 'QYFdkbUJW', 'uWhH5A9oq', 'GApWXWukE', 'Qf1v5URli', 'h8Sc1xZk9', 'tkuOoVKU3', 'f5DXDnGxOYXejxSTef', 'RlkgjMKkBSi4rOSlm7', 'f6rrTqrpp', 'MeLqsSADG'
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, akkPSDMK8o6Wg6tbP2W.cs High entropy of concatenated method names: 'bmC9XW6Z6P', 'nWp9oxEG3Q', 'NFt9dqXkeG', 'xuD9HGhXu4', 'CZA9BE0453', 'gOr9WoBBIB', 'rxF9vUW4fd', 'Prr9YNI40N', 'dbd9c7qPLv', 'kgN9OoAJsx'
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, DnGbZoaby7dWafu41v.cs High entropy of concatenated method names: 'e0ikXVP1RW', 'z2okoAW1H6', 'hkvkdRwFXg', 'D56kHDBA0P', 'QKtkBy8s6t', 'IkpkWFpb5G', 'jJ0kv7DjXi', 'bB2kYppMAX', 'miIkckCjGO', 'WQTkOutsXR'
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, rjC4Ir4lvWsr8PLw9r.cs High entropy of concatenated method names: 'pJJ7DvLjKp', 'UnJ7yR6VEy', 'GC4rM0nyqk', 'ANqrL3E0YV', 'Q0h75Jhlp8', 'pFW7V27jov', 'zK37gKigH5', 'Or77eyYMLt', 'sYm7mpRBT1', 'QWy7EhNffE'
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, bDuPk7MMytu11itw4iq.cs High entropy of concatenated method names: 'ToString', 'FyyqxuceCX', 'tUkqS41nd5', 'igZqaqTYlN', 'CPRqlf16K1', 'Y2HqNKDNJt', 'jQTqsJ7Y9T', 'RZdqiFqrNg', 'eBKVlmyCuMVDKR8IqPR', 'bTMS1GybavJWMsLayLV'
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, FtMufWMYvQ2VjJiLG7M.cs High entropy of concatenated method names: 'B2hqXsFJyl', 'HGAqoxmgns', 'OW1qd9J9oM', 'YInRsjyLjYfT4Uypy5Y', 'wF1GkmyFaTDxLUBbBm8', 'wvl28UyzOolrKFVpn9J', 'abRAHCq2WxuNO2gyTU1', 'kXtAZ2qX5l4ihSRgVIU'
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, TtXuHOVjoa3ddPEElw.cs High entropy of concatenated method names: 'zHFnaZ3TIb', 'EVTnNlZqxi', 'RRsniLRkBG', 'c0gnkJkwpB', 'UVnnpTMoKr', 'utwiK6aSwK', 'THHiAgKTiA', 'W62iZfeJHA', 'WEQiDDt04u', 'ELliG7S9au'
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, xvhxQQx1VqoiIGOhgR.cs High entropy of concatenated method names: 'SpqsHq6NYp', 'fKdsWVvUff', 'VCNsY0pSjm', 'g82scOtOX3', 'jvist7YgR0', 'yIDs2da2ux', 'shBs7wZTPt', 'TO3srD3XxA', 'xZBs9pk7IK', 'OdDsqi5G3E'
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, gM95yfGj9RTfd9Vjt2.cs High entropy of concatenated method names: 'gcJiBjtVHT', 'CbaivIiEaq', 'k83sufThmq', 'gEasPig56m', 'RwasIbsDJs', 'vbus0bgCEe', 'OSXsJmKoaM', 'iH3sb5iPwc', 'eWnswFgrIx', 'oeWsF13ZsU'
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, kSceeLHm7i2YCV0APC.cs High entropy of concatenated method names: 'V4PtFH6uhv', 'JnWtVf4KLx', 'jw6teTRBNo', 'zAEtmUr6NE', 'ktPthWtPl3', 'zAmtu6trV2', 'ExWtPKyifk', 'M4CtIkjCy4', 'zDQt0lltRc', 'vRAtJT1m64'
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, Nm3bAQz0G6h3W4ZbrO.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bSW91FqrQ0', 'maC9t6k6QI', 'gJk92h7pdq', 'Fs797iAPLS', 'FEe9r2q0UX', 'iQW99Dpe9s', 'BZ29qZ5xmT'
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, GAehUb0EjiQekj23xY.cs High entropy of concatenated method names: 'V4qLkkUDBH', 'YWtLpWXa78', 'ToxL3KWSqr', 'mgDL68SECO', 'GOyLtiJpC4', 'YtML2g75rA', 'wtFbRQehGipuvQtXgC', 'UlKT6Jpu8PCN81DRxx', 'xw4LLFMLZ6', 'BB2Lxppsd0'
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, Mc1lp8us5WUHqZfxl6.cs High entropy of concatenated method names: 'B641YagALZ', 'wkX1cebAGp', 'fgi1CGJ2y6', 'jnd1hIQRDK', 'HGO1PaiX6P', 'a6T1ILGc80', 'a0R1JmB2l3', 'zKf1bcOrtV', 'c7x1F4PNrE', 'GZH15LlCql'
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, TRb9De1bjl2tJfPoiq.cs High entropy of concatenated method names: 'BbR9LJ0BLE', 'NR29xJ26P2', 'PBS9SPlGD4', 'm5u9lrmbSA', 'kPP9NtP58U', 'RZi9iUarg5', 'FIs9nsHhbW', 'MearZlOpNB', 'EMErD2fKv7', 'FbQrGmcohx'
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, N6DDnZAE4yvHR3hqWD.cs High entropy of concatenated method names: 'GhxxaYo8hu', 'JbQxlIMmL9', 'OtoxNNwYte', 'fCAxsvSEjB', 'BWExinO1RF', 'YU4xnBQ8Xw', 'xRCxkpH1I5', 'NotxputClH', 'tipxUKGfM0', 'e9ix3ZjU1S'
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, s74S1sMt0Hdo61Oaqg7.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JJnqe4YFPu', 'Q12qmybROB', 'AnhqE4gy3p', 'z6PqRe1pb4', 'WUUqKtHXy2', 't3vqAIm0eR', 'nBQqZ9L7Bc'
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, eIno1KD6sJ7kVtvvWB.cs High entropy of concatenated method names: 'UUCrlBMXiq', 't6prNu1X92', 'mMUrsSuIWr', 'miAriauDlo', 'mUwrnOwAAu', 'Lr5rk3PZ6g', 'YGerpMQPsZ', 'cAlrUdPWHX', 'o7xr3fkTZX', 'tfYr6FeCRU'
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, FBET1vmDCUg7UMq0hh.cs High entropy of concatenated method names: 'm4prCcYkTX', 'trCrh6QWn3', 'V09ruoMTL6', 'qFrrPFkUAe', 'OYMrewrTgI', 'ag8rI60OuQ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, t6MYaWPf12VeY5M6RH.cs High entropy of concatenated method names: 'l0tklhFliD', 'D4PksRkKsG', 'KZKknxvplZ', 'Xbyny3pTDW', 'rO2nzEqw0J', 'iy9kMGEN6f', 'xlBkLP2BGf', 'Bcjk4uZo9D', 's0TkxXnDTh', 'rLKkSSpOGR'
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, YHcuOs9rNyXQII3LoF.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Q2g4Guat6o', 'kXo4ya3bHr', 'lJk4zCXlAf', 'vqlxMJV4ph', 'sCfxLKVUXM', 'Qw6x4U46ch', 'XYwxxQhBfM', 'XN5cISXj313JZ1FcP2e'
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, tnLdWEBm0adCBNA3Ol.cs High entropy of concatenated method names: 'AZhNeqFcR3', 'Ms3NmbNI0D', 'i5wNEBUmuB', 'ocfNRuLoBs', 'AolNKIKTye', 'Kh5NAJ1DXP', 'yPBNZ8okvZ', 'FRHNDKTh5l', 'dbcNGUua1y', 'gj3NyiMQOr'
Source: 0.2.inquiry EBS# 82785.exe.6e50000.5.raw.unpack, oIG6EsvLmXMmxJDAf6.cs High entropy of concatenated method names: 'ToString', 'aJI25ZTGgH', 'Cy92hdGFRJ', 'D8a2ucWLpP', 'L1f2PcliJi', 'iFC2ILYAXV', 'P0Q20Y8jSy', 'p6m2JDHEHd', 'nYH2b2wSX7', 'F1B2wrU526'
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, ETrjv8IYxg1HvPn0mi.cs High entropy of concatenated method names: 'Dispose', 'oJPLG0wCLh', 'PHc4hhDg6w', 'Yfh88KKC6O', 'ycMLywcvcM', 'U6cLzpIXXd', 'ProcessDialogKey', 'qwu4MAmFUE', 'uli4LfJmyt', 'z3P448YVei'
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, weB2bgYHln34b4aHPv.cs High entropy of concatenated method names: 'QYFdkbUJW', 'uWhH5A9oq', 'GApWXWukE', 'Qf1v5URli', 'h8Sc1xZk9', 'tkuOoVKU3', 'f5DXDnGxOYXejxSTef', 'RlkgjMKkBSi4rOSlm7', 'f6rrTqrpp', 'MeLqsSADG'
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, akkPSDMK8o6Wg6tbP2W.cs High entropy of concatenated method names: 'bmC9XW6Z6P', 'nWp9oxEG3Q', 'NFt9dqXkeG', 'xuD9HGhXu4', 'CZA9BE0453', 'gOr9WoBBIB', 'rxF9vUW4fd', 'Prr9YNI40N', 'dbd9c7qPLv', 'kgN9OoAJsx'
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, DnGbZoaby7dWafu41v.cs High entropy of concatenated method names: 'e0ikXVP1RW', 'z2okoAW1H6', 'hkvkdRwFXg', 'D56kHDBA0P', 'QKtkBy8s6t', 'IkpkWFpb5G', 'jJ0kv7DjXi', 'bB2kYppMAX', 'miIkckCjGO', 'WQTkOutsXR'
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, rjC4Ir4lvWsr8PLw9r.cs High entropy of concatenated method names: 'pJJ7DvLjKp', 'UnJ7yR6VEy', 'GC4rM0nyqk', 'ANqrL3E0YV', 'Q0h75Jhlp8', 'pFW7V27jov', 'zK37gKigH5', 'Or77eyYMLt', 'sYm7mpRBT1', 'QWy7EhNffE'
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, bDuPk7MMytu11itw4iq.cs High entropy of concatenated method names: 'ToString', 'FyyqxuceCX', 'tUkqS41nd5', 'igZqaqTYlN', 'CPRqlf16K1', 'Y2HqNKDNJt', 'jQTqsJ7Y9T', 'RZdqiFqrNg', 'eBKVlmyCuMVDKR8IqPR', 'bTMS1GybavJWMsLayLV'
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, FtMufWMYvQ2VjJiLG7M.cs High entropy of concatenated method names: 'B2hqXsFJyl', 'HGAqoxmgns', 'OW1qd9J9oM', 'YInRsjyLjYfT4Uypy5Y', 'wF1GkmyFaTDxLUBbBm8', 'wvl28UyzOolrKFVpn9J', 'abRAHCq2WxuNO2gyTU1', 'kXtAZ2qX5l4ihSRgVIU'
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, TtXuHOVjoa3ddPEElw.cs High entropy of concatenated method names: 'zHFnaZ3TIb', 'EVTnNlZqxi', 'RRsniLRkBG', 'c0gnkJkwpB', 'UVnnpTMoKr', 'utwiK6aSwK', 'THHiAgKTiA', 'W62iZfeJHA', 'WEQiDDt04u', 'ELliG7S9au'
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, xvhxQQx1VqoiIGOhgR.cs High entropy of concatenated method names: 'SpqsHq6NYp', 'fKdsWVvUff', 'VCNsY0pSjm', 'g82scOtOX3', 'jvist7YgR0', 'yIDs2da2ux', 'shBs7wZTPt', 'TO3srD3XxA', 'xZBs9pk7IK', 'OdDsqi5G3E'
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, gM95yfGj9RTfd9Vjt2.cs High entropy of concatenated method names: 'gcJiBjtVHT', 'CbaivIiEaq', 'k83sufThmq', 'gEasPig56m', 'RwasIbsDJs', 'vbus0bgCEe', 'OSXsJmKoaM', 'iH3sb5iPwc', 'eWnswFgrIx', 'oeWsF13ZsU'
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, kSceeLHm7i2YCV0APC.cs High entropy of concatenated method names: 'V4PtFH6uhv', 'JnWtVf4KLx', 'jw6teTRBNo', 'zAEtmUr6NE', 'ktPthWtPl3', 'zAmtu6trV2', 'ExWtPKyifk', 'M4CtIkjCy4', 'zDQt0lltRc', 'vRAtJT1m64'
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, Nm3bAQz0G6h3W4ZbrO.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bSW91FqrQ0', 'maC9t6k6QI', 'gJk92h7pdq', 'Fs797iAPLS', 'FEe9r2q0UX', 'iQW99Dpe9s', 'BZ29qZ5xmT'
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, GAehUb0EjiQekj23xY.cs High entropy of concatenated method names: 'V4qLkkUDBH', 'YWtLpWXa78', 'ToxL3KWSqr', 'mgDL68SECO', 'GOyLtiJpC4', 'YtML2g75rA', 'wtFbRQehGipuvQtXgC', 'UlKT6Jpu8PCN81DRxx', 'xw4LLFMLZ6', 'BB2Lxppsd0'
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, Mc1lp8us5WUHqZfxl6.cs High entropy of concatenated method names: 'B641YagALZ', 'wkX1cebAGp', 'fgi1CGJ2y6', 'jnd1hIQRDK', 'HGO1PaiX6P', 'a6T1ILGc80', 'a0R1JmB2l3', 'zKf1bcOrtV', 'c7x1F4PNrE', 'GZH15LlCql'
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, TRb9De1bjl2tJfPoiq.cs High entropy of concatenated method names: 'BbR9LJ0BLE', 'NR29xJ26P2', 'PBS9SPlGD4', 'm5u9lrmbSA', 'kPP9NtP58U', 'RZi9iUarg5', 'FIs9nsHhbW', 'MearZlOpNB', 'EMErD2fKv7', 'FbQrGmcohx'
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, N6DDnZAE4yvHR3hqWD.cs High entropy of concatenated method names: 'GhxxaYo8hu', 'JbQxlIMmL9', 'OtoxNNwYte', 'fCAxsvSEjB', 'BWExinO1RF', 'YU4xnBQ8Xw', 'xRCxkpH1I5', 'NotxputClH', 'tipxUKGfM0', 'e9ix3ZjU1S'
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, s74S1sMt0Hdo61Oaqg7.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JJnqe4YFPu', 'Q12qmybROB', 'AnhqE4gy3p', 'z6PqRe1pb4', 'WUUqKtHXy2', 't3vqAIm0eR', 'nBQqZ9L7Bc'
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, eIno1KD6sJ7kVtvvWB.cs High entropy of concatenated method names: 'UUCrlBMXiq', 't6prNu1X92', 'mMUrsSuIWr', 'miAriauDlo', 'mUwrnOwAAu', 'Lr5rk3PZ6g', 'YGerpMQPsZ', 'cAlrUdPWHX', 'o7xr3fkTZX', 'tfYr6FeCRU'
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, FBET1vmDCUg7UMq0hh.cs High entropy of concatenated method names: 'm4prCcYkTX', 'trCrh6QWn3', 'V09ruoMTL6', 'qFrrPFkUAe', 'OYMrewrTgI', 'ag8rI60OuQ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, t6MYaWPf12VeY5M6RH.cs High entropy of concatenated method names: 'l0tklhFliD', 'D4PksRkKsG', 'KZKknxvplZ', 'Xbyny3pTDW', 'rO2nzEqw0J', 'iy9kMGEN6f', 'xlBkLP2BGf', 'Bcjk4uZo9D', 's0TkxXnDTh', 'rLKkSSpOGR'
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, YHcuOs9rNyXQII3LoF.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Q2g4Guat6o', 'kXo4ya3bHr', 'lJk4zCXlAf', 'vqlxMJV4ph', 'sCfxLKVUXM', 'Qw6x4U46ch', 'XYwxxQhBfM', 'XN5cISXj313JZ1FcP2e'
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, tnLdWEBm0adCBNA3Ol.cs High entropy of concatenated method names: 'AZhNeqFcR3', 'Ms3NmbNI0D', 'i5wNEBUmuB', 'ocfNRuLoBs', 'AolNKIKTye', 'Kh5NAJ1DXP', 'yPBNZ8okvZ', 'FRHNDKTh5l', 'dbcNGUua1y', 'gj3NyiMQOr'
Source: 0.2.inquiry EBS# 82785.exe.3d109a8.2.raw.unpack, oIG6EsvLmXMmxJDAf6.cs High entropy of concatenated method names: 'ToString', 'aJI25ZTGgH', 'Cy92hdGFRJ', 'D8a2ucWLpP', 'L1f2PcliJi', 'iFC2ILYAXV', 'P0Q20Y8jSy', 'p6m2JDHEHd', 'nYH2b2wSX7', 'F1B2wrU526'

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: inquiry EBS# 82785.exe PID: 4816, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Memory allocated: E40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Memory allocated: 27F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Memory allocated: E60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Memory allocated: 7020000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Memory allocated: 8020000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Memory allocated: 81B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Memory allocated: 91B0000 memory reserve | memory write watch Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0151096E rdtsc 4_2_0151096E
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6205 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1933 Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Window / User API: threadDelayed 9751 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 0.8 %
Source: C:\Windows\SysWOW64\iexpress.exe API coverage: 2.5 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe TID: 6824 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4072 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4516 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe TID: 7496 Thread sleep count: 220 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe TID: 7496 Thread sleep time: -440000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe TID: 7496 Thread sleep count: 9751 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe TID: 7496 Thread sleep time: -19502000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe TID: 7540 Thread sleep time: -65000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe TID: 7540 Thread sleep count: 35 > 30 Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe TID: 7540 Thread sleep time: -52500s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe TID: 7540 Thread sleep count: 34 > 30 Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe TID: 7540 Thread sleep time: -34000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\iexpress.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\iexpress.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\iexpress.exe Code function: 16_2_0303BAF0 FindFirstFileW,FindNextFileW,FindClose, 16_2_0303BAF0
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: n200C853.16.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: n200C853.16.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: n200C853.16.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: n200C853.16.dr Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: n200C853.16.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: hbfEEdNoiUG.exe, 00000014.00000002.3711029836.000000000123F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM
Source: iexpress.exe, 00000010.00000002.3715938597.0000000008482000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware2
Source: n200C853.16.dr Binary or memory string: outlook.office.comVMware20,11696492231s
Source: n200C853.16.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: iexpress.exe, 00000010.00000002.3715938597.0000000008482000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,I
Source: n200C853.16.dr Binary or memory string: AMC password management pageVMware20,11696492231
Source: n200C853.16.dr Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: n200C853.16.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: iexpress.exe, 00000010.00000002.3715938597.0000000008482000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,116
Source: n200C853.16.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: n200C853.16.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: n200C853.16.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: n200C853.16.dr Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: iexpress.exe, 00000010.00000002.3715938597.0000000008482000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: n PasswordVMware20,11696492231x
Source: n200C853.16.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: inquiry EBS# 82785.exe, 00000000.00000002.1269901185.0000000000A96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P
Source: n200C853.16.dr Binary or memory string: discord.comVMware20,11696492231f
Source: iexpress.exe, 00000010.00000002.3700825150.000000000324B000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.1723837760.000002AF2BA1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: n200C853.16.dr Binary or memory string: global block list test formVMware20,11696492231
Source: n200C853.16.dr Binary or memory string: dev.azure.comVMware20,11696492231j
Source: n200C853.16.dr Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: n200C853.16.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: n200C853.16.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: n200C853.16.dr Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: n200C853.16.dr Binary or memory string: tasks.office.comVMware20,11696492231o
Source: n200C853.16.dr Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: n200C853.16.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: n200C853.16.dr Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: n200C853.16.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: iexpress.exe, 00000010.00000002.3715938597.0000000008482000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,1S
Source: n200C853.16.dr Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: n200C853.16.dr Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: n200C853.16.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: n200C853.16.dr Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0151096E rdtsc 4_2_0151096E
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_00417523 LdrLoadDll, 4_2_00417523
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01568158 mov eax, dword ptr fs:[00000030h] 4_2_01568158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01564144 mov eax, dword ptr fs:[00000030h] 4_2_01564144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01564144 mov eax, dword ptr fs:[00000030h] 4_2_01564144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01564144 mov ecx, dword ptr fs:[00000030h] 4_2_01564144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01564144 mov eax, dword ptr fs:[00000030h] 4_2_01564144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01564144 mov eax, dword ptr fs:[00000030h] 4_2_01564144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D6154 mov eax, dword ptr fs:[00000030h] 4_2_014D6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D6154 mov eax, dword ptr fs:[00000030h] 4_2_014D6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014CC156 mov eax, dword ptr fs:[00000030h] 4_2_014CC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A4164 mov eax, dword ptr fs:[00000030h] 4_2_015A4164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A4164 mov eax, dword ptr fs:[00000030h] 4_2_015A4164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01590115 mov eax, dword ptr fs:[00000030h] 4_2_01590115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157A118 mov ecx, dword ptr fs:[00000030h] 4_2_0157A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157A118 mov eax, dword ptr fs:[00000030h] 4_2_0157A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157A118 mov eax, dword ptr fs:[00000030h] 4_2_0157A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157A118 mov eax, dword ptr fs:[00000030h] 4_2_0157A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157E10E mov eax, dword ptr fs:[00000030h] 4_2_0157E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157E10E mov ecx, dword ptr fs:[00000030h] 4_2_0157E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157E10E mov eax, dword ptr fs:[00000030h] 4_2_0157E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157E10E mov eax, dword ptr fs:[00000030h] 4_2_0157E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157E10E mov ecx, dword ptr fs:[00000030h] 4_2_0157E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157E10E mov eax, dword ptr fs:[00000030h] 4_2_0157E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157E10E mov eax, dword ptr fs:[00000030h] 4_2_0157E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157E10E mov ecx, dword ptr fs:[00000030h] 4_2_0157E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157E10E mov eax, dword ptr fs:[00000030h] 4_2_0157E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157E10E mov ecx, dword ptr fs:[00000030h] 4_2_0157E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01500124 mov eax, dword ptr fs:[00000030h] 4_2_01500124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0154E1D0 mov eax, dword ptr fs:[00000030h] 4_2_0154E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0154E1D0 mov eax, dword ptr fs:[00000030h] 4_2_0154E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0154E1D0 mov ecx, dword ptr fs:[00000030h] 4_2_0154E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0154E1D0 mov eax, dword ptr fs:[00000030h] 4_2_0154E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0154E1D0 mov eax, dword ptr fs:[00000030h] 4_2_0154E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015961C3 mov eax, dword ptr fs:[00000030h] 4_2_015961C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015961C3 mov eax, dword ptr fs:[00000030h] 4_2_015961C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015001F8 mov eax, dword ptr fs:[00000030h] 4_2_015001F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A61E5 mov eax, dword ptr fs:[00000030h] 4_2_015A61E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0155019F mov eax, dword ptr fs:[00000030h] 4_2_0155019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0155019F mov eax, dword ptr fs:[00000030h] 4_2_0155019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0155019F mov eax, dword ptr fs:[00000030h] 4_2_0155019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0155019F mov eax, dword ptr fs:[00000030h] 4_2_0155019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0158C188 mov eax, dword ptr fs:[00000030h] 4_2_0158C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0158C188 mov eax, dword ptr fs:[00000030h] 4_2_0158C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01510185 mov eax, dword ptr fs:[00000030h] 4_2_01510185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01574180 mov eax, dword ptr fs:[00000030h] 4_2_01574180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01574180 mov eax, dword ptr fs:[00000030h] 4_2_01574180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014CA197 mov eax, dword ptr fs:[00000030h] 4_2_014CA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014CA197 mov eax, dword ptr fs:[00000030h] 4_2_014CA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014CA197 mov eax, dword ptr fs:[00000030h] 4_2_014CA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01556050 mov eax, dword ptr fs:[00000030h] 4_2_01556050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D2050 mov eax, dword ptr fs:[00000030h] 4_2_014D2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FC073 mov eax, dword ptr fs:[00000030h] 4_2_014FC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01554000 mov ecx, dword ptr fs:[00000030h] 4_2_01554000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01572000 mov eax, dword ptr fs:[00000030h] 4_2_01572000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01572000 mov eax, dword ptr fs:[00000030h] 4_2_01572000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01572000 mov eax, dword ptr fs:[00000030h] 4_2_01572000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01572000 mov eax, dword ptr fs:[00000030h] 4_2_01572000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01572000 mov eax, dword ptr fs:[00000030h] 4_2_01572000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01572000 mov eax, dword ptr fs:[00000030h] 4_2_01572000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01572000 mov eax, dword ptr fs:[00000030h] 4_2_01572000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01572000 mov eax, dword ptr fs:[00000030h] 4_2_01572000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014EE016 mov eax, dword ptr fs:[00000030h] 4_2_014EE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014EE016 mov eax, dword ptr fs:[00000030h] 4_2_014EE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014EE016 mov eax, dword ptr fs:[00000030h] 4_2_014EE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014EE016 mov eax, dword ptr fs:[00000030h] 4_2_014EE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01566030 mov eax, dword ptr fs:[00000030h] 4_2_01566030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014CA020 mov eax, dword ptr fs:[00000030h] 4_2_014CA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014CC020 mov eax, dword ptr fs:[00000030h] 4_2_014CC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015520DE mov eax, dword ptr fs:[00000030h] 4_2_015520DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015120F0 mov ecx, dword ptr fs:[00000030h] 4_2_015120F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D80E9 mov eax, dword ptr fs:[00000030h] 4_2_014D80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014CA0E3 mov ecx, dword ptr fs:[00000030h] 4_2_014CA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015560E0 mov eax, dword ptr fs:[00000030h] 4_2_015560E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014CC0F0 mov eax, dword ptr fs:[00000030h] 4_2_014CC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D208A mov eax, dword ptr fs:[00000030h] 4_2_014D208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015960B8 mov eax, dword ptr fs:[00000030h] 4_2_015960B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015960B8 mov ecx, dword ptr fs:[00000030h] 4_2_015960B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014C80A0 mov eax, dword ptr fs:[00000030h] 4_2_014C80A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015680A8 mov eax, dword ptr fs:[00000030h] 4_2_015680A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01578350 mov ecx, dword ptr fs:[00000030h] 4_2_01578350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0155035C mov eax, dword ptr fs:[00000030h] 4_2_0155035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0155035C mov eax, dword ptr fs:[00000030h] 4_2_0155035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0155035C mov eax, dword ptr fs:[00000030h] 4_2_0155035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0155035C mov ecx, dword ptr fs:[00000030h] 4_2_0155035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0155035C mov eax, dword ptr fs:[00000030h] 4_2_0155035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0155035C mov eax, dword ptr fs:[00000030h] 4_2_0155035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0159A352 mov eax, dword ptr fs:[00000030h] 4_2_0159A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A634F mov eax, dword ptr fs:[00000030h] 4_2_015A634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01552349 mov eax, dword ptr fs:[00000030h] 4_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01552349 mov eax, dword ptr fs:[00000030h] 4_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01552349 mov eax, dword ptr fs:[00000030h] 4_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01552349 mov eax, dword ptr fs:[00000030h] 4_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01552349 mov eax, dword ptr fs:[00000030h] 4_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01552349 mov eax, dword ptr fs:[00000030h] 4_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01552349 mov eax, dword ptr fs:[00000030h] 4_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01552349 mov eax, dword ptr fs:[00000030h] 4_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01552349 mov eax, dword ptr fs:[00000030h] 4_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01552349 mov eax, dword ptr fs:[00000030h] 4_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01552349 mov eax, dword ptr fs:[00000030h] 4_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01552349 mov eax, dword ptr fs:[00000030h] 4_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01552349 mov eax, dword ptr fs:[00000030h] 4_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01552349 mov eax, dword ptr fs:[00000030h] 4_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01552349 mov eax, dword ptr fs:[00000030h] 4_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157437C mov eax, dword ptr fs:[00000030h] 4_2_0157437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150A30B mov eax, dword ptr fs:[00000030h] 4_2_0150A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150A30B mov eax, dword ptr fs:[00000030h] 4_2_0150A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150A30B mov eax, dword ptr fs:[00000030h] 4_2_0150A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014CC310 mov ecx, dword ptr fs:[00000030h] 4_2_014CC310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F0310 mov ecx, dword ptr fs:[00000030h] 4_2_014F0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A8324 mov eax, dword ptr fs:[00000030h] 4_2_015A8324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A8324 mov ecx, dword ptr fs:[00000030h] 4_2_015A8324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A8324 mov eax, dword ptr fs:[00000030h] 4_2_015A8324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A8324 mov eax, dword ptr fs:[00000030h] 4_2_015A8324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015743D4 mov eax, dword ptr fs:[00000030h] 4_2_015743D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015743D4 mov eax, dword ptr fs:[00000030h] 4_2_015743D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157E3DB mov eax, dword ptr fs:[00000030h] 4_2_0157E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157E3DB mov eax, dword ptr fs:[00000030h] 4_2_0157E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157E3DB mov ecx, dword ptr fs:[00000030h] 4_2_0157E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157E3DB mov eax, dword ptr fs:[00000030h] 4_2_0157E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014DA3C0 mov eax, dword ptr fs:[00000030h] 4_2_014DA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014DA3C0 mov eax, dword ptr fs:[00000030h] 4_2_014DA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014DA3C0 mov eax, dword ptr fs:[00000030h] 4_2_014DA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014DA3C0 mov eax, dword ptr fs:[00000030h] 4_2_014DA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014DA3C0 mov eax, dword ptr fs:[00000030h] 4_2_014DA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014DA3C0 mov eax, dword ptr fs:[00000030h] 4_2_014DA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D83C0 mov eax, dword ptr fs:[00000030h] 4_2_014D83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D83C0 mov eax, dword ptr fs:[00000030h] 4_2_014D83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D83C0 mov eax, dword ptr fs:[00000030h] 4_2_014D83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D83C0 mov eax, dword ptr fs:[00000030h] 4_2_014D83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0158C3CD mov eax, dword ptr fs:[00000030h] 4_2_0158C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015563C0 mov eax, dword ptr fs:[00000030h] 4_2_015563C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E03E9 mov eax, dword ptr fs:[00000030h] 4_2_014E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E03E9 mov eax, dword ptr fs:[00000030h] 4_2_014E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E03E9 mov eax, dword ptr fs:[00000030h] 4_2_014E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E03E9 mov eax, dword ptr fs:[00000030h] 4_2_014E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E03E9 mov eax, dword ptr fs:[00000030h] 4_2_014E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E03E9 mov eax, dword ptr fs:[00000030h] 4_2_014E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E03E9 mov eax, dword ptr fs:[00000030h] 4_2_014E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E03E9 mov eax, dword ptr fs:[00000030h] 4_2_014E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015063FF mov eax, dword ptr fs:[00000030h] 4_2_015063FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014EE3F0 mov eax, dword ptr fs:[00000030h] 4_2_014EE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014EE3F0 mov eax, dword ptr fs:[00000030h] 4_2_014EE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014EE3F0 mov eax, dword ptr fs:[00000030h] 4_2_014EE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F438F mov eax, dword ptr fs:[00000030h] 4_2_014F438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F438F mov eax, dword ptr fs:[00000030h] 4_2_014F438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014CE388 mov eax, dword ptr fs:[00000030h] 4_2_014CE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014CE388 mov eax, dword ptr fs:[00000030h] 4_2_014CE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014CE388 mov eax, dword ptr fs:[00000030h] 4_2_014CE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014C8397 mov eax, dword ptr fs:[00000030h] 4_2_014C8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014C8397 mov eax, dword ptr fs:[00000030h] 4_2_014C8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014C8397 mov eax, dword ptr fs:[00000030h] 4_2_014C8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A625D mov eax, dword ptr fs:[00000030h] 4_2_015A625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0158A250 mov eax, dword ptr fs:[00000030h] 4_2_0158A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0158A250 mov eax, dword ptr fs:[00000030h] 4_2_0158A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D6259 mov eax, dword ptr fs:[00000030h] 4_2_014D6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01558243 mov eax, dword ptr fs:[00000030h] 4_2_01558243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01558243 mov ecx, dword ptr fs:[00000030h] 4_2_01558243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014CA250 mov eax, dword ptr fs:[00000030h] 4_2_014CA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014C826B mov eax, dword ptr fs:[00000030h] 4_2_014C826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01580274 mov eax, dword ptr fs:[00000030h] 4_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01580274 mov eax, dword ptr fs:[00000030h] 4_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01580274 mov eax, dword ptr fs:[00000030h] 4_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01580274 mov eax, dword ptr fs:[00000030h] 4_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01580274 mov eax, dword ptr fs:[00000030h] 4_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01580274 mov eax, dword ptr fs:[00000030h] 4_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01580274 mov eax, dword ptr fs:[00000030h] 4_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01580274 mov eax, dword ptr fs:[00000030h] 4_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01580274 mov eax, dword ptr fs:[00000030h] 4_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01580274 mov eax, dword ptr fs:[00000030h] 4_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01580274 mov eax, dword ptr fs:[00000030h] 4_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01580274 mov eax, dword ptr fs:[00000030h] 4_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D4260 mov eax, dword ptr fs:[00000030h] 4_2_014D4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D4260 mov eax, dword ptr fs:[00000030h] 4_2_014D4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D4260 mov eax, dword ptr fs:[00000030h] 4_2_014D4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014C823B mov eax, dword ptr fs:[00000030h] 4_2_014C823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A62D6 mov eax, dword ptr fs:[00000030h] 4_2_015A62D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014DA2C3 mov eax, dword ptr fs:[00000030h] 4_2_014DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014DA2C3 mov eax, dword ptr fs:[00000030h] 4_2_014DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014DA2C3 mov eax, dword ptr fs:[00000030h] 4_2_014DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014DA2C3 mov eax, dword ptr fs:[00000030h] 4_2_014DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014DA2C3 mov eax, dword ptr fs:[00000030h] 4_2_014DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E02E1 mov eax, dword ptr fs:[00000030h] 4_2_014E02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E02E1 mov eax, dword ptr fs:[00000030h] 4_2_014E02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E02E1 mov eax, dword ptr fs:[00000030h] 4_2_014E02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150E284 mov eax, dword ptr fs:[00000030h] 4_2_0150E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150E284 mov eax, dword ptr fs:[00000030h] 4_2_0150E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01550283 mov eax, dword ptr fs:[00000030h] 4_2_01550283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01550283 mov eax, dword ptr fs:[00000030h] 4_2_01550283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01550283 mov eax, dword ptr fs:[00000030h] 4_2_01550283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E02A0 mov eax, dword ptr fs:[00000030h] 4_2_014E02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E02A0 mov eax, dword ptr fs:[00000030h] 4_2_014E02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015662A0 mov eax, dword ptr fs:[00000030h] 4_2_015662A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015662A0 mov ecx, dword ptr fs:[00000030h] 4_2_015662A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015662A0 mov eax, dword ptr fs:[00000030h] 4_2_015662A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015662A0 mov eax, dword ptr fs:[00000030h] 4_2_015662A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015662A0 mov eax, dword ptr fs:[00000030h] 4_2_015662A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015662A0 mov eax, dword ptr fs:[00000030h] 4_2_015662A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D8550 mov eax, dword ptr fs:[00000030h] 4_2_014D8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D8550 mov eax, dword ptr fs:[00000030h] 4_2_014D8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150656A mov eax, dword ptr fs:[00000030h] 4_2_0150656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150656A mov eax, dword ptr fs:[00000030h] 4_2_0150656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150656A mov eax, dword ptr fs:[00000030h] 4_2_0150656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01566500 mov eax, dword ptr fs:[00000030h] 4_2_01566500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A4500 mov eax, dword ptr fs:[00000030h] 4_2_015A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A4500 mov eax, dword ptr fs:[00000030h] 4_2_015A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A4500 mov eax, dword ptr fs:[00000030h] 4_2_015A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A4500 mov eax, dword ptr fs:[00000030h] 4_2_015A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A4500 mov eax, dword ptr fs:[00000030h] 4_2_015A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A4500 mov eax, dword ptr fs:[00000030h] 4_2_015A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A4500 mov eax, dword ptr fs:[00000030h] 4_2_015A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FE53E mov eax, dword ptr fs:[00000030h] 4_2_014FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FE53E mov eax, dword ptr fs:[00000030h] 4_2_014FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FE53E mov eax, dword ptr fs:[00000030h] 4_2_014FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FE53E mov eax, dword ptr fs:[00000030h] 4_2_014FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FE53E mov eax, dword ptr fs:[00000030h] 4_2_014FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0535 mov eax, dword ptr fs:[00000030h] 4_2_014E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0535 mov eax, dword ptr fs:[00000030h] 4_2_014E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0535 mov eax, dword ptr fs:[00000030h] 4_2_014E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0535 mov eax, dword ptr fs:[00000030h] 4_2_014E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0535 mov eax, dword ptr fs:[00000030h] 4_2_014E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0535 mov eax, dword ptr fs:[00000030h] 4_2_014E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150A5D0 mov eax, dword ptr fs:[00000030h] 4_2_0150A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150A5D0 mov eax, dword ptr fs:[00000030h] 4_2_0150A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D65D0 mov eax, dword ptr fs:[00000030h] 4_2_014D65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150E5CF mov eax, dword ptr fs:[00000030h] 4_2_0150E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150E5CF mov eax, dword ptr fs:[00000030h] 4_2_0150E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FE5E7 mov eax, dword ptr fs:[00000030h] 4_2_014FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FE5E7 mov eax, dword ptr fs:[00000030h] 4_2_014FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FE5E7 mov eax, dword ptr fs:[00000030h] 4_2_014FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FE5E7 mov eax, dword ptr fs:[00000030h] 4_2_014FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FE5E7 mov eax, dword ptr fs:[00000030h] 4_2_014FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FE5E7 mov eax, dword ptr fs:[00000030h] 4_2_014FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FE5E7 mov eax, dword ptr fs:[00000030h] 4_2_014FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FE5E7 mov eax, dword ptr fs:[00000030h] 4_2_014FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D25E0 mov eax, dword ptr fs:[00000030h] 4_2_014D25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150C5ED mov eax, dword ptr fs:[00000030h] 4_2_0150C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150C5ED mov eax, dword ptr fs:[00000030h] 4_2_0150C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150E59C mov eax, dword ptr fs:[00000030h] 4_2_0150E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D2582 mov eax, dword ptr fs:[00000030h] 4_2_014D2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D2582 mov ecx, dword ptr fs:[00000030h] 4_2_014D2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01504588 mov eax, dword ptr fs:[00000030h] 4_2_01504588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015505A7 mov eax, dword ptr fs:[00000030h] 4_2_015505A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015505A7 mov eax, dword ptr fs:[00000030h] 4_2_015505A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015505A7 mov eax, dword ptr fs:[00000030h] 4_2_015505A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F45B1 mov eax, dword ptr fs:[00000030h] 4_2_014F45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F45B1 mov eax, dword ptr fs:[00000030h] 4_2_014F45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0158A456 mov eax, dword ptr fs:[00000030h] 4_2_0158A456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014C645D mov eax, dword ptr fs:[00000030h] 4_2_014C645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150E443 mov eax, dword ptr fs:[00000030h] 4_2_0150E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150E443 mov eax, dword ptr fs:[00000030h] 4_2_0150E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150E443 mov eax, dword ptr fs:[00000030h] 4_2_0150E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150E443 mov eax, dword ptr fs:[00000030h] 4_2_0150E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150E443 mov eax, dword ptr fs:[00000030h] 4_2_0150E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150E443 mov eax, dword ptr fs:[00000030h] 4_2_0150E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150E443 mov eax, dword ptr fs:[00000030h] 4_2_0150E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150E443 mov eax, dword ptr fs:[00000030h] 4_2_0150E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F245A mov eax, dword ptr fs:[00000030h] 4_2_014F245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0155C460 mov ecx, dword ptr fs:[00000030h] 4_2_0155C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FA470 mov eax, dword ptr fs:[00000030h] 4_2_014FA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FA470 mov eax, dword ptr fs:[00000030h] 4_2_014FA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FA470 mov eax, dword ptr fs:[00000030h] 4_2_014FA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01508402 mov eax, dword ptr fs:[00000030h] 4_2_01508402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01508402 mov eax, dword ptr fs:[00000030h] 4_2_01508402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01508402 mov eax, dword ptr fs:[00000030h] 4_2_01508402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150A430 mov eax, dword ptr fs:[00000030h] 4_2_0150A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014CC427 mov eax, dword ptr fs:[00000030h] 4_2_014CC427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014CE420 mov eax, dword ptr fs:[00000030h] 4_2_014CE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014CE420 mov eax, dword ptr fs:[00000030h] 4_2_014CE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014CE420 mov eax, dword ptr fs:[00000030h] 4_2_014CE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01556420 mov eax, dword ptr fs:[00000030h] 4_2_01556420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01556420 mov eax, dword ptr fs:[00000030h] 4_2_01556420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01556420 mov eax, dword ptr fs:[00000030h] 4_2_01556420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01556420 mov eax, dword ptr fs:[00000030h] 4_2_01556420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01556420 mov eax, dword ptr fs:[00000030h] 4_2_01556420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01556420 mov eax, dword ptr fs:[00000030h] 4_2_01556420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01556420 mov eax, dword ptr fs:[00000030h] 4_2_01556420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D04E5 mov ecx, dword ptr fs:[00000030h] 4_2_014D04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0158A49A mov eax, dword ptr fs:[00000030h] 4_2_0158A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015044B0 mov ecx, dword ptr fs:[00000030h] 4_2_015044B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0155A4B0 mov eax, dword ptr fs:[00000030h] 4_2_0155A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D64AB mov eax, dword ptr fs:[00000030h] 4_2_014D64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01554755 mov eax, dword ptr fs:[00000030h] 4_2_01554755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512750 mov eax, dword ptr fs:[00000030h] 4_2_01512750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512750 mov eax, dword ptr fs:[00000030h] 4_2_01512750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0155E75D mov eax, dword ptr fs:[00000030h] 4_2_0155E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D0750 mov eax, dword ptr fs:[00000030h] 4_2_014D0750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150674D mov esi, dword ptr fs:[00000030h] 4_2_0150674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150674D mov eax, dword ptr fs:[00000030h] 4_2_0150674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150674D mov eax, dword ptr fs:[00000030h] 4_2_0150674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D8770 mov eax, dword ptr fs:[00000030h] 4_2_014D8770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0770 mov eax, dword ptr fs:[00000030h] 4_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0770 mov eax, dword ptr fs:[00000030h] 4_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0770 mov eax, dword ptr fs:[00000030h] 4_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0770 mov eax, dword ptr fs:[00000030h] 4_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0770 mov eax, dword ptr fs:[00000030h] 4_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0770 mov eax, dword ptr fs:[00000030h] 4_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0770 mov eax, dword ptr fs:[00000030h] 4_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0770 mov eax, dword ptr fs:[00000030h] 4_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0770 mov eax, dword ptr fs:[00000030h] 4_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0770 mov eax, dword ptr fs:[00000030h] 4_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0770 mov eax, dword ptr fs:[00000030h] 4_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0770 mov eax, dword ptr fs:[00000030h] 4_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01500710 mov eax, dword ptr fs:[00000030h] 4_2_01500710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150C700 mov eax, dword ptr fs:[00000030h] 4_2_0150C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D0710 mov eax, dword ptr fs:[00000030h] 4_2_014D0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0154C730 mov eax, dword ptr fs:[00000030h] 4_2_0154C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150273C mov eax, dword ptr fs:[00000030h] 4_2_0150273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150273C mov ecx, dword ptr fs:[00000030h] 4_2_0150273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150273C mov eax, dword ptr fs:[00000030h] 4_2_0150273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150C720 mov eax, dword ptr fs:[00000030h] 4_2_0150C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150C720 mov eax, dword ptr fs:[00000030h] 4_2_0150C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014DC7C0 mov eax, dword ptr fs:[00000030h] 4_2_014DC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015507C3 mov eax, dword ptr fs:[00000030h] 4_2_015507C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F27ED mov eax, dword ptr fs:[00000030h] 4_2_014F27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F27ED mov eax, dword ptr fs:[00000030h] 4_2_014F27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F27ED mov eax, dword ptr fs:[00000030h] 4_2_014F27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0155E7E1 mov eax, dword ptr fs:[00000030h] 4_2_0155E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D47FB mov eax, dword ptr fs:[00000030h] 4_2_014D47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D47FB mov eax, dword ptr fs:[00000030h] 4_2_014D47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157678E mov eax, dword ptr fs:[00000030h] 4_2_0157678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D07AF mov eax, dword ptr fs:[00000030h] 4_2_014D07AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015847A0 mov eax, dword ptr fs:[00000030h] 4_2_015847A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014EC640 mov eax, dword ptr fs:[00000030h] 4_2_014EC640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01502674 mov eax, dword ptr fs:[00000030h] 4_2_01502674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150A660 mov eax, dword ptr fs:[00000030h] 4_2_0150A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150A660 mov eax, dword ptr fs:[00000030h] 4_2_0150A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0159866E mov eax, dword ptr fs:[00000030h] 4_2_0159866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0159866E mov eax, dword ptr fs:[00000030h] 4_2_0159866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E260B mov eax, dword ptr fs:[00000030h] 4_2_014E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E260B mov eax, dword ptr fs:[00000030h] 4_2_014E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E260B mov eax, dword ptr fs:[00000030h] 4_2_014E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E260B mov eax, dword ptr fs:[00000030h] 4_2_014E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E260B mov eax, dword ptr fs:[00000030h] 4_2_014E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E260B mov eax, dword ptr fs:[00000030h] 4_2_014E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E260B mov eax, dword ptr fs:[00000030h] 4_2_014E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01512619 mov eax, dword ptr fs:[00000030h] 4_2_01512619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0154E609 mov eax, dword ptr fs:[00000030h] 4_2_0154E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D262C mov eax, dword ptr fs:[00000030h] 4_2_014D262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014EE627 mov eax, dword ptr fs:[00000030h] 4_2_014EE627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01506620 mov eax, dword ptr fs:[00000030h] 4_2_01506620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01508620 mov eax, dword ptr fs:[00000030h] 4_2_01508620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150A6C7 mov ebx, dword ptr fs:[00000030h] 4_2_0150A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150A6C7 mov eax, dword ptr fs:[00000030h] 4_2_0150A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015506F1 mov eax, dword ptr fs:[00000030h] 4_2_015506F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015506F1 mov eax, dword ptr fs:[00000030h] 4_2_015506F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0154E6F2 mov eax, dword ptr fs:[00000030h] 4_2_0154E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0154E6F2 mov eax, dword ptr fs:[00000030h] 4_2_0154E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0154E6F2 mov eax, dword ptr fs:[00000030h] 4_2_0154E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0154E6F2 mov eax, dword ptr fs:[00000030h] 4_2_0154E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D4690 mov eax, dword ptr fs:[00000030h] 4_2_014D4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D4690 mov eax, dword ptr fs:[00000030h] 4_2_014D4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015066B0 mov eax, dword ptr fs:[00000030h] 4_2_015066B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150C6A6 mov eax, dword ptr fs:[00000030h] 4_2_0150C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01550946 mov eax, dword ptr fs:[00000030h] 4_2_01550946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A4940 mov eax, dword ptr fs:[00000030h] 4_2_015A4940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0155C97C mov eax, dword ptr fs:[00000030h] 4_2_0155C97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F6962 mov eax, dword ptr fs:[00000030h] 4_2_014F6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F6962 mov eax, dword ptr fs:[00000030h] 4_2_014F6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F6962 mov eax, dword ptr fs:[00000030h] 4_2_014F6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01574978 mov eax, dword ptr fs:[00000030h] 4_2_01574978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01574978 mov eax, dword ptr fs:[00000030h] 4_2_01574978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0151096E mov eax, dword ptr fs:[00000030h] 4_2_0151096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0151096E mov edx, dword ptr fs:[00000030h] 4_2_0151096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0151096E mov eax, dword ptr fs:[00000030h] 4_2_0151096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0155C912 mov eax, dword ptr fs:[00000030h] 4_2_0155C912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014C8918 mov eax, dword ptr fs:[00000030h] 4_2_014C8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014C8918 mov eax, dword ptr fs:[00000030h] 4_2_014C8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0154E908 mov eax, dword ptr fs:[00000030h] 4_2_0154E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0154E908 mov eax, dword ptr fs:[00000030h] 4_2_0154E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0156892B mov eax, dword ptr fs:[00000030h] 4_2_0156892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0155892A mov eax, dword ptr fs:[00000030h] 4_2_0155892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015049D0 mov eax, dword ptr fs:[00000030h] 4_2_015049D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0159A9D3 mov eax, dword ptr fs:[00000030h] 4_2_0159A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015669C0 mov eax, dword ptr fs:[00000030h] 4_2_015669C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014DA9D0 mov eax, dword ptr fs:[00000030h] 4_2_014DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014DA9D0 mov eax, dword ptr fs:[00000030h] 4_2_014DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014DA9D0 mov eax, dword ptr fs:[00000030h] 4_2_014DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014DA9D0 mov eax, dword ptr fs:[00000030h] 4_2_014DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014DA9D0 mov eax, dword ptr fs:[00000030h] 4_2_014DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014DA9D0 mov eax, dword ptr fs:[00000030h] 4_2_014DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015029F9 mov eax, dword ptr fs:[00000030h] 4_2_015029F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015029F9 mov eax, dword ptr fs:[00000030h] 4_2_015029F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0155E9E0 mov eax, dword ptr fs:[00000030h] 4_2_0155E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D09AD mov eax, dword ptr fs:[00000030h] 4_2_014D09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D09AD mov eax, dword ptr fs:[00000030h] 4_2_014D09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015589B3 mov esi, dword ptr fs:[00000030h] 4_2_015589B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015589B3 mov eax, dword ptr fs:[00000030h] 4_2_015589B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015589B3 mov eax, dword ptr fs:[00000030h] 4_2_015589B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E29A0 mov eax, dword ptr fs:[00000030h] 4_2_014E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E29A0 mov eax, dword ptr fs:[00000030h] 4_2_014E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E29A0 mov eax, dword ptr fs:[00000030h] 4_2_014E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E29A0 mov eax, dword ptr fs:[00000030h] 4_2_014E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E29A0 mov eax, dword ptr fs:[00000030h] 4_2_014E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E29A0 mov eax, dword ptr fs:[00000030h] 4_2_014E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E29A0 mov eax, dword ptr fs:[00000030h] 4_2_014E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E29A0 mov eax, dword ptr fs:[00000030h] 4_2_014E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E29A0 mov eax, dword ptr fs:[00000030h] 4_2_014E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E29A0 mov eax, dword ptr fs:[00000030h] 4_2_014E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E29A0 mov eax, dword ptr fs:[00000030h] 4_2_014E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E29A0 mov eax, dword ptr fs:[00000030h] 4_2_014E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E29A0 mov eax, dword ptr fs:[00000030h] 4_2_014E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01500854 mov eax, dword ptr fs:[00000030h] 4_2_01500854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E2840 mov ecx, dword ptr fs:[00000030h] 4_2_014E2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D4859 mov eax, dword ptr fs:[00000030h] 4_2_014D4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D4859 mov eax, dword ptr fs:[00000030h] 4_2_014D4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01566870 mov eax, dword ptr fs:[00000030h] 4_2_01566870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01566870 mov eax, dword ptr fs:[00000030h] 4_2_01566870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0155E872 mov eax, dword ptr fs:[00000030h] 4_2_0155E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0155E872 mov eax, dword ptr fs:[00000030h] 4_2_0155E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0155C810 mov eax, dword ptr fs:[00000030h] 4_2_0155C810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150A830 mov eax, dword ptr fs:[00000030h] 4_2_0150A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157483A mov eax, dword ptr fs:[00000030h] 4_2_0157483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157483A mov eax, dword ptr fs:[00000030h] 4_2_0157483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F2835 mov eax, dword ptr fs:[00000030h] 4_2_014F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F2835 mov eax, dword ptr fs:[00000030h] 4_2_014F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F2835 mov eax, dword ptr fs:[00000030h] 4_2_014F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F2835 mov ecx, dword ptr fs:[00000030h] 4_2_014F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F2835 mov eax, dword ptr fs:[00000030h] 4_2_014F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F2835 mov eax, dword ptr fs:[00000030h] 4_2_014F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FE8C0 mov eax, dword ptr fs:[00000030h] 4_2_014FE8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A08C0 mov eax, dword ptr fs:[00000030h] 4_2_015A08C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150C8F9 mov eax, dword ptr fs:[00000030h] 4_2_0150C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150C8F9 mov eax, dword ptr fs:[00000030h] 4_2_0150C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0159A8E4 mov eax, dword ptr fs:[00000030h] 4_2_0159A8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0155C89D mov eax, dword ptr fs:[00000030h] 4_2_0155C89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D0887 mov eax, dword ptr fs:[00000030h] 4_2_014D0887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157EB50 mov eax, dword ptr fs:[00000030h] 4_2_0157EB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A2B57 mov eax, dword ptr fs:[00000030h] 4_2_015A2B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A2B57 mov eax, dword ptr fs:[00000030h] 4_2_015A2B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A2B57 mov eax, dword ptr fs:[00000030h] 4_2_015A2B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A2B57 mov eax, dword ptr fs:[00000030h] 4_2_015A2B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01584B4B mov eax, dword ptr fs:[00000030h] 4_2_01584B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01584B4B mov eax, dword ptr fs:[00000030h] 4_2_01584B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01578B42 mov eax, dword ptr fs:[00000030h] 4_2_01578B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01566B40 mov eax, dword ptr fs:[00000030h] 4_2_01566B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01566B40 mov eax, dword ptr fs:[00000030h] 4_2_01566B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0159AB40 mov eax, dword ptr fs:[00000030h] 4_2_0159AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014C8B50 mov eax, dword ptr fs:[00000030h] 4_2_014C8B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014CCB7E mov eax, dword ptr fs:[00000030h] 4_2_014CCB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0154EB1D mov eax, dword ptr fs:[00000030h] 4_2_0154EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0154EB1D mov eax, dword ptr fs:[00000030h] 4_2_0154EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0154EB1D mov eax, dword ptr fs:[00000030h] 4_2_0154EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0154EB1D mov eax, dword ptr fs:[00000030h] 4_2_0154EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0154EB1D mov eax, dword ptr fs:[00000030h] 4_2_0154EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0154EB1D mov eax, dword ptr fs:[00000030h] 4_2_0154EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0154EB1D mov eax, dword ptr fs:[00000030h] 4_2_0154EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0154EB1D mov eax, dword ptr fs:[00000030h] 4_2_0154EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0154EB1D mov eax, dword ptr fs:[00000030h] 4_2_0154EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_015A4B00 mov eax, dword ptr fs:[00000030h] 4_2_015A4B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FEB20 mov eax, dword ptr fs:[00000030h] 4_2_014FEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FEB20 mov eax, dword ptr fs:[00000030h] 4_2_014FEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01598B28 mov eax, dword ptr fs:[00000030h] 4_2_01598B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01598B28 mov eax, dword ptr fs:[00000030h] 4_2_01598B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D0BCD mov eax, dword ptr fs:[00000030h] 4_2_014D0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D0BCD mov eax, dword ptr fs:[00000030h] 4_2_014D0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D0BCD mov eax, dword ptr fs:[00000030h] 4_2_014D0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F0BCB mov eax, dword ptr fs:[00000030h] 4_2_014F0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F0BCB mov eax, dword ptr fs:[00000030h] 4_2_014F0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F0BCB mov eax, dword ptr fs:[00000030h] 4_2_014F0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157EBD0 mov eax, dword ptr fs:[00000030h] 4_2_0157EBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0155CBF0 mov eax, dword ptr fs:[00000030h] 4_2_0155CBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FEBFC mov eax, dword ptr fs:[00000030h] 4_2_014FEBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D8BF0 mov eax, dword ptr fs:[00000030h] 4_2_014D8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D8BF0 mov eax, dword ptr fs:[00000030h] 4_2_014D8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D8BF0 mov eax, dword ptr fs:[00000030h] 4_2_014D8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01584BB0 mov eax, dword ptr fs:[00000030h] 4_2_01584BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01584BB0 mov eax, dword ptr fs:[00000030h] 4_2_01584BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0BBE mov eax, dword ptr fs:[00000030h] 4_2_014E0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0BBE mov eax, dword ptr fs:[00000030h] 4_2_014E0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0A5B mov eax, dword ptr fs:[00000030h] 4_2_014E0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014E0A5B mov eax, dword ptr fs:[00000030h] 4_2_014E0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D6A50 mov eax, dword ptr fs:[00000030h] 4_2_014D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D6A50 mov eax, dword ptr fs:[00000030h] 4_2_014D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D6A50 mov eax, dword ptr fs:[00000030h] 4_2_014D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D6A50 mov eax, dword ptr fs:[00000030h] 4_2_014D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D6A50 mov eax, dword ptr fs:[00000030h] 4_2_014D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D6A50 mov eax, dword ptr fs:[00000030h] 4_2_014D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D6A50 mov eax, dword ptr fs:[00000030h] 4_2_014D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0154CA72 mov eax, dword ptr fs:[00000030h] 4_2_0154CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0154CA72 mov eax, dword ptr fs:[00000030h] 4_2_0154CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0157EA60 mov eax, dword ptr fs:[00000030h] 4_2_0157EA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150CA6F mov eax, dword ptr fs:[00000030h] 4_2_0150CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150CA6F mov eax, dword ptr fs:[00000030h] 4_2_0150CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150CA6F mov eax, dword ptr fs:[00000030h] 4_2_0150CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0155CA11 mov eax, dword ptr fs:[00000030h] 4_2_0155CA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014FEA2E mov eax, dword ptr fs:[00000030h] 4_2_014FEA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150CA38 mov eax, dword ptr fs:[00000030h] 4_2_0150CA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150CA24 mov eax, dword ptr fs:[00000030h] 4_2_0150CA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F4A35 mov eax, dword ptr fs:[00000030h] 4_2_014F4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014F4A35 mov eax, dword ptr fs:[00000030h] 4_2_014F4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01504AD0 mov eax, dword ptr fs:[00000030h] 4_2_01504AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01504AD0 mov eax, dword ptr fs:[00000030h] 4_2_01504AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014D0AD0 mov eax, dword ptr fs:[00000030h] 4_2_014D0AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01526ACC mov eax, dword ptr fs:[00000030h] 4_2_01526ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01526ACC mov eax, dword ptr fs:[00000030h] 4_2_01526ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01526ACC mov eax, dword ptr fs:[00000030h] 4_2_01526ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150AAEE mov eax, dword ptr fs:[00000030h] 4_2_0150AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_0150AAEE mov eax, dword ptr fs:[00000030h] 4_2_0150AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_01508A90 mov edx, dword ptr fs:[00000030h] 4_2_01508A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014DEA80 mov eax, dword ptr fs:[00000030h] 4_2_014DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4_2_014DEA80 mov eax, dword ptr fs:[00000030h] 4_2_014DEA80
Enables debug privileges
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\inquiry EBS# 82785.exe"
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\inquiry EBS# 82785.exe" Jump to behavior
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtWriteVirtualMemory: Direct from: 0x77762E3C Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtMapViewOfSection: Direct from: 0x77762D1C Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtNotifyChangeKey: Direct from: 0x77763C2C Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtCreateMutant: Direct from: 0x777635CC Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtResumeThread: Direct from: 0x777636AC Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtProtectVirtualMemory: Direct from: 0x77757B2E Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtQuerySystemInformation: Direct from: 0x77762DFC Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtAllocateVirtualMemory: Direct from: 0x77762BFC Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtReadFile: Direct from: 0x77762ADC Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtDelayExecution: Direct from: 0x77762DDC Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtWriteVirtualMemory: Direct from: 0x7776490C Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtQueryInformationProcess: Direct from: 0x77762C26 Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtResumeThread: Direct from: 0x77762FBC Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtCreateUserProcess: Direct from: 0x7776371C Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtSetInformationThread: Direct from: 0x777563F9 Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtAllocateVirtualMemory: Direct from: 0x77763C9C Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtSetInformationThread: Direct from: 0x77762B4C Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtQueryAttributesFile: Direct from: 0x77762E6C Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtReadVirtualMemory: Direct from: 0x77762E8C Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtCreateKey: Direct from: 0x77762C6C Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtQuerySystemInformation: Direct from: 0x777648CC Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtAllocateVirtualMemory: Direct from: 0x777648EC Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtQueryVolumeInformationFile: Direct from: 0x77762F2C Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtOpenSection: Direct from: 0x77762E0C Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtDeviceIoControlFile: Direct from: 0x77762AEC Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtAllocateVirtualMemory: Direct from: 0x77762BEC Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtQueryInformationToken: Direct from: 0x77762CAC Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtTerminateThread: Direct from: 0x77762FCC Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtCreateFile: Direct from: 0x77762FEC Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtOpenFile: Direct from: 0x77762DCC Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtOpenKeyEx: Direct from: 0x77762B9C Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtSetInformationProcess: Direct from: 0x77762C5C Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe NtProtectVirtualMemory: Direct from: 0x77762F9C Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\iexpress.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: NULL target: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: NULL target: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\iexpress.exe Thread register set: target process: 7644 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\iexpress.exe Thread APC queued: target process: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\inquiry EBS# 82785.exe" Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Program Files (x86)\IxomXFNfjAqbdkBATZPViqvQCuLxJYOyhTqHleVCYbVam\hbfEEdNoiUG.exe Process created: C:\Windows\SysWOW64\iexpress.exe "C:\Windows\SysWOW64\iexpress.exe" Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: hbfEEdNoiUG.exe, 0000000F.00000000.1347756306.0000000001010000.00000002.00000001.00040000.00000000.sdmp, hbfEEdNoiUG.exe, 0000000F.00000002.3711253821.0000000001010000.00000002.00000001.00040000.00000000.sdmp, hbfEEdNoiUG.exe, 00000014.00000002.3711589502.00000000016B0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: hbfEEdNoiUG.exe, 0000000F.00000000.1347756306.0000000001010000.00000002.00000001.00040000.00000000.sdmp, hbfEEdNoiUG.exe, 0000000F.00000002.3711253821.0000000001010000.00000002.00000001.00040000.00000000.sdmp, hbfEEdNoiUG.exe, 00000014.00000002.3711589502.00000000016B0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: hbfEEdNoiUG.exe, 0000000F.00000000.1347756306.0000000001010000.00000002.00000001.00040000.00000000.sdmp, hbfEEdNoiUG.exe, 0000000F.00000002.3711253821.0000000001010000.00000002.00000001.00040000.00000000.sdmp, hbfEEdNoiUG.exe, 00000014.00000002.3711589502.00000000016B0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: ?Program Manager
Source: hbfEEdNoiUG.exe, 0000000F.00000000.1347756306.0000000001010000.00000002.00000001.00040000.00000000.sdmp, hbfEEdNoiUG.exe, 0000000F.00000002.3711253821.0000000001010000.00000002.00000001.00040000.00000000.sdmp, hbfEEdNoiUG.exe, 00000014.00000002.3711589502.00000000016B0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Queries volume information: C:\Users\user\Desktop\inquiry EBS# 82785.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\inquiry EBS# 82785.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.1435453576.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3695841773.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3714642969.00000000054D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3712098478.0000000004B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1438597703.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3712203175.0000000004CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1438447735.0000000001830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3712340508.00000000030E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\iexpress.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\iexpress.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.1435453576.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3695841773.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3714642969.00000000054D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3712098478.0000000004B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1438597703.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3712203175.0000000004CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1438447735.0000000001830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3712340508.00000000030E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1447917 Sample: inquiry EBS# 82785.exe Startdate: 27/05/2024 Architecture: WINDOWS Score: 100 32 www.ycwtch.co.uk 2->32 34 www.pricekaboom.com 2->34 36 21 other IPs or domains 2->36 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 8 other signatures 2->52 10 inquiry EBS# 82785.exe 4 2->10         started        signatures3 process4 signatures5 62 Adds a directory exclusion to Windows Defender 10->62 13 RegSvcs.exe 10->13         started        16 powershell.exe 23 10->16         started        process6 signatures7 66 Maps a DLL or memory area into another process 13->66 18 hbfEEdNoiUG.exe 13->18 injected 68 Loading BitLocker PowerShell Module 16->68 21 conhost.exe 16->21         started        process8 signatures9 44 Found direct / indirect Syscall (likely to bypass EDR) 18->44 23 iexpress.exe 13 18->23         started        process10 signatures11 54 Tries to steal Mail credentials (via file / registry access) 23->54 56 Tries to harvest and steal browser information (history, passwords, etc) 23->56 58 Modifies the context of a thread in another process (thread injection) 23->58 60 2 other signatures 23->60 26 hbfEEdNoiUG.exe 23->26 injected 30 firefox.exe 23->30         started        process12 dnsIp13 38 pricekaboom.com 185.31.240.240, 49712, 80 ZONEZoneMediaOUEE Estonia 26->38 40 www.0bi8.fun 107.151.241.58, 59274, 59275, 59276 VPSQUANUS United States 26->40 42 7 other IPs or domains 26->42 64 Found direct / indirect Syscall (likely to bypass EDR) 26->64 signatures14
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.81.34
 www.drednents.es United States
13335 CLOUDFLARENETUS false
185.31.240.240
 pricekaboom.com Estonia
49604 ZONEZoneMediaOUEE false
198.177.123.106
 www.touchdres.top United States
395681 FINALFRONTIERVG false
107.151.241.58
 www.0bi8.fun United States
62468 VPSQUANUS false
34.149.87.45
 td-ccm-neg-87-45.wixdns.net United States
2686 ATGS-MMD-ASUS false
194.58.112.174
 www.yamlex.ru Russian Federation
197695 AS-REGRU false
103.28.36.189
 omilux.vn Viet Nam
131353 NHANHOA-AS-VNNhanHoaSoftwarecompanyVN false
3.33.130.190
 duobao698.com United States
8987 AMAZONEXPANSIONGB false
212.227.172.254
 www.shopnaya.fr Germany
8560 ONEANDONE-ASBrauerstrasse48DE false

Contacted Domains

Name IP Active
www.yamlex.ru 194.58.112.174 true
duobao698.com 3.33.130.190 true
www.shopnaya.fr 212.227.172.254 true
pricekaboom.com 185.31.240.240 true
td-ccm-neg-87-45.wixdns.net 34.149.87.45 true
chillingtime.shop 3.33.130.190 true
galatalosangeles.org 3.33.130.190 true
www.drednents.es 104.21.81.34 true
www.0bi8.fun 107.151.241.58 true
omilux.vn 103.28.36.189 true
hilfe24x7.de 3.33.130.190 true
www.touchdres.top 198.177.123.106 true
geltipleasure.com 3.33.130.190 true
www.omilux.vn unknown unknown
www.birthingwitht.com unknown unknown
www.pricekaboom.com unknown unknown
www.duobao698.com unknown unknown
www.ycwtch.co.uk unknown unknown
www.galatalosangeles.org unknown unknown
www.chillingtime.shop unknown unknown
www.geltipleasure.com unknown unknown
www.hilfe24x7.de unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.shopnaya.fr/7skl/ false
  • Avira URL Cloud: safe
 unknown
http://www.touchdres.top/hjqs/ false
  • Avira URL Cloud: safe
 unknown
http://www.geltipleasure.com/8vpj/ false
  • Avira URL Cloud: safe
 unknown
http://www.birthingwitht.com/v0eo/ false
  • Avira URL Cloud: safe
 unknown
http://www.galatalosangeles.org/v7f6/?MNodJD8p=XF4qeg9ZZgTAThyVlalCdKNU99LfXS2lLMZLa1YAu2kMLhYluJ+1/4qiQDOp90UUak+QbyH64omdN7gzrQa5FaRBbg95DUa8jSSlfRAmfeyBeU+cpFm8YfZCh5mA/E+0k6dMbGsvvroL&f4=xxLl5tHp-byppxH false
  • Avira URL Cloud: safe
 unknown
http://www.drednents.es/z86o/ false
  • Avira URL Cloud: safe
 unknown
http://www.touchdres.top/hjqs/?f4=xxLl5tHp-byppxH&MNodJD8p=5qGwR/efmPt/I6Ynz6AqB74GuZv+m8IAYAQ4rwOKHDcf/eaPG6yHH9N9SqcPE5LhBkrMW/1fhU0AkMcaTSWt5r3v+QyKYKY8hdB1xYhSZ8o8wTivSleoUXQcrXTUVIgWubI9r3mYr34W false
  • Avira URL Cloud: safe
 unknown
http://www.0bi8.fun/bjqr/?f4=xxLl5tHp-byppxH&MNodJD8p=gV3rr7jqPVIv1Mn/lEpKIewKkib7Fcul04Jd32/fmw2k/EH2FaAQks6L8J0asfE6jsJhPUd3WUfcv1S8rbU6nGqSEFtTbFoUTPdBAPE1L3Zw4OEG+thjvk7ioWrFkV00ho6iarHOpTEe false
  • Avira URL Cloud: safe
 unknown
http://www.omilux.vn/hrz3/ false
  • Avira URL Cloud: safe
 unknown
http://www.0bi8.fun/bjqr/ false
  • Avira URL Cloud: safe
 unknown
http://www.geltipleasure.com/8vpj/?f4=xxLl5tHp-byppxH&MNodJD8p=PND0ETKqlieTTeqinVoOdoMDGkM5Odo4sqg2s5YxFKdh6CPUHw2tTMKdV9M9FPP1W5xV4FYCql8AQrim1T6KQKabV5DPdnWB0A0Xkl8YOGjv4J+ZuCok4XgXnh6EsXJFAwVfNVgHNN7O false
  • Avira URL Cloud: safe
 unknown
http://www.birthingwitht.com/v0eo/?MNodJD8p=53hfMKMEN3GhcMKa3FD3GzP2+NOMOkRil+RTINeunm9wIq1fivMeg2WaHp19Pt0EnqgBYyGRdzAlBNzF4cJsjA2PPFb1LRhEuRJejr6Fp+RggyN+VxffrmtVRKuIz6NLG42mGA2FBBi+&f4=xxLl5tHp-byppxH false
  • Avira URL Cloud: safe
 unknown
http://www.yamlex.ru/ji0p/ false
  • Avira URL Cloud: safe
 unknown
http://www.duobao698.com/b5mo/ false
  • Avira URL Cloud: malware
 unknown
http://www.chillingtime.shop/e6fw/ false
  • Avira URL Cloud: safe
 unknown
http://www.galatalosangeles.org/v7f6/ false
  • Avira URL Cloud: safe
 unknown
http://www.duobao698.com/b5mo/?f4=xxLl5tHp-byppxH&MNodJD8p=YF33wiUQP61+bcRucpXfP2bszl+S1jXxxa03lm8i9Cm6yh/X5E/MKQF3SqHNMSDah8acWmTXWKI80zfQn0GR7e3o5MjoaLzb9IV74TF38aXM2/s/Vr42kQEqdr4drO8NCxauOi017rm8 false
  • Avira URL Cloud: malware
 unknown
http://www.drednents.es/z86o/?MNodJD8p=Ojnz0Kg7atrxNq8YCu+svyw5JWMM1LKejTFIWEVqDJTsr8k/Cp/y34hmBl88WC07fa4Gfm/DSv1MHu4JYtU+JFgy+UqwczkQfuHRwTZ5WPzaTNzF4FwHRgOY2DJ/mTb+46Ki7EnPzQiQ&f4=xxLl5tHp-byppxH false
  • Avira URL Cloud: safe
 unknown
http://www.shopnaya.fr/7skl/?f4=xxLl5tHp-byppxH&MNodJD8p=dTL83zpU0xQ9edv6OGiX5dEIo4WZrMM8fLl2Krrsxam7NAcpt0Es3EGDcNMssM7b8wua4BB6pAKcVugLPNxCMOYttcIT7GyMy0e3JishaTIPS+4u6tMJjGSu/0BLy0AvAJTG8pRcvlin false
  • Avira URL Cloud: safe
 unknown
http://www.pricekaboom.com/88is/?f4=xxLl5tHp-byppxH&MNodJD8p=Et7jFQQESHR6QMcH21WFfBueb87jCDciOXesV2PUTY+phHzqwibAOf6k5ayeI+rSGw4JUshP7eT3Dg0I6eQ+O8WQlCHWQqse33D+WHaqsKhBys2QaUSMPkBSAmePUjZQCr8qbSgJVbhV false
  • Avira URL Cloud: malware
 unknown
http://www.yamlex.ru/ji0p/?MNodJD8p=xXD9CQ3N7xKDLchfMZiKEzPna0191/2yPXYla/3jou9aJjDG40/AHObgd4ksmL/dNcSWCZmrHM/RDWoQ1OVMTJmDIfJC0DRY8vTyfwkh08Xc3obI9sRDXMdHo4KaM9QY8Uf5asICqepP&f4=xxLl5tHp-byppxH false
  • Avira URL Cloud: safe
 unknown
http://www.chillingtime.shop/e6fw/?f4=xxLl5tHp-byppxH&MNodJD8p=n5dESxf/cXtX+IWK1PHyu1L8TFflxVgasmaJS2CdKaZYGchug9mh5pyHlytVKDb3Cg5u6YFnb48YkM5fb7pMgDgbFs0i5g+O9MKB2IOkFyIMxqAROkXgP4I/Dc/XYjPAbEAcXqhbTswY false
  • Avira URL Cloud: safe
 unknown
http://www.hilfe24x7.de/vrn9/ false
  • Avira URL Cloud: safe
 unknown
http://www.ycwtch.co.uk/kpja/ false
  • Avira URL Cloud: malware
 unknown