Windows Analysis Report
PO STS_2184_06_2024.exe

Overview

General Information

Sample name: PO STS_2184_06_2024.exe
Analysis ID: 1467073
MD5: f9a3edaa59e9e93035aea302cfdeca9a
SHA1: ad0e341a060b8e70aedbe56622d872066768dc3a
SHA256: 0d7f81bf5df4bb53947a85f21d0e83dccd3e151b2fbabfc00bd2eb584a273f0b
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: PO STS_2184_06_2024.exe ReversingLabs: Detection: 31%
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2630248642.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2630538405.0000000000D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: PO STS_2184_06_2024.exe Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Unpacked PE file: 0.2.PO STS_2184_06_2024.exe.850000.0.unpack
Source: PO STS_2184_06_2024.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PO STS_2184_06_2024.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000005.00000002.2630988544.0000000001270000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000005.00000002.2630988544.0000000001270000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_04CE1AA0
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_04CE569D
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_04CE580C
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_04CE580C
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_04CE5818
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_04CE5818
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Code function: 4x nop then xor edx, edx 0_2_04CE5A65
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Code function: 4x nop then xor edx, edx 0_2_04CE5A70
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_04CE5B2D
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_04CE5B2D
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_04CE5B38
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_04CE5B38
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_052BB798
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_052B9CFC
Source: PO STS_2184_06_2024.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: PO STS_2184_06_2024.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: PO STS_2184_06_2024.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: PO STS_2184_06_2024.exe, 00000000.00000002.2186793071.0000000002C71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO STS_2184_06_2024.exe String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

E-Banking Fraud

Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2630248642.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2630538405.0000000000D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2630248642.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2630538405.0000000000D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.PO STS_2184_06_2024.exe.4cc0000.10.raw.unpack, -Module-.cs Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Source: 0.2.PO STS_2184_06_2024.exe.2c9ab9c.2.raw.unpack, -Module-.cs Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process Stats: CPU usage > 49%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0042B2F3 NtClose, 5_2_0042B2F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2B60 NtClose,LdrInitializeThunk, 5_2_012E2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2DF0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_012E2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2C70 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_012E2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E35C0 NtCreateMutant,LdrInitializeThunk, 5_2_012E35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E4340 NtSetContextThread, 5_2_012E4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E4650 NtSuspendThread, 5_2_012E4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2BA0 NtEnumerateValueKey, 5_2_012E2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2B80 NtQueryInformationFile, 5_2_012E2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2BE0 NtQueryValueKey, 5_2_012E2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2BF0 NtAllocateVirtualMemory, 5_2_012E2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2AB0 NtWaitForSingleObject, 5_2_012E2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2AF0 NtWriteFile, 5_2_012E2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2AD0 NtReadFile, 5_2_012E2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2D30 NtUnmapViewOfSection, 5_2_012E2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2D00 NtSetInformationFile, 5_2_012E2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2D10 NtMapViewOfSection, 5_2_012E2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2DB0 NtEnumerateKey, 5_2_012E2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2DD0 NtDelayExecution, 5_2_012E2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2C00 NtQueryInformationProcess, 5_2_012E2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2C60 NtCreateKey, 5_2_012E2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2CA0 NtQueryInformationToken, 5_2_012E2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2CF0 NtOpenProcess, 5_2_012E2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2CC0 NtQueryVirtualMemory, 5_2_012E2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2F30 NtCreateSection, 5_2_012E2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2F60 NtCreateProcessEx, 5_2_012E2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2FA0 NtQuerySection, 5_2_012E2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2FB0 NtResumeThread, 5_2_012E2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2F90 NtProtectVirtualMemory, 5_2_012E2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2FE0 NtCreateFile, 5_2_012E2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2E30 NtWriteVirtualMemory, 5_2_012E2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2EA0 NtAdjustPrivilegesToken, 5_2_012E2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2E80 NtReadVirtualMemory, 5_2_012E2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2EE0 NtQueueApcThread, 5_2_012E2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E3010 NtOpenDirectoryObject, 5_2_012E3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E3090 NtSetValueKey, 5_2_012E3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E39B0 NtGetContextThread, 5_2_012E39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E3D10 NtOpenProcessToken, 5_2_012E3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E3D70 NtOpenThread, 5_2_012E3D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0129B970 appears 280 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 012E5130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 012F7E54 appears 102 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0132F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0131EA12 appears 86 times
Source: PO STS_2184_06_2024.exe Static PE information: invalid certificate
Source: PO STS_2184_06_2024.exe, 00000000.00000002.2185411365.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PO STS_2184_06_2024.exe
Source: PO STS_2184_06_2024.exe, 00000000.00000002.2201729243.0000000005310000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs PO STS_2184_06_2024.exe
Source: PO STS_2184_06_2024.exe, 00000000.00000002.2197738822.0000000004CC0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRT.dll. vs PO STS_2184_06_2024.exe
Source: PO STS_2184_06_2024.exe, 00000000.00000000.2142957897.0000000000956000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAlqG.exe, vs PO STS_2184_06_2024.exe
Source: PO STS_2184_06_2024.exe, 00000000.00000002.2186793071.0000000002C71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRT.dll. vs PO STS_2184_06_2024.exe
Source: PO STS_2184_06_2024.exe Binary or memory string: OriginalFilenameAlqG.exe, vs PO STS_2184_06_2024.exe
Source: PO STS_2184_06_2024.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2630248642.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2630538405.0000000000D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: PO STS_2184_06_2024.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.PO STS_2184_06_2024.exe.5310000.13.raw.unpack, mu7XGoSJWJCOu9AiPw.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO STS_2184_06_2024.exe.40898e8.9.raw.unpack, fCVoOaCipWKvGri6GG.cs Security API names: _0020.SetAccessControl
Source: 0.2.PO STS_2184_06_2024.exe.40898e8.9.raw.unpack, fCVoOaCipWKvGri6GG.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO STS_2184_06_2024.exe.40898e8.9.raw.unpack, fCVoOaCipWKvGri6GG.cs Security API names: _0020.AddAccessRule
Source: 0.2.PO STS_2184_06_2024.exe.5310000.13.raw.unpack, fCVoOaCipWKvGri6GG.cs Security API names: _0020.SetAccessControl
Source: 0.2.PO STS_2184_06_2024.exe.5310000.13.raw.unpack, fCVoOaCipWKvGri6GG.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO STS_2184_06_2024.exe.5310000.13.raw.unpack, fCVoOaCipWKvGri6GG.cs Security API names: _0020.AddAccessRule
Source: 0.2.PO STS_2184_06_2024.exe.3fc5cc8.8.raw.unpack, fCVoOaCipWKvGri6GG.cs Security API names: _0020.SetAccessControl
Source: 0.2.PO STS_2184_06_2024.exe.3fc5cc8.8.raw.unpack, fCVoOaCipWKvGri6GG.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO STS_2184_06_2024.exe.3fc5cc8.8.raw.unpack, fCVoOaCipWKvGri6GG.cs Security API names: _0020.AddAccessRule
Source: 0.2.PO STS_2184_06_2024.exe.40898e8.9.raw.unpack, mu7XGoSJWJCOu9AiPw.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO STS_2184_06_2024.exe.3fc5cc8.8.raw.unpack, mu7XGoSJWJCOu9AiPw.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO STS_2184_06_2024.exe.2f426e0.1.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.PO STS_2184_06_2024.exe.2f618ac.4.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.PO STS_2184_06_2024.exe.4d00000.12.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/6@0/0
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO STS_2184_06_2024.exe.log
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3516:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4rgiecup.p4s.ps1
Source: PO STS_2184_06_2024.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PO STS_2184_06_2024.exe ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Users\user\Desktop\PO STS_2184_06_2024.exe "C:\Users\user\Desktop\PO STS_2184_06_2024.exe"
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO STS_2184_06_2024.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PO STS_2184_06_2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO STS_2184_06_2024.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: PO STS_2184_06_2024.exe Static file information: File size 1101320 > 1048576
Source: PO STS_2184_06_2024.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x103000
Source: PO STS_2184_06_2024.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000005.00000002.2630988544.0000000001270000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000005.00000002.2630988544.0000000001270000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Unpacked PE file: 0.2.PO STS_2184_06_2024.exe.850000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Unpacked PE file: 0.2.PO STS_2184_06_2024.exe.850000.0.unpack
Source: 0.2.PO STS_2184_06_2024.exe.4cc0000.10.raw.unpack, -Module-.cs .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO STS_2184_06_2024.exe.4cc0000.10.raw.unpack, PingPong.cs .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO STS_2184_06_2024.exe.40898e8.9.raw.unpack, fCVoOaCipWKvGri6GG.cs .Net Code: YDdGB0QSNY System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO STS_2184_06_2024.exe.5310000.13.raw.unpack, fCVoOaCipWKvGri6GG.cs .Net Code: YDdGB0QSNY System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO STS_2184_06_2024.exe.2c9ab9c.2.raw.unpack, -Module-.cs .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO STS_2184_06_2024.exe.2c9ab9c.2.raw.unpack, PingPong.cs .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO STS_2184_06_2024.exe.3fc5cc8.8.raw.unpack, fCVoOaCipWKvGri6GG.cs .Net Code: YDdGB0QSNY System.Reflection.Assembly.Load(byte[])
Source: PO STS_2184_06_2024.exe Static PE information: 0xF73DDA15 [Sun Jun 12 13:24:37 2101 UTC]
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Code function: 0_2_008523C2 push ebx; retf 0_2_008523C3
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Code function: 0_2_04CE04E8 push esp; ret 0_2_04CE04E9
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Code function: 0_2_04CE0E81 push 8BBCEB50h; ret 0_2_04CE0E87
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Code function: 0_2_052B2610 pushfd ; ret 0_2_052B261E
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Code function: 0_2_052BEFA0 pushfd ; ret 0_2_052BEFAE
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Code function: 0_2_052BCEE4 push ebp; retf 0_2_052BCEE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00407913 push es; retf 5_2_00407919
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0040A9F2 push edi; retf 5_2_0040A9F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00402181 pushad ; iretd 5_2_004021BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041EA53 pushad ; retf 5_2_0041EA6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041A349 push edx; retf 5_2_0041A359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00407BD1 push 0000003Fh; ret 5_2_00407BD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0040C40D push esp; ret 5_2_0040C412
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041A424 push esp; iretd 5_2_0041A425
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0042C543 push esi; retf 5_2_0042C586
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_004035A0 push eax; ret 5_2_004035A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00404E01 push esi; ret 5_2_00404E02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_004016CF push es; retf 5_2_0040170B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_004116EF push ebx; ret 5_2_004116FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041E6A8 push ebp; ret 5_2_0041E6B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00401722 push es; retf 5_2_0040170B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0040CF94 push ecx; retf 5_2_0040CF95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0127225F pushad ; ret 5_2_012727F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012727FA pushad ; ret 5_2_012727F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A09AD push ecx; mov dword ptr [esp], ecx 5_2_012A09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0127283D push eax; iretd 5_2_01272858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01271368 push eax; iretd 5_2_01271369
Source: PO STS_2184_06_2024.exe Static PE information: section name: .text entropy: 7.937755379167963
Source: 0.2.PO STS_2184_06_2024.exe.40898e8.9.raw.unpack, 0.2.PO STS_2184_06_2024.exe.5310000.13.raw.unpack, 0.2.PO STS_2184_06_2024.exe.3fc5cc8.8.raw.unpack (multiple .cs classes in each) High entropy of concatenated method names
Source: 0.2.PO STS_2184_06_2024.exe.3fc5cc8.8.raw.unpack, dHpQGpsLESwpNDrI7m.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'FCoM6giE3v', 'ug5MWdY1aw', 'sgbMzNvyKk', 'BHxj3CxTcq', 'S5qjXVK09R', 'm8UjMslJF0', 'kgQjjOgLqK', 'dxFrpgO5hsflr6U122l'
Source: 0.2.PO STS_2184_06_2024.exe.3fc5cc8.8.raw.unpack, uLkiIyEIc7a5QJYcSE.cs High entropy of concatenated method names: 'kmdiUPqr6I', 'DB3iW4yegc', 'HSuN35sNp8', 'HN7NXfP7iW', 'PeriqGZZ8y', 'M1liLCb8Yx', 'uKEivbD43E', 'nZbidAH5fK', 'cxhilLW4ML', 'MZGi1bqhBT'
Source: 0.2.PO STS_2184_06_2024.exe.3fc5cc8.8.raw.unpack, oglEhUm3uvyKpd2Kr4.cs High entropy of concatenated method names: 'HG5iVRL1Z3', 'N1yi0ywkOe', 'ToString', 'NmDi9PC7R4', 'f24i4UsGWd', 'reCispgPBY', 'aJviyXE7bq', 'lxEi5VoU9p', 'Lbai29Nuje', 'xa6iCKQWSk'
Source: 0.2.PO STS_2184_06_2024.exe.3fc5cc8.8.raw.unpack, dELb50dvlK7JNtBH8e.cs High entropy of concatenated method names: 'BieHK1i89d', 'yPLHLybFpM', 'T7wHdLK6Nh', 'Ne5Hlcq6oQ', 'qiDHFrSKyh', 'pMOHhmuQ8q', 'rhhHfmSrhx', 'B12HZYnTRS', 'z6wHPlYvhq', 'ghTH8Q1gOZ'
Source: 0.2.PO STS_2184_06_2024.exe.3fc5cc8.8.raw.unpack, SWBDQtGxgSHnKETHR0.cs High entropy of concatenated method names: 'ePVX2u7XGo', 'rWJXCCOu9A', 'jo7XVxJpTP', 'a1xX0yOMpy', 'GESXH42ohq', 'QRJXpZ86nR', 'IOTrMNfwK72pEtZP9P', 'BqxGWUiPWDhMGRPpB4', 'oHwXXThwYy', 'DXDXj4QRs8'
Source: 0.2.PO STS_2184_06_2024.exe.3fc5cc8.8.raw.unpack, vwJSCeXjqyws8fjiNGU.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uWAbdQkxak', 'EefblocrC6', 'Fbnb1dbmW1', 'FmubmqMr1Z', 'ygdbcCeemg', 'QnrbES1Li0', 'Km0bnG9EKR'
Source: 0.2.PO STS_2184_06_2024.exe.3fc5cc8.8.raw.unpack, y5wtWv8XyG3cr3dEf3.cs High entropy of concatenated method names: 'r6C29BIwPS', 'OvK2sNxr9U', 'Mge25QPHle', 'qm35WgD5fi', 'hai5zyYhLD', 'hbe23DkXIC', 'Ut12XJJyuG', 'JFW2MpY9qR', 'raT2jG4gmn', 'Iml2GDBcBE'
Source: 0.2.PO STS_2184_06_2024.exe.3fc5cc8.8.raw.unpack, AMpyycoU8gJMYYES42.cs High entropy of concatenated method names: 'k84ykt88Hu', 'eGHyAyilZb', 'J7IshRyrkV', 'rYisfNfXZ1', 'shasZoVXXE', 'muQsPIxlCY', 'ITSs8N6aPp', 'GVSsxQ65ty', 'Rh5sQEEslO', 'rs0sKGdC96'

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: PO STS_2184_06_2024.exe PID: 3136, type: MEMORYSTR
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Memory allocated: 2A70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Memory allocated: 2C70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Memory allocated: 4C70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Memory allocated: 5310000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Memory allocated: 6310000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Memory allocated: 6440000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Memory allocated: 7440000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Memory allocated: A1C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Memory allocated: B1C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Memory allocated: B650000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Memory allocated: C650000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Memory allocated: D650000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Memory allocated: E650000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Memory allocated: F650000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Memory allocated: 6430000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E096E rdtsc 5_2_012E096E
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 0.7 %
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe TID: 3212 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6664 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1216 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00417713 LdrLoadDll, 5_2_00417713
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D0124 mov eax, dword ptr fs:[00000030h] 5_2_012D0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01360115 mov eax, dword ptr fs:[00000030h] 5_2_01360115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0134A118 mov ecx, dword ptr fs:[00000030h] 5_2_0134A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0134A118 mov eax, dword ptr fs:[00000030h] 5_2_0134A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0134E10E mov eax, dword ptr fs:[00000030h] 5_2_0134E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0134E10E mov ecx, dword ptr fs:[00000030h] 5_2_0134E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01338158 mov eax, dword ptr fs:[00000030h] 5_2_01338158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01334144 mov eax, dword ptr fs:[00000030h] 5_2_01334144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01334144 mov ecx, dword ptr fs:[00000030h] 5_2_01334144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A6154 mov eax, dword ptr fs:[00000030h] 5_2_012A6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0129C156 mov eax, dword ptr fs:[00000030h] 5_2_0129C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E0185 mov eax, dword ptr fs:[00000030h] 5_2_012E0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0132019F mov eax, dword ptr fs:[00000030h] 5_2_0132019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01344180 mov eax, dword ptr fs:[00000030h] 5_2_01344180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0135C188 mov eax, dword ptr fs:[00000030h] 5_2_0135C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0135C188 mov eax, dword ptr fs:[00000030h] 5_2_0135C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0129A197 mov eax, dword ptr fs:[00000030h] 5_2_0129A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0129A197 mov eax, dword ptr fs:[00000030h] 5_2_0129A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0129A197 mov eax, dword ptr fs:[00000030h] 5_2_0129A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013761E5 mov eax, dword ptr fs:[00000030h] 5_2_013761E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D01F8 mov eax, dword ptr fs:[00000030h] 5_2_012D01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0131E1D0 mov eax, dword ptr fs:[00000030h] 5_2_0131E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0131E1D0 mov eax, dword ptr fs:[00000030h] 5_2_0131E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0131E1D0 mov ecx, dword ptr fs:[00000030h] 5_2_0131E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0131E1D0 mov eax, dword ptr fs:[00000030h] 5_2_0131E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0131E1D0 mov eax, dword ptr fs:[00000030h] 5_2_0131E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013661C3 mov eax, dword ptr fs:[00000030h] 5_2_013661C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013661C3 mov eax, dword ptr fs:[00000030h] 5_2_013661C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01336030 mov eax, dword ptr fs:[00000030h] 5_2_01336030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0129A020 mov eax, dword ptr fs:[00000030h] 5_2_0129A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0129C020 mov eax, dword ptr fs:[00000030h] 5_2_0129C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01324000 mov ecx, dword ptr fs:[00000030h] 5_2_01324000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01342000 mov eax, dword ptr fs:[00000030h] 5_2_01342000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01342000 mov eax, dword ptr fs:[00000030h] 5_2_01342000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01342000 mov eax, dword ptr fs:[00000030h] 5_2_01342000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01342000 mov eax, dword ptr fs:[00000030h] 5_2_01342000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01342000 mov eax, dword ptr fs:[00000030h] 5_2_01342000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01342000 mov eax, dword ptr fs:[00000030h] 5_2_01342000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01342000 mov eax, dword ptr fs:[00000030h] 5_2_01342000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01342000 mov eax, dword ptr fs:[00000030h] 5_2_01342000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012BE016 mov eax, dword ptr fs:[00000030h] 5_2_012BE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012BE016 mov eax, dword ptr fs:[00000030h] 5_2_012BE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012BE016 mov eax, dword ptr fs:[00000030h] 5_2_012BE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012BE016 mov eax, dword ptr fs:[00000030h] 5_2_012BE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012CC073 mov eax, dword ptr fs:[00000030h] 5_2_012CC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01326050 mov eax, dword ptr fs:[00000030h] 5_2_01326050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A2050 mov eax, dword ptr fs:[00000030h] 5_2_012A2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013660B8 mov eax, dword ptr fs:[00000030h] 5_2_013660B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013660B8 mov ecx, dword ptr fs:[00000030h] 5_2_013660B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013380A8 mov eax, dword ptr fs:[00000030h] 5_2_013380A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A208A mov eax, dword ptr fs:[00000030h] 5_2_012A208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A80E9 mov eax, dword ptr fs:[00000030h] 5_2_012A80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0129A0E3 mov ecx, dword ptr fs:[00000030h] 5_2_0129A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013260E0 mov eax, dword ptr fs:[00000030h] 5_2_013260E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0129C0F0 mov eax, dword ptr fs:[00000030h] 5_2_0129C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E20F0 mov ecx, dword ptr fs:[00000030h] 5_2_012E20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013220DE mov eax, dword ptr fs:[00000030h] 5_2_013220DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DA30B mov eax, dword ptr fs:[00000030h] 5_2_012DA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DA30B mov eax, dword ptr fs:[00000030h] 5_2_012DA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DA30B mov eax, dword ptr fs:[00000030h] 5_2_012DA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0129C310 mov ecx, dword ptr fs:[00000030h] 5_2_0129C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012C0310 mov ecx, dword ptr fs:[00000030h] 5_2_012C0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0134437C mov eax, dword ptr fs:[00000030h] 5_2_0134437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0136A352 mov eax, dword ptr fs:[00000030h] 5_2_0136A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01348350 mov ecx, dword ptr fs:[00000030h] 5_2_01348350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0132035C mov eax, dword ptr fs:[00000030h] 5_2_0132035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0132035C mov eax, dword ptr fs:[00000030h] 5_2_0132035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0132035C mov eax, dword ptr fs:[00000030h] 5_2_0132035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0132035C mov ecx, dword ptr fs:[00000030h] 5_2_0132035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0132035C mov eax, dword ptr fs:[00000030h] 5_2_0132035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0132035C mov eax, dword ptr fs:[00000030h] 5_2_0132035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01322349 mov eax, dword ptr fs:[00000030h] 5_2_01322349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01322349 mov eax, dword ptr fs:[00000030h] 5_2_01322349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01322349 mov eax, dword ptr fs:[00000030h] 5_2_01322349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01322349 mov eax, dword ptr fs:[00000030h] 5_2_01322349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01322349 mov eax, dword ptr fs:[00000030h] 5_2_01322349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01322349 mov eax, dword ptr fs:[00000030h] 5_2_01322349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01322349 mov eax, dword ptr fs:[00000030h] 5_2_01322349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01322349 mov eax, dword ptr fs:[00000030h] 5_2_01322349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01322349 mov eax, dword ptr fs:[00000030h] 5_2_01322349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01322349 mov eax, dword ptr fs:[00000030h] 5_2_01322349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01322349 mov eax, dword ptr fs:[00000030h] 5_2_01322349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01322349 mov eax, dword ptr fs:[00000030h] 5_2_01322349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01322349 mov eax, dword ptr fs:[00000030h] 5_2_01322349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01322349 mov eax, dword ptr fs:[00000030h] 5_2_01322349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01322349 mov eax, dword ptr fs:[00000030h] 5_2_01322349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0129E388 mov eax, dword ptr fs:[00000030h] 5_2_0129E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0129E388 mov eax, dword ptr fs:[00000030h] 5_2_0129E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0129E388 mov eax, dword ptr fs:[00000030h] 5_2_0129E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012C438F mov eax, dword ptr fs:[00000030h] 5_2_012C438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012C438F mov eax, dword ptr fs:[00000030h] 5_2_012C438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01298397 mov eax, dword ptr fs:[00000030h] 5_2_01298397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01298397 mov eax, dword ptr fs:[00000030h] 5_2_01298397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01298397 mov eax, dword ptr fs:[00000030h] 5_2_01298397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B03E9 mov eax, dword ptr fs:[00000030h] 5_2_012B03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B03E9 mov eax, dword ptr fs:[00000030h] 5_2_012B03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B03E9 mov eax, dword ptr fs:[00000030h] 5_2_012B03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B03E9 mov eax, dword ptr fs:[00000030h] 5_2_012B03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B03E9 mov eax, dword ptr fs:[00000030h] 5_2_012B03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B03E9 mov eax, dword ptr fs:[00000030h] 5_2_012B03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B03E9 mov eax, dword ptr fs:[00000030h] 5_2_012B03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B03E9 mov eax, dword ptr fs:[00000030h] 5_2_012B03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D63FF mov eax, dword ptr fs:[00000030h] 5_2_012D63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012BE3F0 mov eax, dword ptr fs:[00000030h] 5_2_012BE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012BE3F0 mov eax, dword ptr fs:[00000030h] 5_2_012BE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012BE3F0 mov eax, dword ptr fs:[00000030h] 5_2_012BE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013443D4 mov eax, dword ptr fs:[00000030h] 5_2_013443D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013443D4 mov eax, dword ptr fs:[00000030h] 5_2_013443D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AA3C0 mov eax, dword ptr fs:[00000030h] 5_2_012AA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AA3C0 mov eax, dword ptr fs:[00000030h] 5_2_012AA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AA3C0 mov eax, dword ptr fs:[00000030h] 5_2_012AA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AA3C0 mov eax, dword ptr fs:[00000030h] 5_2_012AA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AA3C0 mov eax, dword ptr fs:[00000030h] 5_2_012AA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AA3C0 mov eax, dword ptr fs:[00000030h] 5_2_012AA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A83C0 mov eax, dword ptr fs:[00000030h] 5_2_012A83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A83C0 mov eax, dword ptr fs:[00000030h] 5_2_012A83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A83C0 mov eax, dword ptr fs:[00000030h] 5_2_012A83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A83C0 mov eax, dword ptr fs:[00000030h] 5_2_012A83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0134E3DB mov eax, dword ptr fs:[00000030h] 5_2_0134E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0134E3DB mov eax, dword ptr fs:[00000030h] 5_2_0134E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0134E3DB mov ecx, dword ptr fs:[00000030h] 5_2_0134E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0134E3DB mov eax, dword ptr fs:[00000030h] 5_2_0134E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013263C0 mov eax, dword ptr fs:[00000030h] 5_2_013263C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0135C3CD mov eax, dword ptr fs:[00000030h] 5_2_0135C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0129823B mov eax, dword ptr fs:[00000030h] 5_2_0129823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01350274 mov eax, dword ptr fs:[00000030h] 5_2_01350274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01350274 mov eax, dword ptr fs:[00000030h] 5_2_01350274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01350274 mov eax, dword ptr fs:[00000030h] 5_2_01350274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01350274 mov eax, dword ptr fs:[00000030h] 5_2_01350274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01350274 mov eax, dword ptr fs:[00000030h] 5_2_01350274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01350274 mov eax, dword ptr fs:[00000030h] 5_2_01350274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01350274 mov eax, dword ptr fs:[00000030h] 5_2_01350274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01350274 mov eax, dword ptr fs:[00000030h] 5_2_01350274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01350274 mov eax, dword ptr fs:[00000030h] 5_2_01350274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01350274 mov eax, dword ptr fs:[00000030h] 5_2_01350274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01350274 mov eax, dword ptr fs:[00000030h] 5_2_01350274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01350274 mov eax, dword ptr fs:[00000030h] 5_2_01350274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0129826B mov eax, dword ptr fs:[00000030h] 5_2_0129826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A4260 mov eax, dword ptr fs:[00000030h] 5_2_012A4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A4260 mov eax, dword ptr fs:[00000030h] 5_2_012A4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A4260 mov eax, dword ptr fs:[00000030h] 5_2_012A4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0135A250 mov eax, dword ptr fs:[00000030h] 5_2_0135A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0135A250 mov eax, dword ptr fs:[00000030h] 5_2_0135A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01328243 mov eax, dword ptr fs:[00000030h] 5_2_01328243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01328243 mov ecx, dword ptr fs:[00000030h] 5_2_01328243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A6259 mov eax, dword ptr fs:[00000030h] 5_2_012A6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0129A250 mov eax, dword ptr fs:[00000030h] 5_2_0129A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013362A0 mov eax, dword ptr fs:[00000030h] 5_2_013362A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013362A0 mov ecx, dword ptr fs:[00000030h] 5_2_013362A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013362A0 mov eax, dword ptr fs:[00000030h] 5_2_013362A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013362A0 mov eax, dword ptr fs:[00000030h] 5_2_013362A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013362A0 mov eax, dword ptr fs:[00000030h] 5_2_013362A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013362A0 mov eax, dword ptr fs:[00000030h] 5_2_013362A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DE284 mov eax, dword ptr fs:[00000030h] 5_2_012DE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DE284 mov eax, dword ptr fs:[00000030h] 5_2_012DE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01320283 mov eax, dword ptr fs:[00000030h] 5_2_01320283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01320283 mov eax, dword ptr fs:[00000030h] 5_2_01320283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01320283 mov eax, dword ptr fs:[00000030h] 5_2_01320283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B02E1 mov eax, dword ptr fs:[00000030h] 5_2_012B02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B02E1 mov eax, dword ptr fs:[00000030h] 5_2_012B02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B02E1 mov eax, dword ptr fs:[00000030h] 5_2_012B02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AA2C3 mov eax, dword ptr fs:[00000030h] 5_2_012AA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AA2C3 mov eax, dword ptr fs:[00000030h] 5_2_012AA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AA2C3 mov eax, dword ptr fs:[00000030h] 5_2_012AA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AA2C3 mov eax, dword ptr fs:[00000030h] 5_2_012AA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AA2C3 mov eax, dword ptr fs:[00000030h] 5_2_012AA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012CE53E mov eax, dword ptr fs:[00000030h] 5_2_012CE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012CE53E mov eax, dword ptr fs:[00000030h] 5_2_012CE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012CE53E mov eax, dword ptr fs:[00000030h] 5_2_012CE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012CE53E mov eax, dword ptr fs:[00000030h] 5_2_012CE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012CE53E mov eax, dword ptr fs:[00000030h] 5_2_012CE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B0535 mov eax, dword ptr fs:[00000030h] 5_2_012B0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B0535 mov eax, dword ptr fs:[00000030h] 5_2_012B0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B0535 mov eax, dword ptr fs:[00000030h] 5_2_012B0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B0535 mov eax, dword ptr fs:[00000030h] 5_2_012B0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B0535 mov eax, dword ptr fs:[00000030h] 5_2_012B0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B0535 mov eax, dword ptr fs:[00000030h] 5_2_012B0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01336500 mov eax, dword ptr fs:[00000030h] 5_2_01336500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01374500 mov eax, dword ptr fs:[00000030h] 5_2_01374500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01374500 mov eax, dword ptr fs:[00000030h] 5_2_01374500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01374500 mov eax, dword ptr fs:[00000030h] 5_2_01374500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01374500 mov eax, dword ptr fs:[00000030h] 5_2_01374500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01374500 mov eax, dword ptr fs:[00000030h] 5_2_01374500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01374500 mov eax, dword ptr fs:[00000030h] 5_2_01374500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01374500 mov eax, dword ptr fs:[00000030h] 5_2_01374500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D656A mov eax, dword ptr fs:[00000030h] 5_2_012D656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D656A mov eax, dword ptr fs:[00000030h] 5_2_012D656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D656A mov eax, dword ptr fs:[00000030h] 5_2_012D656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A8550 mov eax, dword ptr fs:[00000030h] 5_2_012A8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A8550 mov eax, dword ptr fs:[00000030h] 5_2_012A8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013205A7 mov eax, dword ptr fs:[00000030h] 5_2_013205A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013205A7 mov eax, dword ptr fs:[00000030h] 5_2_013205A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013205A7 mov eax, dword ptr fs:[00000030h] 5_2_013205A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012C45B1 mov eax, dword ptr fs:[00000030h] 5_2_012C45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012C45B1 mov eax, dword ptr fs:[00000030h] 5_2_012C45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D4588 mov eax, dword ptr fs:[00000030h] 5_2_012D4588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A2582 mov eax, dword ptr fs:[00000030h] 5_2_012A2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A2582 mov ecx, dword ptr fs:[00000030h] 5_2_012A2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DE59C mov eax, dword ptr fs:[00000030h] 5_2_012DE59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DC5ED mov eax, dword ptr fs:[00000030h] 5_2_012DC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DC5ED mov eax, dword ptr fs:[00000030h] 5_2_012DC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A25E0 mov eax, dword ptr fs:[00000030h] 5_2_012A25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012CE5E7 mov eax, dword ptr fs:[00000030h] 5_2_012CE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012CE5E7 mov eax, dword ptr fs:[00000030h] 5_2_012CE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012CE5E7 mov eax, dword ptr fs:[00000030h] 5_2_012CE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012CE5E7 mov eax, dword ptr fs:[00000030h] 5_2_012CE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012CE5E7 mov eax, dword ptr fs:[00000030h] 5_2_012CE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012CE5E7 mov eax, dword ptr fs:[00000030h] 5_2_012CE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012CE5E7 mov eax, dword ptr fs:[00000030h] 5_2_012CE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012CE5E7 mov eax, dword ptr fs:[00000030h] 5_2_012CE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DE5CF mov eax, dword ptr fs:[00000030h] 5_2_012DE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DE5CF mov eax, dword ptr fs:[00000030h] 5_2_012DE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A65D0 mov eax, dword ptr fs:[00000030h] 5_2_012A65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DA5D0 mov eax, dword ptr fs:[00000030h] 5_2_012DA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DA5D0 mov eax, dword ptr fs:[00000030h] 5_2_012DA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0129E420 mov eax, dword ptr fs:[00000030h] 5_2_0129E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0129E420 mov eax, dword ptr fs:[00000030h] 5_2_0129E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0129E420 mov eax, dword ptr fs:[00000030h] 5_2_0129E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0129C427 mov eax, dword ptr fs:[00000030h] 5_2_0129C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01326420 mov eax, dword ptr fs:[00000030h] 5_2_01326420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01326420 mov eax, dword ptr fs:[00000030h] 5_2_01326420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01326420 mov eax, dword ptr fs:[00000030h] 5_2_01326420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01326420 mov eax, dword ptr fs:[00000030h] 5_2_01326420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01326420 mov eax, dword ptr fs:[00000030h] 5_2_01326420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01326420 mov eax, dword ptr fs:[00000030h] 5_2_01326420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01326420 mov eax, dword ptr fs:[00000030h] 5_2_01326420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DA430 mov eax, dword ptr fs:[00000030h] 5_2_012DA430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D8402 mov eax, dword ptr fs:[00000030h] 5_2_012D8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D8402 mov eax, dword ptr fs:[00000030h] 5_2_012D8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D8402 mov eax, dword ptr fs:[00000030h] 5_2_012D8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0132C460 mov ecx, dword ptr fs:[00000030h] 5_2_0132C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012CA470 mov eax, dword ptr fs:[00000030h] 5_2_012CA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012CA470 mov eax, dword ptr fs:[00000030h] 5_2_012CA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012CA470 mov eax, dword ptr fs:[00000030h] 5_2_012CA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0135A456 mov eax, dword ptr fs:[00000030h] 5_2_0135A456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DE443 mov eax, dword ptr fs:[00000030h] 5_2_012DE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DE443 mov eax, dword ptr fs:[00000030h] 5_2_012DE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DE443 mov eax, dword ptr fs:[00000030h] 5_2_012DE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DE443 mov eax, dword ptr fs:[00000030h] 5_2_012DE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DE443 mov eax, dword ptr fs:[00000030h] 5_2_012DE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DE443 mov eax, dword ptr fs:[00000030h] 5_2_012DE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DE443 mov eax, dword ptr fs:[00000030h] 5_2_012DE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DE443 mov eax, dword ptr fs:[00000030h] 5_2_012DE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0129645D mov eax, dword ptr fs:[00000030h] 5_2_0129645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012C245A mov eax, dword ptr fs:[00000030h] 5_2_012C245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A64AB mov eax, dword ptr fs:[00000030h] 5_2_012A64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0132A4B0 mov eax, dword ptr fs:[00000030h] 5_2_0132A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D44B0 mov ecx, dword ptr fs:[00000030h] 5_2_012D44B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0135A49A mov eax, dword ptr fs:[00000030h] 5_2_0135A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A04E5 mov ecx, dword ptr fs:[00000030h] 5_2_012A04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0131C730 mov eax, dword ptr fs:[00000030h] 5_2_0131C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DC720 mov eax, dword ptr fs:[00000030h] 5_2_012DC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DC720 mov eax, dword ptr fs:[00000030h] 5_2_012DC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D273C mov eax, dword ptr fs:[00000030h] 5_2_012D273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D273C mov ecx, dword ptr fs:[00000030h] 5_2_012D273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D273C mov eax, dword ptr fs:[00000030h] 5_2_012D273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DC700 mov eax, dword ptr fs:[00000030h] 5_2_012DC700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A0710 mov eax, dword ptr fs:[00000030h] 5_2_012A0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D0710 mov eax, dword ptr fs:[00000030h] 5_2_012D0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A8770 mov eax, dword ptr fs:[00000030h] 5_2_012A8770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B0770 mov eax, dword ptr fs:[00000030h] 5_2_012B0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B0770 mov eax, dword ptr fs:[00000030h] 5_2_012B0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B0770 mov eax, dword ptr fs:[00000030h] 5_2_012B0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B0770 mov eax, dword ptr fs:[00000030h] 5_2_012B0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B0770 mov eax, dword ptr fs:[00000030h] 5_2_012B0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B0770 mov eax, dword ptr fs:[00000030h] 5_2_012B0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B0770 mov eax, dword ptr fs:[00000030h] 5_2_012B0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B0770 mov eax, dword ptr fs:[00000030h] 5_2_012B0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B0770 mov eax, dword ptr fs:[00000030h] 5_2_012B0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B0770 mov eax, dword ptr fs:[00000030h] 5_2_012B0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B0770 mov eax, dword ptr fs:[00000030h] 5_2_012B0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B0770 mov eax, dword ptr fs:[00000030h] 5_2_012B0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D674D mov esi, dword ptr fs:[00000030h] 5_2_012D674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D674D mov eax, dword ptr fs:[00000030h] 5_2_012D674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D674D mov eax, dword ptr fs:[00000030h] 5_2_012D674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01324755 mov eax, dword ptr fs:[00000030h] 5_2_01324755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0132E75D mov eax, dword ptr fs:[00000030h] 5_2_0132E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A0750 mov eax, dword ptr fs:[00000030h] 5_2_012A0750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2750 mov eax, dword ptr fs:[00000030h] 5_2_012E2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2750 mov eax, dword ptr fs:[00000030h] 5_2_012E2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A07AF mov eax, dword ptr fs:[00000030h] 5_2_012A07AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013547A0 mov eax, dword ptr fs:[00000030h] 5_2_013547A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0134678E mov eax, dword ptr fs:[00000030h] 5_2_0134678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012C27ED mov eax, dword ptr fs:[00000030h] 5_2_012C27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012C27ED mov eax, dword ptr fs:[00000030h] 5_2_012C27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012C27ED mov eax, dword ptr fs:[00000030h] 5_2_012C27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A47FB mov eax, dword ptr fs:[00000030h] 5_2_012A47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A47FB mov eax, dword ptr fs:[00000030h] 5_2_012A47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0132E7E1 mov eax, dword ptr fs:[00000030h] 5_2_0132E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AC7C0 mov eax, dword ptr fs:[00000030h] 5_2_012AC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013207C3 mov eax, dword ptr fs:[00000030h] 5_2_013207C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A262C mov eax, dword ptr fs:[00000030h] 5_2_012A262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012BE627 mov eax, dword ptr fs:[00000030h] 5_2_012BE627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D6620 mov eax, dword ptr fs:[00000030h] 5_2_012D6620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D8620 mov eax, dword ptr fs:[00000030h] 5_2_012D8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B260B mov eax, dword ptr fs:[00000030h] 5_2_012B260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B260B mov eax, dword ptr fs:[00000030h] 5_2_012B260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B260B mov eax, dword ptr fs:[00000030h] 5_2_012B260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B260B mov eax, dword ptr fs:[00000030h] 5_2_012B260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B260B mov eax, dword ptr fs:[00000030h] 5_2_012B260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B260B mov eax, dword ptr fs:[00000030h] 5_2_012B260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B260B mov eax, dword ptr fs:[00000030h] 5_2_012B260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E2619 mov eax, dword ptr fs:[00000030h] 5_2_012E2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0131E609 mov eax, dword ptr fs:[00000030h] 5_2_0131E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DA660 mov eax, dword ptr fs:[00000030h] 5_2_012DA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DA660 mov eax, dword ptr fs:[00000030h] 5_2_012DA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0136866E mov eax, dword ptr fs:[00000030h] 5_2_0136866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0136866E mov eax, dword ptr fs:[00000030h] 5_2_0136866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D2674 mov eax, dword ptr fs:[00000030h] 5_2_012D2674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012BC640 mov eax, dword ptr fs:[00000030h] 5_2_012BC640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DC6A6 mov eax, dword ptr fs:[00000030h] 5_2_012DC6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D66B0 mov eax, dword ptr fs:[00000030h] 5_2_012D66B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A4690 mov eax, dword ptr fs:[00000030h] 5_2_012A4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A4690 mov eax, dword ptr fs:[00000030h] 5_2_012A4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0131E6F2 mov eax, dword ptr fs:[00000030h] 5_2_0131E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0131E6F2 mov eax, dword ptr fs:[00000030h] 5_2_0131E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0131E6F2 mov eax, dword ptr fs:[00000030h] 5_2_0131E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0131E6F2 mov eax, dword ptr fs:[00000030h] 5_2_0131E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013206F1 mov eax, dword ptr fs:[00000030h] 5_2_013206F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013206F1 mov eax, dword ptr fs:[00000030h] 5_2_013206F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DA6C7 mov ebx, dword ptr fs:[00000030h] 5_2_012DA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DA6C7 mov eax, dword ptr fs:[00000030h] 5_2_012DA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0132892A mov eax, dword ptr fs:[00000030h] 5_2_0132892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0133892B mov eax, dword ptr fs:[00000030h] 5_2_0133892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0132C912 mov eax, dword ptr fs:[00000030h] 5_2_0132C912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01298918 mov eax, dword ptr fs:[00000030h] 5_2_01298918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01298918 mov eax, dword ptr fs:[00000030h] 5_2_01298918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0131E908 mov eax, dword ptr fs:[00000030h] 5_2_0131E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0131E908 mov eax, dword ptr fs:[00000030h] 5_2_0131E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E096E mov eax, dword ptr fs:[00000030h] 5_2_012E096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E096E mov edx, dword ptr fs:[00000030h] 5_2_012E096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012E096E mov eax, dword ptr fs:[00000030h] 5_2_012E096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01344978 mov eax, dword ptr fs:[00000030h] 5_2_01344978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01344978 mov eax, dword ptr fs:[00000030h] 5_2_01344978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012C6962 mov eax, dword ptr fs:[00000030h] 5_2_012C6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012C6962 mov eax, dword ptr fs:[00000030h] 5_2_012C6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012C6962 mov eax, dword ptr fs:[00000030h] 5_2_012C6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0132C97C mov eax, dword ptr fs:[00000030h] 5_2_0132C97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01320946 mov eax, dword ptr fs:[00000030h] 5_2_01320946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013289B3 mov esi, dword ptr fs:[00000030h] 5_2_013289B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013289B3 mov eax, dword ptr fs:[00000030h] 5_2_013289B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013289B3 mov eax, dword ptr fs:[00000030h] 5_2_013289B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A09AD mov eax, dword ptr fs:[00000030h] 5_2_012A09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A09AD mov eax, dword ptr fs:[00000030h] 5_2_012A09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B29A0 mov eax, dword ptr fs:[00000030h] 5_2_012B29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B29A0 mov eax, dword ptr fs:[00000030h] 5_2_012B29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B29A0 mov eax, dword ptr fs:[00000030h] 5_2_012B29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B29A0 mov eax, dword ptr fs:[00000030h] 5_2_012B29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B29A0 mov eax, dword ptr fs:[00000030h] 5_2_012B29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B29A0 mov eax, dword ptr fs:[00000030h] 5_2_012B29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B29A0 mov eax, dword ptr fs:[00000030h] 5_2_012B29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B29A0 mov eax, dword ptr fs:[00000030h] 5_2_012B29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B29A0 mov eax, dword ptr fs:[00000030h] 5_2_012B29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B29A0 mov eax, dword ptr fs:[00000030h] 5_2_012B29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B29A0 mov eax, dword ptr fs:[00000030h] 5_2_012B29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B29A0 mov eax, dword ptr fs:[00000030h] 5_2_012B29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B29A0 mov eax, dword ptr fs:[00000030h] 5_2_012B29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0132E9E0 mov eax, dword ptr fs:[00000030h] 5_2_0132E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D29F9 mov eax, dword ptr fs:[00000030h] 5_2_012D29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D29F9 mov eax, dword ptr fs:[00000030h] 5_2_012D29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0136A9D3 mov eax, dword ptr fs:[00000030h] 5_2_0136A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_013369C0 mov eax, dword ptr fs:[00000030h] 5_2_013369C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AA9D0 mov eax, dword ptr fs:[00000030h] 5_2_012AA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AA9D0 mov eax, dword ptr fs:[00000030h] 5_2_012AA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AA9D0 mov eax, dword ptr fs:[00000030h] 5_2_012AA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AA9D0 mov eax, dword ptr fs:[00000030h] 5_2_012AA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AA9D0 mov eax, dword ptr fs:[00000030h] 5_2_012AA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AA9D0 mov eax, dword ptr fs:[00000030h] 5_2_012AA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D49D0 mov eax, dword ptr fs:[00000030h] 5_2_012D49D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0134483A mov eax, dword ptr fs:[00000030h] 5_2_0134483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0134483A mov eax, dword ptr fs:[00000030h] 5_2_0134483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012C2835 mov eax, dword ptr fs:[00000030h] 5_2_012C2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012C2835 mov eax, dword ptr fs:[00000030h] 5_2_012C2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012C2835 mov eax, dword ptr fs:[00000030h] 5_2_012C2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012C2835 mov ecx, dword ptr fs:[00000030h] 5_2_012C2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012C2835 mov eax, dword ptr fs:[00000030h] 5_2_012C2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012C2835 mov eax, dword ptr fs:[00000030h] 5_2_012C2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DA830 mov eax, dword ptr fs:[00000030h] 5_2_012DA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0132C810 mov eax, dword ptr fs:[00000030h] 5_2_0132C810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0132E872 mov eax, dword ptr fs:[00000030h] 5_2_0132E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0132E872 mov eax, dword ptr fs:[00000030h] 5_2_0132E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01336870 mov eax, dword ptr fs:[00000030h] 5_2_01336870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01336870 mov eax, dword ptr fs:[00000030h] 5_2_01336870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B2840 mov ecx, dword ptr fs:[00000030h] 5_2_012B2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A4859 mov eax, dword ptr fs:[00000030h] 5_2_012A4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A4859 mov eax, dword ptr fs:[00000030h] 5_2_012A4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D0854 mov eax, dword ptr fs:[00000030h] 5_2_012D0854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A0887 mov eax, dword ptr fs:[00000030h] 5_2_012A0887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0132C89D mov eax, dword ptr fs:[00000030h] 5_2_0132C89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0136A8E4 mov eax, dword ptr fs:[00000030h] 5_2_0136A8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DC8F9 mov eax, dword ptr fs:[00000030h] 5_2_012DC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DC8F9 mov eax, dword ptr fs:[00000030h] 5_2_012DC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012CE8C0 mov eax, dword ptr fs:[00000030h] 5_2_012CE8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012CEB20 mov eax, dword ptr fs:[00000030h] 5_2_012CEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012CEB20 mov eax, dword ptr fs:[00000030h] 5_2_012CEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01368B28 mov eax, dword ptr fs:[00000030h] 5_2_01368B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01368B28 mov eax, dword ptr fs:[00000030h] 5_2_01368B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0131EB1D mov eax, dword ptr fs:[00000030h] 5_2_0131EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0131EB1D mov eax, dword ptr fs:[00000030h] 5_2_0131EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0131EB1D mov eax, dword ptr fs:[00000030h] 5_2_0131EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0131EB1D mov eax, dword ptr fs:[00000030h] 5_2_0131EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0131EB1D mov eax, dword ptr fs:[00000030h] 5_2_0131EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0131EB1D mov eax, dword ptr fs:[00000030h] 5_2_0131EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0131EB1D mov eax, dword ptr fs:[00000030h] 5_2_0131EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0131EB1D mov eax, dword ptr fs:[00000030h] 5_2_0131EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0131EB1D mov eax, dword ptr fs:[00000030h] 5_2_0131EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0129CB7E mov eax, dword ptr fs:[00000030h] 5_2_0129CB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0134EB50 mov eax, dword ptr fs:[00000030h] 5_2_0134EB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01336B40 mov eax, dword ptr fs:[00000030h] 5_2_01336B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01336B40 mov eax, dword ptr fs:[00000030h] 5_2_01336B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0136AB40 mov eax, dword ptr fs:[00000030h] 5_2_0136AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01348B42 mov eax, dword ptr fs:[00000030h] 5_2_01348B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01354B4B mov eax, dword ptr fs:[00000030h] 5_2_01354B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01354B4B mov eax, dword ptr fs:[00000030h] 5_2_01354B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01354BB0 mov eax, dword ptr fs:[00000030h] 5_2_01354BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01354BB0 mov eax, dword ptr fs:[00000030h] 5_2_01354BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B0BBE mov eax, dword ptr fs:[00000030h] 5_2_012B0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B0BBE mov eax, dword ptr fs:[00000030h] 5_2_012B0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0132CBF0 mov eax, dword ptr fs:[00000030h] 5_2_0132CBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012CEBFC mov eax, dword ptr fs:[00000030h] 5_2_012CEBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A8BF0 mov eax, dword ptr fs:[00000030h] 5_2_012A8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A8BF0 mov eax, dword ptr fs:[00000030h] 5_2_012A8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A8BF0 mov eax, dword ptr fs:[00000030h] 5_2_012A8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0134EBD0 mov eax, dword ptr fs:[00000030h] 5_2_0134EBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012C0BCB mov eax, dword ptr fs:[00000030h] 5_2_012C0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012C0BCB mov eax, dword ptr fs:[00000030h] 5_2_012C0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012C0BCB mov eax, dword ptr fs:[00000030h] 5_2_012C0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A0BCD mov eax, dword ptr fs:[00000030h] 5_2_012A0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A0BCD mov eax, dword ptr fs:[00000030h] 5_2_012A0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A0BCD mov eax, dword ptr fs:[00000030h] 5_2_012A0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012CEA2E mov eax, dword ptr fs:[00000030h] 5_2_012CEA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DCA24 mov eax, dword ptr fs:[00000030h] 5_2_012DCA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DCA38 mov eax, dword ptr fs:[00000030h] 5_2_012DCA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012C4A35 mov eax, dword ptr fs:[00000030h] 5_2_012C4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012C4A35 mov eax, dword ptr fs:[00000030h] 5_2_012C4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0132CA11 mov eax, dword ptr fs:[00000030h] 5_2_0132CA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DCA6F mov eax, dword ptr fs:[00000030h] 5_2_012DCA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DCA6F mov eax, dword ptr fs:[00000030h] 5_2_012DCA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DCA6F mov eax, dword ptr fs:[00000030h] 5_2_012DCA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0131CA72 mov eax, dword ptr fs:[00000030h] 5_2_0131CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0131CA72 mov eax, dword ptr fs:[00000030h] 5_2_0131CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0134EA60 mov eax, dword ptr fs:[00000030h] 5_2_0134EA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B0A5B mov eax, dword ptr fs:[00000030h] 5_2_012B0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012B0A5B mov eax, dword ptr fs:[00000030h] 5_2_012B0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A6A50 mov eax, dword ptr fs:[00000030h] 5_2_012A6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A6A50 mov eax, dword ptr fs:[00000030h] 5_2_012A6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A6A50 mov eax, dword ptr fs:[00000030h] 5_2_012A6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A6A50 mov eax, dword ptr fs:[00000030h] 5_2_012A6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A6A50 mov eax, dword ptr fs:[00000030h] 5_2_012A6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A6A50 mov eax, dword ptr fs:[00000030h] 5_2_012A6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A6A50 mov eax, dword ptr fs:[00000030h] 5_2_012A6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A8AA0 mov eax, dword ptr fs:[00000030h] 5_2_012A8AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A8AA0 mov eax, dword ptr fs:[00000030h] 5_2_012A8AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012F6AA4 mov eax, dword ptr fs:[00000030h] 5_2_012F6AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AEA80 mov eax, dword ptr fs:[00000030h] 5_2_012AEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AEA80 mov eax, dword ptr fs:[00000030h] 5_2_012AEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AEA80 mov eax, dword ptr fs:[00000030h] 5_2_012AEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AEA80 mov eax, dword ptr fs:[00000030h] 5_2_012AEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AEA80 mov eax, dword ptr fs:[00000030h] 5_2_012AEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AEA80 mov eax, dword ptr fs:[00000030h] 5_2_012AEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AEA80 mov eax, dword ptr fs:[00000030h] 5_2_012AEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AEA80 mov eax, dword ptr fs:[00000030h] 5_2_012AEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012AEA80 mov eax, dword ptr fs:[00000030h] 5_2_012AEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01374A80 mov eax, dword ptr fs:[00000030h] 5_2_01374A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D8A90 mov edx, dword ptr fs:[00000030h] 5_2_012D8A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DAAEE mov eax, dword ptr fs:[00000030h] 5_2_012DAAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012DAAEE mov eax, dword ptr fs:[00000030h] 5_2_012DAAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012F6ACC mov eax, dword ptr fs:[00000030h] 5_2_012F6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012A0AD0 mov eax, dword ptr fs:[00000030h] 5_2_012A0AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D4AD0 mov eax, dword ptr fs:[00000030h] 5_2_012D4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01328D20 mov eax, dword ptr fs:[00000030h] 5_2_01328D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01358D10 mov eax, dword ptr fs:[00000030h] 5_2_01358D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012BAD00 mov eax, dword ptr fs:[00000030h] 5_2_012BAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_012D4D1D mov eax, dword ptr fs:[00000030h] 5_2_012D4D1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01296D10 mov eax, dword ptr fs:[00000030h] 5_2_01296D10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO STS_2184_06_2024.exe"
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Queries volume information: C:\Users\user\Desktop\PO STS_2184_06_2024.exe VolumeInformation
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\PO STS_2184_06_2024.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2630248642.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2630538405.0000000000D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2630248642.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2630538405.0000000000D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos